
Major Flaw Found in WannaCry Raises Questions on Whether it was Really a Ransomware

WannaCry's Decryptor interface – Image shows WannaCry providing two methods of communication with the attackers: the “Contact Us” link and the “Check Payment” button on the main decryptor interface (Source: McAfee)

An extensive analysis of WannaCry indicates that the attackers would be unable to determine which victims had paid the ransom and could not decrypt files on a per-victim basis. In other words, those behind the campaign would not (or could not) decrypt victims' data once they received payment. The McAfee research team that conducted the analysis finds the flaw puzzling given the campaign's otherwise effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments.

Odd negligence: "The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as 'shoddy,' the use of good technical governance suggests that there are elements of this campaign that are well implemented."

Shoddy campaign: "This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory."


Charles Christopher  –  Jun 09, 2017 7:44 AM PDT

They are criminals seeking payment. Why would they care about the victims' data after they were paid?

"Good guys" would care, but they also would not author malware.

Charles Christopher  –  Jun 09, 2017 7:53 AM PDT

Let me add one more thing. So let us ASSuME for a moment that the authors are "honest thieves" (by definition, no such thing exists). How then were they to decrypt the victim's hard drive and then, since they are "honest thieves", ensure the malware does not again encrypt the same victim's drive after they pay? To do so would, by necessity, create a "feature" which could be used to defeat the malware in the first place.

That is, one gives the malware the marker indicating the victim "is not to be victimized again"; honest thieves indeed ...
