
WannaCrypt is a shot heard 'round the world, for sure.

I have seen news articles saying that people have paid more than $20,000 in ransoms. Here's one from Krebs: Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far

But my question is: Has anybody successfully decrypted their files after paying?

Anders
SDsolar
  • That will be PR damage; I doubt anyone will tell you the story, whether success or failure. – mootmoot May 17 '17 at 15:48
  • @mootmoot, I can see your point - they are telling people not to pay. And I guess all the news is controlled these days. +1 – SDsolar May 17 '17 at 16:01
  • Related: https://security.stackexchange.com/questions/159740/wannacrypt-smb-exploit-known-since-stuxnet-circa-2008-but-microsoft-hid-the-fi?noredirect=1&lq=1 and https://security.stackexchange.com/questions/159575/how-are-emails-used-to-spread-wannacry?noredirect=1&lq=1 – SDsolar May 17 '17 at 16:10
  • One side note that hasn't been mentioned is that once you pay that ransom, hey, guess what: anyone else who's looking for potential victims is going to turn to you again as a source of revenue. – Jingo May 17 '17 at 19:56
  • Yes, certainly; one of my friends successfully got rid of WannaCry and other types of ransomware. Even I was attacked by one and he helped get my data back into normal form. – Jaffer Wilson Jun 15 '17 at 08:21

4 Answers


Yes, some have apparently gotten their files decrypted after paying the ransom.

We have confirmation that some of the 200+ #WannaCry victims who have paid the ransom have gotten their files back. Still, not recommended.

(tweeted by Mikko Hypponen, CRO at F-Secure, on May 15, 2017)

But there is absolutely no guarantee to get yours decrypted after paying and chances seem to be pretty low, especially since it's not an automated process but requires interaction with a human operator. Security researchers strongly recommend against paying the ransom.

Matthew
Arminius
  • How can this happen since the criminals only used 3 Bitcoin wallets due to a blunder? They have no way of knowing who sent the coins (unless 2 unique companies got the first 2 wallet references and the rest of the world got the third one, in which case only up to 2 companies could have gotten the decryption). – niilzon May 18 '17 at 09:13
  • @niilzon It seems to be a tedious manual process and you're right that some people will inevitably not get their files back. – Arminius May 18 '17 at 09:33

To be frank, the ransom payment is a typical prisoner's dilemma. If nobody gets their files decrypted (some companies will have a security assessment and info sharing policy with the authorities), it will destroy the ransomware attacker's reputation, thus destroying the future "prospects". However, there is a chance that the ransomware attacker makes blunders.

The issue lies in the encryption key. To maximise the ransom profit, generating a new crypto key for every PC is the way to go. However, it also introduces the risk of the crypto key going missing in transit to the bad guys' C&C (command and control) server.

So having a pre-generated crypto key will guarantee a decryption, but it also means those who pay may "reuse" the decryption key on many PCs.

(update): As suggested by @Josef, the attacker may use an asymmetric key to encrypt an ad hoc unique key, i.e. the ransomware code uses a public key to encrypt the ad hoc crypto key. This means the malware needs to send this first-level encrypted data back to the C&C server. But there is one catch for this mechanism: if the authorities block the IP of the C&C, it will "hurt" the syndicate's "sales performance" (sarcasm).

mootmoot
  • Well, actually you can just generate a new key for every PC and then locally encrypt that with asymmetric cryptography. No need to collect all the keys, and still a different key for every PC... – Josef May 18 '17 at 09:02
  • @Josef: what you say just adds another layer of obfuscation. The common starting ground just moves to your crypto key that encrypts the newly generated crypto key. Reverse engineering can just take this common crypto key and decrypt the locally generated crypto key. – mootmoot May 18 '17 at 09:49
  • That's not how public-key cryptography works! – Josef May 18 '17 at 09:51
  • @Josef: Let me see. If the ad hoc crypto key is encrypted with a public key, then the only way to get a decryption key is sending this encrypted crypto key to the attacker. I will update my "answer". – mootmoot May 18 '17 at 11:33
  • The point is you later give them the encrypted key with the payment info and get the decrypted key. No need to send that key at all for people who didn't pay... – Josef May 24 '17 at 10:09

Yes, some victims have received the decryption key after paying the ransom. However, due to the scale of the infection and the way the ransomware is coded, it is likely the criminals won't be able to honor decryption requests:

Those meager profits may partly stem from WannaCry barely fulfilling its basic ransom functions, says Matthew Hickey, a researcher at London-based security firm Hacker House. Over the weekend, Hickey dug into WannaCry’s code and found that the malware doesn’t automatically verify that a particular victim has paid the demanded $300 bitcoin ransom by assigning them a unique bitcoin address. Instead, it provides only one of four hardcoded bitcoin addresses, meaning incoming payments don’t have identifying details that could help automate the decryption process. Instead, the criminals themselves have had to figure out which computer to decrypt as ransoms come in, an untenable arrangement given the hundreds of thousands of infected devices. “It really is a manual process at the other end, and someone has to acknowledge and send the key,” says Hickey.

Hickey warns that the setup will inevitably lead to the criminals failing to decrypt computers even after payment. He says he’s already been monitoring one victim who paid more than 12 hours ago and has yet to receive a decryption key. “They’re not really prepared to deal with an outbreak of this scale,” Hickey says.

(Source here. Emphasis mine.)

Note that if your infected machine runs Windows XP, you may be able to recover your files for free. There is a way to fetch the decryption key from RAM, so provided you haven't switched off the machine after the infection, you may be able to get your data back without paying any ransom.
EDIT: good news, this method also works for all Windows versions from XP to 7.

dr_
  • When I read Brian Krebs' book Spam Nation, he said something similar: that the success of spammers was based on their customer service. – SDsolar May 21 '17 at 00:37
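The layered key handling mootmoot and Josef debate above (a per-file key wrapped with an RSA public key) and the "fetch the key from RAM" recovery dr_ mentions, shown together as one added example that is not code from the question, any answer, or WannaCry itself. Everything here is constructed: the RSA primes are deliberately tiny known Mersenne primes, the memory image is random filler with one prime left behind, and the function names are mine; real keys are 2048-bit and padded, but the recovery logic is the same.

```python
import random

# Constructed, tiny "victim" RSA key from two known Mersenne primes (real keys are 2048-bit).
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537


def rsa_wrap(session_key: int, n: int = N, e: int = E) -> int:
    """Textbook (unpadded) RSA wrap of a per-file session key: demo only."""
    return pow(session_key, e, n)


def build_memory_image(prime: int, seed: int = 1) -> bytes:
    """Constructed process-memory dump: random filler with one RSA prime
    left behind as a little-endian integer (as Windows CryptoAPI stores them)."""
    rng = random.Random(seed)

    def filler(k: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(k))

    return filler(1500) + prime.to_bytes(16, "little") + filler(1500)


def find_prime_in_memory(image: bytes, n: int, min_len=8, max_len=32):
    """Scan every offset and length for a little-endian integer dividing n.
    Only a genuine prime factor of n passes, so random filler never matches."""
    for off in range(len(image)):
        for ln in range(min_len, max_len + 1):
            cand = int.from_bytes(image[off:off + ln], "little")
            if 1 < cand < n and n % cand == 0:
                return cand
    return None


def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """One prime is enough: q = n / p, then d = e^-1 mod (p-1)(q-1)."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def recover_session_key(image: bytes, wrapped: int, n: int = N, e: int = E):
    """Full recovery path; returns None when no prime survived in memory
    (e.g. the machine was rebooted and the pages were reused)."""
    p = find_prime_in_memory(image, n)
    if p is None:
        return None
    return pow(wrapped, rebuild_private_exponent(n, e, p), n)
```

This is why the advice in the answer is "don't switch the machine off": the public key on disk is useless on its own, and the prime is only recoverable while the malware's memory pages have not been reused.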

No successful decryption is known, and neither is the way the ransom payment is linked to the infected PC. But look at the number of paid ransoms: about 269 known cases (through watching the bitcoin wallets; see https://twitter.com/actual_ransom) against the known infections (220,000).

user689443
  • I see your point. I would think it is a story to tell: Whether or not the payments are doing anything useful, or just a waste. We did hear about the hospital and the sheriff's dept that paid and got decrypted. – SDsolar May 17 '17 at 16:03
  • The number of known infections doesn't equal the number of systems encrypted. The infection is counted on the kill-switch, and the kill-switch prevents the ransomware from encrypting the files. – user2716262 May 17 '17 at 19:14