Since its discovery on Friday afternoon, the WannaCry ransomware attack has continued to spread, impacting over 10,000 organizations and 200,000 individuals in over 150 countries, according to European authorities. However, while measures have been taken to slow the spread of the malware, new variations have begun to surface.

WannaCry is far and away the most severe malware attack so far in 2017, and the spread of this troubling ransomware is far from over.
What is WannaCry?
First and foremost, let's clarify exactly what WannaCry is. This malware is a scary type of trojan called "ransomware." As the name suggests, the malware in effect holds the infected computer hostage and demands that the victim pay a ransom in order to regain access to the files on his or her computer.

Ransomware like WannaCry works by encrypting most or even all of the files on a user's computer. Then, the software demands that a ransom be paid in order to have the files decrypted. In the case of WannaCry specifically, the software demands that the victim pay a ransom of $300 in bitcoins at the time of infection. If the user doesn't pay the ransom within three days, the amount doubles to $600. After seven days without payment, WannaCry will delete all of the encrypted files and all data will be lost.
WannaCry paralyzed computers running mostly older versions of Microsoft Windows. The Russian security firm Kaspersky Lab said Monday that portions of the WannaCry program use the same code as malware previously distributed by the Lazarus Group, a hacker collective behind the 2014 Sony hack blamed on North Korea. But it's possible the code was simply copied from the Lazarus malware without any other direct connection. Kaspersky said "further research can be crucial to connecting the dots."

Another security company, Symantec, has also found similarities between WannaCry and Lazarus tools, and said it's "continuing to investigate for stronger connections."
Researchers might find some additional clues in the bitcoin accounts accepting the ransom payments. There have been three accounts identified so far, and there's no indication yet that the criminals have touched the funds. But what good is money just sitting there as digital bits?

Although bitcoin is anonymized, researchers can watch it flow from user to user. So investigators can follow the transactions until an anonymous account matches with a real person, said Steve Grobman, chief technology officer with the California security company McAfee. But that technique is no sure bet. There are ways to convert bitcoins into cash on the sly through third parties. And even finding a real person might be no help if they're in a jurisdiction that won't co-operate.
Another possible slip-up: Nicholas Weaver, who teaches networking and security at the University of California, Berkeley, said good ransomware usually generates a unique bitcoin address for each payment to make tracing difficult. That didn't seem to happen here.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said U.S. investigators are collecting forensic information - such as internet addresses, samples of malware or information the culprits might have inadvertently left on computers - that could be matched with the handiwork of known hackers.

Investigators might also be able to extract some information about the attacker from a previously hidden internet address connected to WannaCry's "kill switch." That switch was essentially a beacon sending the message "hey, I'm infected" to the hidden address, Weaver said.

That means the very first attempts to reach that address, which might have been recorded by spy agencies such as the NSA or Russian intelligence, could lead to "patient zero" - the first computer infected with WannaCry. That, in turn, might further narrow the focus on possible suspects.
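The same "first attempt to reach the beacon address" reasoning applies inside a single organization: whoever queried the kill-switch name earliest in your own DNS logs is your local patient zero candidate. The following is an added example, not code from the original article or from any vendor named in it; the domain `killswitch.example`, the log format and the log lines are all constructed for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Placeholder for the kill-switch name (assumption; not the real WannaCry domain).
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample DNS query log: "<ISO timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2017-05-12T07:44:02Z 10.0.3.17 update.microsoft.com
2017-05-12T07:44:09Z 10.0.3.17 killswitch.example
2017-05-12T07:44:10Z 10.0.5.22 killswitch.example
2017-05-12T07:44:11Z 10.0.3.17 killswitch.example
2017-05-12T07:45:00Z 10.0.9.8 mail.example.org
2017-05-12T07:46:31Z 10.0.9.8 KillSwitch.example.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, client, qname); malformed lines are skipped.
    Query names are lower-cased and stripped of a trailing dot so they compare cleanly."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3).lower().rstrip(".")))
    return records


def beacon_first_seen(records, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, datetime]:
    """Map each client that queried the beacon name to its earliest query time.
    Every host in this map should be treated as infected, not only the earliest one."""
    first: Dict[str, datetime] = {}
    for ts, client, qname in records:
        if qname == domain.lower() and (client not in first or ts < first[client]):
            first[client] = ts
    return first


def patient_zero_candidate(records, domain: str = KILL_SWITCH_DOMAIN) -> Optional[str]:
    """Earliest beaconing client in this log, or None if nobody queried the name.
    Only as reliable as the log's coverage: a resolver with a gap can hide the true first host."""
    first = beacon_first_seen(records, domain)
    return min(first, key=first.get) if first else None
```

Because the beacon query happens before the worm decides whether to run, a host that never resolved the name is not necessarily clean; treat the list as a starting point for isolation and imaging, not as the full scope of the incident.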
Forensics, though, will only get investigators so far. One challenge will be sharing intelligence in real time to move as quickly as the criminals - a tricky feat when some of the major nations involved, such as the U.S. and Russia, distrust each other.

Even if the perpetrators can be identified, bringing them to justice could be another matter. They might be hiding out in countries that wouldn't be willing to extradite suspects for prosecution, said Robert Cattanach, a former U.S. Justice Department attorney and an expert on cybersecurity.