Early on Saturday morning, May 13, 2017, news broke that an NSA-derived ransomware worm — known as WannaCry or WCry — had been shutting down computers worldwide. At the time of the report, at least 75,000 computers had been affected by WCry, with Russia taking the brunt of the attacks. The worm was eventually stopped when a security researcher who goes by the Twitter handle “MalwareTech” registered a domain name that acted as a kill switch for the worm. Until then, however, WCry managed to register over 213,000 infections in 112 countries — causing widespread chaos across many “mission-critical organisations”. At least 16 hospitals in the UK even had to redirect emergency patients to other facilities because of the attacks.
WCry is notable for two things: (a) it utilises an NSA-developed, weapons-grade exploit called EternalBlue that was recently leaked by a group calling themselves the Shadow Brokers; and (b) it demands that the ransom be paid in bitcoins. It is the latter that we will be focusing on here, as WCry’s use of bitcoin as its desired method of ransom payment — along with the amount of media attention it attracted — has once again stirred up heated debates regarding bitcoin’s role in unlawful activities.
The origins of ransomware
Ransomware is essentially malicious software that disables access to data on a victim’s computer until a ransom is paid. While ransomware may seem like a relatively recent development, it has actually been around for almost three decades. In fact, the earliest known record of ransomware dates back to 1989 — twenty years before the birth of Bitcoin — when a piece of ransomware called PC Cyborg Trojan was introduced via 5.25-inch floppy disks that were distributed through a mailing list. PC Cyborg Trojan worked by replacing the autoexec.bat file on the victim’s computer and then hiding all directories and encrypting all files on the victim’s C drive once the trojan detected that the victim’s computer had been started 90 times. It demanded a ransom of $189 in return for the restoration of the victim’s data.
While PC Cyborg Trojan seems primitive by today’s standards, it nevertheless kickstarted the development of increasingly sophisticated ransomware that recently reached its climax with the release of WCry. And this development did not stop at the ransomware’s underlying cryptography; where payment used to be demanded in the form of wire transfers or prepaid cards, recent strains of ransomware have almost exclusively demanded payment in the form of bitcoins.
Bitcoin’s relationship to ransomware
It should come as no surprise that recent strains of ransomware have almost unanimously turned to bitcoin as their preferred method of payment. After all, Bitcoin offers malicious actors a fast, reliable, and verifiable mode of extortion. Bitcoin’s open design allows hackers to simply keep an eye on the public Bitcoin blockchain to track whether a victim has made payment. The process of unlocking a victim’s files can even be automated by linking each victim’s computer to a unique bitcoin address, so that a payment arriving at that address identifies which victim has paid.
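The same open ledger serves defenders too. As an added example that is not part of the original post, the following helper validates a bitcoin address copied out of a ransom note (legacy Base58Check format, so typos are caught before an address is reported or watched) and tallies payments observed to it. The well-known genesis-block address stands in for a note's address, and the transaction outputs are constructed sample data, not real ledger records.

```python
import hashlib

# Added example, not code from the original post: an incident responder's helper
# that checks Base58Check addresses from ransom notes and tallies payments to them
# in a constructed snapshot of public transaction outputs.

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_payload(address):
    """Return version + hash160 (21 bytes) for a valid legacy address, else None."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:  # character outside the Base58 alphabet (e.g. '0', 'O', 'l')
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte (P2PKH version byte 0x00).
    leading_zeros = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def is_valid_address(address):
    return base58check_payload(address) is not None


def tally_payments(outputs, note_addresses):
    """Count and sum (in satoshis) the outputs paid to each valid note address."""
    watch = {a for a in note_addresses if is_valid_address(a)}
    totals = {a: {"payments": 0, "satoshis": 0} for a in watch}
    for _txid, addr, satoshis in outputs:
        if addr in totals:
            totals[addr]["payments"] += 1
            totals[addr]["satoshis"] += satoshis
    return totals


# Constructed sample: the genesis-block address stands in for a note's address;
# the second entry is a mistyped copy of it and must be rejected by the checksum.
NOTE_ADDRESSES = ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                  "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"]
# Constructed (txid, destination, satoshis) outputs, not real ledger data.
OUTPUTS = [("tx01", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 30_000_000),
           ("tx02", "unrelated-address-placeholder", 1_000),
           ("tx03", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", 29_500_000)]

if __name__ == "__main__":
    print(tally_payments(OUTPUTS, NOTE_ADDRESSES))
```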
Unfortunately, however, lawmakers in general remain ignorant of the fact that Bitcoin is merely another useful tool in malicious actors’ arsenals. And just like any other tool, it can be used in both beneficial and harmful ways. So instead of tackling the root of the problem — weak security practices and the stockpiling of zero-day exploits by governments — these lawmakers fall back on calls to ban Bitcoin. Little do they know that it would be trivial for malicious actors to simply switch to a different mode of ransom payment should Bitcoin become inaccessible to them.
Where do we go from here?
The first — and arguably the most important — step in defending ourselves against ransomware or any other kind of malicious software is to adhere to security best practices. Always keep all of your software — including your operating system, antivirus software, web browsers, and bitcoin wallet — up to date. Enable two-factor authentication wherever and whenever possible. Use strong, unique passwords, and never reuse them. Never install unknown programs, never click on suspicious links, and never open suspicious emails. Always keep recent backups of everything, and keep at least one copy offline or otherwise disconnected from your computer, since ransomware will encrypt any backup it can reach. And if you own a substantial amount of bitcoins, consider keeping the majority of them in cold storage.
The second — and equally important — step is to educate others. Just because bitcoin has been the tool of choice for many malicious actors does not mean that bitcoin is, in and of itself, malicious. Just as dollars, euros, or pounds can be used for both lawful and unlawful transactions, bitcoin can also be used for lawful and unlawful transactions. Bitcoin is merely a medium of exchange.
Lastly, if your system has been infected by WCry or any other type of ransomware, do not pay the ransom. There is no guarantee that you will get your data back even if you do pay. Instead, you should immediately report the incident to your local cybercrime authorities.
You should then refrain from restarting or shutting down your computer and wait for further research. This is because, in some limited cases, there may be weaknesses in the ransomware that allow victims to recover their data without having to pay the ransom. A handy resource to keep an eye on for up-to-date security news and analyses is Brian Krebs’ blog at krebsonsecurity.com.