Ransomware developers learn from the mistakes of WannaCry and NotPetya

2 months ago
Eric Vanderburg

The WannaCry ransomware attack earlier this year infected more than 230,000 computers in 150 countries within one day of its release. It received a huge amount of media coverage and created widespread concern for ransomware protection.

Estimates of the total damages from WannaCry range from several hundred million to $4 billion. About a month later, NotPetya ransomware caused an estimated $300 million in damages.

Those estimates are certainly high. But it could have been much worse, if it weren’t for some flaws in the WannaCry and NotPetya code. And you can bet that in the future, ransomware developers will do their best to avoid making the same mistakes.

WannaCry flaws revealed
WannaCry suffered from three main flaws that limited its damage and earning potential, They include a web-based kill switch, poor handling of bitcoin payments and ineffective payment tracking.

WannaCry developers incorrectly implemented a feature designed to disable its file-encrypting capabilities when running in a virtual machine. This feature may have been something that was not fully implemented yet. WannaCry’s code relied on a URL that allowed it to contact its command and control server for instructions to encrypt data or remain dormant. However, this URL was hardcoded rather than a dynamically generated, so it was easy for a researcher to set up a site at the URL to prevent further encryption by the ransomware. The authors of the ransomware updated the ransomware with a new address, but this address was quickly identified and registered by researchers to prevent further encryption.

The WannaCry developers’ second mistake was their poor handling of bitcoin payments. Cybercriminals typically assign a unique bitcoin address for each victim and then combine those bitcoin wallets into others to be shuffled around and then cashed out. However, WannaCry used only one of four bitcoin addresses which allowed law enforcement and security researchers to easily monitor the transactions in the blockchain. This also made it much more difficult for payments to be cashed out.

WannaCry’s ineffective payment tracking was the third mistake. WannaCry did not assign a unique identifier to victims and used shared bitcoin wallets so the processing of payments and distribution of decryption keys could not be automated. Cybercriminals had to manually identify which ransom was being paid so that the correct key could be sent.

NotPetya not great at decryption
Similarly, NotPetya also had several significant flaws including faulty encryption that made decryption impossible and it only offered victims one way to communicate with the ransomware’s distributors. These flaws limited significantly diminished the attackers’ earning potential.

Ransomware usually generates an ID that is necessary to obtain the decryption key. However, NotPetya generates a random ID that is not related to the encrypted data at all. This installation ID cannot be used to retrieve a decryption key.

NotPetya required victims to email proof of their payment to receive decryption keys. The email address was hardcoded into the ransomware, and when this email address was disabled, the cybercriminals could not determine which victims sent payments. Once victims learned about the decryption flaw and figured out that the payment email was disabled, they stopped sending in payments altogether.

Next steps for ransomware
In the wake of these attacks, criminals will improve their techniques. As a result, you can expect to see even more effective ransomware on the horizon. While some have theorized that the goal of WannaCry and NotPetya was destruction rather than profit, other cybercriminals are sure to take advantage of the most effective elements of these ransomware viruses and implement them without such flaws.

Protect yourself by ensuring that your data is effectively backed up so that when ransomware strikes, you can restore data and move on without paying a ransom. Attackers may be relentless, but you don’t have to be a victim.

Ready for more? Learn the 10 Ks of protecting your data from ransomware today!