As the global infosec community continues to fight back against the threat of new attacks, the cybercriminals behind the WannaCry ransomware attacks are still at it, attempting to reap as much profit as possible. Security experts have detected new ransom demands made by the WannaCry hackers. Some experts working to mitigate the attacks and come up with a decryption key for infected users have reportedly been targeted by DDoS attacks leveraging the prolific Mirai botnet.
The attacks are an attempt to go after the kill switch activated by Marcus Hutchins, aka MalwareTech, a 22-year-old British security researcher working for Kryptos Logic, who became the "accidental hero" by stopping the first wave of global ransomware attacks that hit numerous companies and networks across 150 countries.
Mirai-powered DDoS attacks against the WannaCry kill switch
Once news broke about MalwareTech stopping the attacks, the sinkhole – the kill switch website used to direct malware to a specific web address to contain it – almost immediately came under attack from the WannaCry hackers.
"Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole," MalwareTech told Wired. He added that the DDoS attacks may not have been the work of the original WannaCry authors. Instead, he believes that this may be the work of other hacker groups that want to restart the WannaCry epidemic just for fun.
"They've obviously got no financial incentive. They're not the ransomware developers," the researcher said. "They're just doing it to cause pain." He added that the attacks appear to be coming from known Mirai-based botnets that appeared when the botnet's source code was first publicly released by its creator Anna_Senpai. Hutchins believes that the attacks are the work of low-level hackers using publicly available tools.
"Now any idiot and their dog can set up a Mirai botnet," Hutchins says.
However, Hutchins is confident that he and his colleagues at Kryptos Logic can keep the attackers at bay. The firm has also enlisted an unspecified DDoS mitigation company to help defend against the hackers.
New ransom demands
Although the spread of the attacks has been stopped, the WannaCry attackers are sending out new ransom demands to victims. According to a tweet by Symantec, as of 18 May, victims were still receiving new messages from the WannaCry hackers.
A Twitter account cataloguing the activity of the three bitcoin wallets tied to the WannaCry attacks in real time shows that numerous people have paid ransoms and some continue to do so. As of now, over $94,000 has been raked in by the attackers, according to the Twitter bot.
However, so far, none of the money has been transferred out, indicating that the attackers controlling the bitcoin wallets may be playing it safe in an effort to avoid attracting the attention of the numerous law enforcement agencies now actively hunting them.
There's still uncertainty surrounding the identity of the WannaCry authors. Although some security experts said the North Korean hacker group Lazarus, also believed to be behind the infamous Sony hack, may be linked to the ransomware, a recent statement by Interpol indicates that attribution is yet to be nailed down conclusively.
Experts are tirelessly working on creating viable decryption tools that may help WannaCry victims get back access to their lost data.