24 Oct 2018

Remember Wannacry?

Wannacry is one of the most widespread pieces of malware in history. This ransomware locks up (encrypts) all files on your computer and demands a ransom payment in bitcoin (the equivalent of $300). More than 200’000 computers in more than 150 countries have been infected so far.

But even though the numbers are daunting, not much damage was done, and the attackers were only able to make about $100’000 in ransom.

So what exactly makes Wannacry so dangerous and widespread?

Well, Wannacry encrypts the files on your computer. Once your files are encrypted, you cannot open them until you decrypt them with a decryption key.

But the catch is that only the hacker holds this key, and he wants money for it. So until you pay, all your documents, images, spreadsheets, and other important files, which you probably don't have backed up, are inaccessible.



Wannacry screen after the computer files were locked.

This ransomware spread so quickly thanks to a security exploit known as EternalBlue, which is believed to have been discovered by the NSA.

EternalBlue is an exploit that targets older Microsoft Windows systems. Microsoft released a patch to fix this weakness, but not all computers were updated, and the ones that were not were left vulnerable.

A victim does not even have to open a phishing email to get infected. The ransomware spreads automatically through a vulnerability in a protocol that lets Windows computers in the same local network communicate with each other.

As sophisticated as the Wannacry malware was, it also had some serious flaws.

The main flaw in Wannacry is a kill switch, which was discovered by accident by the British security expert Marcus Hutchins (also known as "MalwareTech"). He found that the malware periodically checks for a certain domain (URL). If that domain returns a "Success" response (i.e. if the domain is registered), the malware stops working.



Marcus Hutchins

The domain URL is gibberish: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Why would malware check for this specific URL?

Obviously, the malware creator wanted a kill switch in case the monster he created went out of control. But unfortunately for the hacker, the above-mentioned expert Marcus Hutchins discovered the kill switch.

What did Marcus then do?

He registered the domain and helped slow down the spread of the worm.

While the domain wasn’t registered, it didn’t return "Success" to the malware, so the malware worked as normal. But as soon as the domain was registered, the malware received the "Success" response and stopped working - which means it decrypted all the files.

Unfortunately, this was only a temporary solution, because different Wannacry versions later emerged which checked for a different domain URL - or did not have the kill switch implemented at all.
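Because the worm has to look up the kill-switch domain before it runs, those DNS lookups are a useful sign that a host on your network is infected, whether or not the domain happens to be registered at the time. The following Python script is an added example (not code from the original post or from any project mentioned in it) that scans resolver log lines for lookups of the kill-switch domain named above. The log format, the client IP addresses and the timestamps are all constructed for the example; the only domain in the watch list is the one from the article, and the set is meant to be extended with your own threat intelligence.

```python
import re
from collections import defaultdict

# The kill-switch domain named in the article. Other variants used other
# domains; add them here from your own threat intelligence (none assumed).
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample resolver log. Hypothetical line format:
#   <timestamp> <client-ip> query <name> <qtype> <response-code>
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query www.example.com A NOERROR
2017-05-12T10:01:09Z 10.0.4.23 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T10:01:11Z 10.0.4.23 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T10:02:40Z 10.0.4.31 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A NOERROR
2017-05-12T10:03:02Z 10.0.4.17 query updates.example.org A NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+"
    r"(?P<name>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = normalize(rec["name"])
    return rec


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP that queried a kill-switch domain to a list of
    (timestamp, response code) pairs. Any lookup at all means the host is
    running the worm's startup check; the response code shows whether the
    check was answered (domain registered or sinkholed) or not (NXDOMAIN)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["name"] in domains:
            hits[rec["client"]].append((rec["ts"], rec["rcode"]))
    return dict(hits)


def summarize(hits):
    """One report line per suspected host. Unanswered lookups correspond to
    the article's 'domain not registered' case, where the kill switch could
    not have fired and the host should be treated as actively infected."""
    report = []
    for client, events in sorted(hits.items()):
        unanswered = sum(1 for _, rcode in events if rcode == "NXDOMAIN")
        report.append(
            f"{client}: {len(events)} kill-switch lookup(s), {unanswered} unanswered"
        )
    return report


if __name__ == "__main__":
    for line in summarize(find_kill_switch_lookups(SAMPLE_DNS_LOG)):
        print(line)
```

Run against the constructed sample, the script flags 10.0.4.23 (two unanswered lookups, so the kill switch never fired there) and 10.0.4.31 (one answered lookup); the host that only queried ordinary domains is not reported. On a real network, the same lookup pattern is what a DNS sinkhole or firewall log would show, and the hosts it names are the ones to isolate and rebuild from backup.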

So what are the valuable lessons we could learn from this attack?

Updates and patches for your software are there for a reason. You should always update and patch your operating system to the latest version to avoid vulnerabilities in your system. Always back up your important files, as frequently as possible, so that even if your files get encrypted by malware, you have a backup stored somewhere safe.

What does any of this have to do with Monero?

A group of researchers tracked the activity of the three known bitcoin addresses associated with Wannacry and found that the hackers exchanged their bitcoins for Monero.

Why did they use Monero?

Monero is a privacy-focused cryptocurrency, which means that it is practically impossible to track the movement of the coins.

Monero also makes it impossible to check the balance of a given address. Unlike Bitcoin, which is considered a pseudo-private cryptocurrency (all of the transactions and balances are publicly visible), Monero uses something called "ring signatures" to make transactions private.

Don’t you have to register on exchanges and verify your personal information?

When you first start trading on exchanges, you usually have to register and provide your personal information because of KYC and AML compliance requirements.

But there are some services that do not require registration. In the case of the Wannacry ransomware, the hackers used a service called ShapeShift, which does not require any registration.

ShapeShift has acknowledged that the hackers used its service to exchange Bitcoin for Monero and is fully cooperating with law enforcement in this case. But it's probably too late to catch the hackers now.

Is Monero used primarily for illegal activities?

Monero is considered one of the best and most widely used privacy coins. The use of Monero has also sparked a "privacy in cryptocurrencies" debate. Because of its privacy features, Monero is widely used by anyone seeking financial privacy. But that does not mean that all Monero transactions are for illegal purposes.

Cypherpunks (a group largely responsible for inventing cryptocurrencies and making them popular) say it best:

"Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world." - A Cypherpunk's Manifesto (1993)

The Monero card

One of the value cards in the Crypto Cards game represents Monero:

By now it’s probably clear why the coin holds a finger over its mouth. ;)