If you've been hit by the WannaCry ransomware attack and are contemplating just paying the ransom to get your data back, please don't bother.
IBM Security says that paying the ransom is pointless because even if you pay, the hackers aren't able to send you the key to decrypt your data, because they didn't set up their systems properly, so they are now overwhelmed with thousands of payment requests.
"Every time someone sends money to the bitcoin wallet to get their data decrypted, a payment claim is sent to the hackers' command and control (C&C) server," IBM Security's general manager Marc van Zadelhoff tells IBTimes UK in an exclusive interview.
"The malware works by automatically sending the key back, but because they didn't set up their claims handling process properly, they have basically DDoSed themselves.
"There is no indication that any customer that has paid the ransom has actually gotten their stuff back. Our general advice with ransomware is don't pay, but you have to make exceptions to that in some cases if the data is critical. With this particular situation, we're telling customers don't pay, as it won't work anyway."
DDoS stands for distributed denial of service, a type of cyberattack in which the attacker floods the target's servers with so much traffic that the target's network goes offline. Obviously, the hackers were not deliberately trying to harm themselves. The 2048-bit asymmetric encryption they used shows they had technical know-how, but they did not think through their own IT processes properly.
"Usually these ransomware guys are really efficient. It seems that the WannaCry campaign was unusually successful, far exceeding their expectations of how many computers would be infected. They are getting so many requests coming back that they aren't able to store and sort them on the back end so that when they get the bitcoin they can match it back to specific users," explains van Zadelhoff.
More details about WannaCry are emerging
IBM Security has been working 24/7 since news of WannaCry ransomware attacking NHS hospitals across the UK broke on Friday 12 May, to make sure that its customers are safe; to mitigate any damage and restore backups to customer networks; and to try to figure out how the ransomware is evolving.
The firm has an expansive network of honeypot traps and DNS sinkholes all over the internet that lie in wait to quietly intercept traffic as it passes between infected computers and hackers' C&C servers.
The data collected is available for customers to search in real time on the X-Force Exchange dashboard, and it is also sent to cloud-based AI tool IBM Watson, which has been trained to understand millions of documents (research papers, blogs, CISSP certification exams) to help analyse cyberattacks.
Using these tools, IBM is discovering interesting new facts about the WannaCry attack by the hour. First, a large number of computers are currently being hit by WannaCry in Eastern Europe. IBM's guess is that many of these machines are running pirated software, which means they have not been receiving the critical patches, because any update would have alerted Microsoft and others that the software is fake.
Secondly, IBM Security has analysed half a billion emails to try to find spam or phishing emails which had WannaCry as an attachment, but they haven't found any, meaning that it was not spread through this method.
And third, the malware is unusual in its design. Van Zadelhoff explained: "Usually ransomware is for one specific target, but this one has a worm-like function to identify the system's missing Windows patch, so if someone had a laptop with the worm on it and they were away from the office, when they come back to the network and attach their laptop, the worm comes back again.
"The malware's architecture is modular; it's a feature known to be used in legitimate software, but also in complex malware projects like banking trojans. Most ransomware is not modular, but rather simplistic, and carries out its tasks without any modularity."
For now, focus on back-ups instead
IBM Security has a four-step approach to cybersecurity: make sure your systems are all up-to-date with patches; use its network protection devices as an extra precaution to block all known vulnerabilities (IBM's researchers discovered WannaCry in March and blocked it then); monitor your networks constantly for intrusions; and train all parts of the business beforehand on how to respond if a crisis hits.
"This was a Darwinian patching experience. The customers that listened and patched survived, the ones that didn't called our emergency hotline," says van Zadelhoff. "If the customer's data has been encrypted, then we focus on damage control. Our team gets on site to find the backups, restore them and try to get them to work, but this can take weeks."
Although there is some effort being made in the cybersecurity industry to develop a decryptor for WannaCry, it's not a good idea to bank on a decryptor coming through to save your data because the level of encryption used by the hackers is strong. And we can't always rely on a kill switch being available, like the domain-registration technique discovered by 22-year-old British cybersecurity researcher Marcus Hutchins.
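The honeypots and DNS sinkholes mentioned earlier and the kill-switch domain mentioned here both rely on the same observation: an infected host has to look the domain up, so resolver or sinkhole logs are a place to spot it. The following is an added example, not IBM's tooling or anything from the article: it scans constructed BIND-style query-log lines for lookups of a kill-switch domain and summarises which internal hosts made them. The article does not name the real domain, so `killswitch-placeholder.invalid` is a placeholder, and the log lines are made up.

```python
import re

# Placeholder: the article does not name the actual kill-switch domain,
# so a clearly fake one stands in here. Replace with the real sinkholed name.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.invalid"}

# Constructed BIND-style query-log lines (not real telemetry). One line is
# deliberately malformed to show that unparsable input is skipped, not fatal.
SAMPLE_DNS_LOG = """\
14-May-2017 09:12:01.123 client 10.0.4.22#51234: query: www.example.com IN A + (10.0.0.53)
14-May-2017 09:12:02.456 client 10.0.4.22#51235: query: KillSwitch-Placeholder.invalid. IN A + (10.0.0.53)
14-May-2017 09:12:05.001 client 10.0.7.9#40011: query: killswitch-placeholder.invalid IN A + (10.0.0.53)
14-May-2017 09:12:07.778 client 10.0.4.22#51240: query: killswitch-placeholder.invalid IN A + (10.0.0.53)
this line is garbage and should be skipped
14-May-2017 09:13:00.000 client 10.0.9.1#33333: query: update.example.org IN AAAA + (10.0.0.53)
"""

# Matches "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(qname):
    """Strip the trailing dot of a fully qualified name and lower-case it,
    so case or FQDN form in the log cannot dodge the match."""
    return qname.rstrip(".").lower()


def is_killswitch(qname, domains=KILL_SWITCH_DOMAINS):
    """True if qname is one of the watched domains or a subdomain of one."""
    name = normalise(qname)
    return any(name == d or name.endswith("." + d) for d in domains)


def find_killswitch_queries(lines, domains=KILL_SWITCH_DOMAINS):
    """Aggregate kill-switch lookups per source IP.

    Returns {source_ip: {"count": n, "first_seen": ts, "last_seen": ts}}.
    Lines that do not match the query-log format are ignored.
    """
    hits = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or not is_killswitch(m["qname"], domains):
            continue
        rec = hits.setdefault(
            m["src"], {"count": 0, "first_seen": m["ts"], "last_seen": m["ts"]}
        )
        rec["count"] += 1
        rec["last_seen"] = m["ts"]
    return hits


def report(hits):
    """Render the aggregate as lines, busiest source first."""
    return [
        f"{src}: {rec['count']} kill-switch lookup(s), "
        f"first {rec['first_seen']}, last {rec['last_seen']}"
        for src, rec in sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    ]


if __name__ == "__main__":
    for line in report(find_killswitch_queries(SAMPLE_DNS_LOG.splitlines())):
        print(line)
```

Run against a real resolver log, each reported source is a host worth isolating and checking for the missing patch, since the lookup is a sign of the worm rather than of a user browsing; matching subdomains as well as the exact name guards against a variant that prepends a label.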
Van Zadelhoff says that he has been worrying about this rising trend in data breaches since 2011, which prompted IBM to focus on cybersecurity in 2012. IBM Security has been hiring 1,000 people a year for the last two years. He is most concerned about cyberattacks having a real-world impact that hurts people.
"WannaCry has raised awareness. What this hack confirms beyond a doubt is that people are willing to kill to make money. When you go after hospitals like this group of hackers did, there's a high chance people will miss appointments, miss surgery, potentially die. It's public confirmation that these hackers are interested in money at all costs," he warns.
"It was an innovative attack method. We got lucky that it didn't spread more widely. Be prepared for wave two. Very simple – get these four things done before they make another variant with no kill switch."