Last Friday’s massive WannaCry ransomware attack means victims around the world are facing a tough question: Should they pay the ransom?
Those who do shouldn’t expect a quick response—or any response at all. Even after payment, the ransomware doesn’t automatically release your computer and decrypt your files, according to security researchers.
Instead, victims have to wait and hope WannaCry’s developers will remotely free the hostage computer over the internet. It’s a process that’s entirely manual and contains a serious flaw: The hackers have no way to prove who paid off the ransom.
“The odds of getting back their files decrypted is very small,” said Vikram Thakur, technical director at security firm Symantec. “It’s better for [the victims] to save their money and rebuild the affected computers.”
The WannaCry ransomware, also known as WanaDecryptor, broke out last Friday, infecting vulnerable Windows systems like a computer worm. More than 300,000 machines in 150 countries have been hit so far, U.S. homeland security advisor Tom Bossert said in a press briefing on Monday.
The infection strikes by encrypting all the files on the PC and then displaying a ransom note demanding US$300 or $600 in bitcoin. Victims who don’t pay will have their files erased after seven days.
Owners of these machines may be tempted to pay the ransom, but don’t count on getting your files back, said Matthew Hickey, director of security provider Hacker House.
The culprits can only restore users’ systems by manually sending the decryption key to each affected computer, which will amount to a time-consuming process, he said.
“You’re really at the mercy of the human operator. Someone at the other end of the connection,” Hickey said.
The other problem is that WannaCry has no mechanism to determine who paid what and which computer should be released.
Victims are merely told to send payment to one of three bitcoin wallets and then wait for a decryption key, said Maya Horowitz, threat intelligence group manager at security firm Check Point.
But unlike most ransomware, WannaCry has no process to uniquely identify which ransom payment is tied to which computer, Horowitz said. Instead, users are left with a button on the displayed ransom note that says “check payment.”
“It’ll pop up an error message that says, ‘We didn’t get your payment. The best time to try again is Monday to Friday 9 am to 11 am,’” Horowitz said.
Both Hickey and Horowitz said they haven’t heard of any cases where victims successfully freed their computers by paying the ransom.
However, Mikko Hypponen, chief research officer at security vendor F-Secure, tweeted on Monday that some victims who paid did get their files back. So far, F-Secure hasn’t provided more details.
The hackers behind WannaCry have already managed to rake in more than $56,000, according to records of the three bitcoin wallets provided for payment. But the inefficiency of the payment model makes Hickey wonder whether the hackers were really after money.
“If it was done for money, it wasn’t the smartest way to get it,” he said.
For example, the hackers could have lowered the ransom price to $10, making it cheap for anyone to pay. For a malicious program that’s infected more than 300,000 machines, even a low ransom could have resulted in a huge payoff.
Instead, the hackers asked for a large sum, then used a shoddy payment process that made victims wonder whether they would get what they paid for.
“It removes the incentive to send any money to the attacker,” Hickey said.
It’s still unclear who created WannaCry, whether amateurs or skilled hackers. The fact that there was a “kill switch” in the ransomware, which a researcher was able to activate on Friday, stopping the attack at least temporarily, suggests the coders were sloppy.
But WannaCry does at least one thing well: It flawlessly encrypts all the files on an affected machine. Security sleuths are still studying the ransomware for ways to salvage already infected computers.
“The implementation of the encryption was pretty rock solid,” said Symantec’s Thakur. “There wasn’t any gap to jump in and get the files decrypted.”
Security experts also warn WannaCry might strike again through new, updated variants.
To prevent infection, users should install the latest patches to vulnerable Windows systems, such as Windows 8, and run antivirus products, like Windows Defender, which can detect and stop the ransomware.