When it comes to online currency, lulz just might outvalue Bitcoin.
A unknown group of hackers is working behind the scenes to restart the ransomware WannaCry, and one security expert believes the culprits this time around aren’t who you think.
And neither is their motivation.
Contrary to what you might expect, it appears not to be the initial group responsible for WannaCry now working to startle the ransomware monster awake from its slumber. Rather, we may have some internet randos to thank.
Why? The leading theory, proposed by security researcher Marcus Hutchins, suggests it’s all about shits and giggles.
WannaCry rushed onto the international scene on May 12, infecting and encrypting hundreds of thousands of computer systems running unpatched Windows operating systems. The ransomware demanded that victims pay around $300 in the cryptocurrency Bitcoin to their attackers if they ever wanted to see their files again.
“Yeah, it’s most likely scriptkiddies doing it for lulz.”
Some paid up, but computers stayed encrypted.
And while the damage was bad — England’s National Health Service was hit particularly hard — it could have been a lot worse. The ransomware — which utilized a stolen NSA exploit called EternalBlue — stopped spreading when Hutchins registered a mysterious domain he discovered in the malware code and sinkholed it.
Hutchins explained the process on his blog, noting that “a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them.”
The ransomware, it seems, was designed to contact Hutchins’ domain before it spread to the next victim. Hutchins’ registration of that domain created a kind of kill switch — effectively telling WannaCry to stop spreading.
As long as that domain, and one other discovered and sinkholed by a different researcher, remain up and active the ransomware won’t spread. Which brings us back to our lulz-pirates.
Hutchins has observed an intentional distributed denial of service attack aimed at his domain with the apparent goal of knocking it offline. Wired reports that the traffic appears to be coming courtesy of the Mirai botnet — the same botnet, comprised of IoT devices like wireless security cameras, that brought down parts of the internet in the fall of 2016.
Today’s Sinkhole DDoS Attack pic.twitter.com/wxT2YUrdOF
— MalwareTech (@MalwareTechBlog) May 18, 2017
Why would anyone do this? Could the initial WannaCry developers simply want more computers infected with the hope of making more money? Probably not.
As Hutchins confirmed via Twitter direct message, the initial attackers can’t appear to even keep up with the volume of decryption requests they’ve already received.
“[The] decryption system is stupid and completely unscalable,” he observed.
In other words, infecting more computers won’t exactly translate to more Bitcoin in their wallets. That leaves another possibility: someone just looking to mess with people.
“Yeah, it’s most likely scriptkiddies doing it for lulz,” Hutchins further speculated — using a term that refers to relatively low-skilled hackers.
So there you have it. If someone manages to knock Hutchins’ sinkhole offline, allowing WannaCry to spread further in the process, you’ll likely have some random prankster with a messed up sense of humor to thank.
But don’t stress about it too much. “The DDoS is unlikely to be successful,” reassures Hutchins.
Phew. Now if only Hutchins could solve our other internet security problems.