evidence they said could link North Korea with WannaCry. Symantec and Kaspersky Lab say that some code in an earlier version of the ransomware had also appeared in programs used by another group that several companies have identified as a North Korea-run hacking operation.
for the EternalBlue vulnerability in March.
at telecom giant Bell Canada was not related to the WannaCry attack, the company said Monday after 1.9 million customer e-mail addresses were illegally accessed. “There is no indication that any financial, password or other sensitive personal information was accessed,” Bell said in a statement about the breach.
How this man stopped WannaCry, for now
The defeat of WannaCry is widely credited to a 22-year-old British computer expert, Marcus Hutchins, who works for Los Angeles-based Kryptos Logic. He’s the one who discovered a so-called kill switch that slowed the unprecedented outbreak on Friday.
In his first face-to-face interview, Mr. Hutchins told Associated Press Monday that he stumbled across the solution while analyzing a sample of the malicious code and noticing it was linked to an unregistered web address. He promptly registered the domain, something he regularly does to discover ways to track or stop cyber threats, and found that doing so stopped the worm from spreading.
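The kill switch worked because the worm checked in with a hard-coded, unregistered domain before doing anything else: a failed lookup meant "carry on", a successful one meant "exit". The following defender-side check, added here and not code from the article or from Kryptos Logic, reads resolver logs for lookups of that domain and tells an incident responder which hosts ran the worm and whether the kill switch actually halted them. The domain name and log lines are constructed placeholders; the article does not give the real domain.

```python
"""Classify hosts by their lookups of the WannaCry kill-switch domain."""
import re

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed resolver-style log lines: timestamp, client, query, answer.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z client=10.1.4.22 query=killswitch.example rcode=NXDOMAIN
2017-05-12T10:01:09Z client=10.1.4.23 query=updates.example.net rcode=NOERROR
2017-05-12T15:44:51Z client=10.1.7.8 query=killswitch.example rcode=NOERROR
2017-05-12T15:45:02Z client=10.1.4.22 query=killswitch.example rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)$"
)


def classify_kill_switch_lookups(log_text: str, domain: str = KILL_SWITCH_DOMAIN):
    """Map each host that looked up the kill-switch domain to a verdict.

    NXDOMAIN  -> the lookup failed (domain still unregistered), so the worm
                 went on to spread from this host: "active", contain it.
    NOERROR   -> the domain resolved (registered/sinkholed), so the worm
                 exited: "halted", but the host still executed the malware
                 and needs cleanup.
    A host seen with both answers keeps the more severe verdict, "active".
    """
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["query"].lower() != domain:
            continue  # malformed line or a query for some other name
        verdict = "active" if m["rcode"] == "NXDOMAIN" else "halted"
        if verdicts.get(m["client"]) != "active":
            verdicts[m["client"]] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {verdict}")
```

Hosts whose check-in never reached the resolver at all (for example, machines forced through a proxy the worm could not use) will not appear in this output and were not stopped by the kill switch, so absence from the list is not evidence of a clean host.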
Salim Neino, CEO of Kryptos Logic, said Mr. Hutchins took over the kill switch on Friday afternoon European time, and that doing so protected the United States from the worst of the ransomware:
Marcus, with the program he runs at Kryptos Logic, not only saved the United States but also prevented further damage to the rest of the world. Within a few moments, we were able to validate that there was indeed a kill switch. It was a very exciting moment. This is something that Marcus validated himself.
Mr. Neino said the company was not able to identify “patient zero,” the first system infected, which would give researchers more information about who was behind the attack. Nevertheless, he said the worm was “poorly designed” – patched together and a “sum of different parts” with an unsophisticated payment system.
Mr. Hutchins has long tweeted under the handle MalwareTech, which features a profile photo of a pouty-faced cat wearing enormous sunglasses. But he realizes his newfound fame will mean an end to the anonymity. After all, now he’s a computer celebrity; he’s been in touch with the FBI, as well as British national cyber-security officials.
It is likely to be a big adjustment. Mr. Hutchins lives with his family in the seaside town of Ilfracombe, where he works out of his bedroom on a sophisticated computer setup with three enormous screens. He will soon become a local hero – but if you ask him, his life of celebrity will be short lived. “I felt like I should agree to one interview,” he said. But even that made the fame-averse Mr. Hutchins so nervous that he initially misspelled his last name, leaving out the letter “n” when doing a sound-level for the cameras.
His mother Janet, a nurse, couldn’t be prouder – and was happy to have the veil of anonymity lifted:
I wanted to scream, but I couldn’t.
Mr. Hutchins told Associated Press that he doesn’t consider himself a hero but fights malware because “it’s the right thing to do”:
I’m definitely not a hero. I’m just someone doing my bit to stop botnets.
What we still don’t know
While security experts figured out fairly quickly how to slow down WannaCry, several mysteries remain about who started it and why it spread the way it did.
Who was behind it?
Some researchers have found evidence they say could link North Korea with the attack. A senior researcher from South Korea’s Hauri Labs, Simon Choi, told Reuters on Tuesday that the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.
Mr. Choi, who has done extensive research into North Korea’s hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation. The Lazarus hackers have, however, been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81-million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused the group of being behind a cyber attack on Sony Pictures in 2014.
How did it spread?
Researchers are still unsure exactly how the malware spread in the first place, IBM Security’s Caleb Barlow told Reuters. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files – that download the ransomware. The problem in the WannaCry case is that despite digging through the company’s database of more than one billion e-mails dating back to March 1, Mr. Barlow’s team could find none linked to the attack.
The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online. But the puzzle is how the first person in each network was infected with the worm, Mr. Barlow said.
Some cybersecurity companies, however, say they’ve found a few samples of the phishing e-mails. FireEye told Reuters it was aware customers had used its reports to successfully identify some e-mails associated with the attack. But the company agrees that the malware relied less on phishing e-mails than other attacks did. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without them.
Why didn’t the hackers make more money?
Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency. There were only three bitcoin wallets, and the campaign has so far earned only $50,000 or so, despite the widespread infections. IBM Security’s Mr. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.
Jonathan Levin of Chainalysis, which monitors bitcoin payments, told Reuters there were other differences compared to most ransomware campaigns: for instance, the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages. And so far, Mr. Levin said, the bitcoin that had been paid into the attackers’ wallets remained there – compared to another campaign, known as Locky, which made $15-million while regularly emptying the bitcoin wallets.
What might happen next
Reports have already emerged of new variants of WannaCry, and security experts are remaining vigilant to prevent them from doing more harm. One was detected on Monday, cyber security firm Check Point Software Technologies Ltd. told Reuters, but said it had been stopped from damaging computers by activating a kill switch in the software.
The WannaCry scare has also renewed fears of future threats from the Shadow Brokers, the hacker group that took credit for leaking the NSA information used in the WannaCrypt attack. An apparent communiqué from the Shadow Brokers, posted in its trademark garbled English on a blog believed to be run by the group, threatened to release tools on a monthly basis to anyone willing to pay for access to some of the tech world’s biggest commercial secrets. The post also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details. “More details in June,” it promised.
With reports from Josh O’Kane and Shane Dingman