WannaCry: Who’s behind it? Who’s to blame?

As the amount of money in the three bitcoin addresses associated with the WannaCry attack slowly continues to rise, the question of who is behind the ransomware is still without answer.

wannacry blame

Follow the money?

The money – currently some 40 bitcoin, i.e. around $67,000 – remains where it has been delivered by the victims. Will the criminals ever try to retrieve it, and risk being unmasked? That depends on who they are, and how much money are they willing to leave on the table.

The attack has, by accident or on purpose, attracted the attention of the public, security researchers, law enforcement and intelligence agencies. The risk tied to the withdrawal of the money has escalated with each passing day.

But could it be that the money was never the primary goal?

A connection to state-sponsored hackers

Keen-eyed Google researcher Neel Mehta noticed a similarity of some of WannaCry’s code to that used in a piece of malware associated with Lazarus, a hacking group that has been targeting institutions and businesses in the US and South Korea.

It is believed that the group is behind the 2014 Sony Entertainment attack and the 2016 compromise of Bangladesh’s central bank, and is of North Korean origin.

Other researchers have confirmed that particular finding, but it is not nearly enough to conclusively tie the WannaCry attack to the group. In fact, it could be just a clue left intentionally to throw investigators off the right track.

Another clue that points more in the direction of state-sponsored hackers instead of plain cyber criminals is the fact that the malware sported a so-called kill-switch – a way to stop the infection. But, of course, that could also be a simple error by the authors or, as security researcher Marcus Hutchins (aka MalwareTech) has pointed out, an anti-sandbox check.

As reports began trickling in about victims paying the ransom and not receiving a decryption key, another theory was floated online, half in earnest, half in jest: the WannaCry attack was an attempt, by persons unknown, to kill-off the burgeoning ransomware business model.

The theory goes like this: Make the attack so big that everybody and their mother hears about it, make it known that the criminals are not giving up decryption keys even if they get paid, and see doubt work its magic on other ransomware operations (i.e. more victims decide not to pay the ransom).

By the way, there is currently no available decryption tool for WannaCry victims. This fact that has been exploited by scammers, who were spotted offering fake decryptor tools to the victims.

Blame gets passed around

The only thing that we know for sure is that the attack has made seemingly everybody search for someone else to blame.

Microsoft has blamed users for not implementing updates, but also the NSA and governments in general for stockpiling software vulnerabilities instead of reporting them so that they can get fixed.

Others have also joined in the pile-up.

“Friday’s attack is a clear demonstration of the damage that just a SINGLE exploit can do. If we have learned anything from the NSA hack, and the more recent CIA Vault7 leaks, it’s that potentially hundreds of additional exploits exist, many targeting other platforms, not just Microsoft Windows. Furthermore, many of these are probably already out ‘in the wild’ and available to cybercriminals,” Andy Yen, co-founder of ProtonMail, pointed out.

“At this point, the NSA and CIA have a moral obligation to responsibly disclose all additional vulnerabilities. We would say that this goes beyond just a moral obligation. When your own cyber weapons are used against your own country, there is a duty to protect and defend, and responsible disclosure is now the only way forward.”

This statement is especially appropriate now, as the Shadow Brokers piped up again on Tuesday, to announce their intention of leaking more exploits.

Others have put some of the blame on Microsoft, as the company had the patches for the vulnerability in unsupported versions of Windows for months now, but provided them only to those who were willing to pay for custom support.