Why did WannaCry authors implement a killswitch?
Why did the authors implement this? This effectively bounds the amount of money they receive from the attack. Clearly civic duty is not their priority, unless they are maybe trying to reach a balance between their reward and the amount of damage. But this is hard to support: ransomware infections always cause much more damage than the authors earn (according to available public estimates, WannaCry's authors made less than 100 k$, which seems really small to me).
Also, why did they implement such a poor killswitch scheme? Everybody can register a domain, and the domain itself appears to be relatively simple to find in the code. They could have implemented an asymmetric encryption scheme, which only they would have been able to use.
Of course there is no way to know the actual reasons, but I still wonder: does anybody have some insight on why as a ramsomware author you would do things this way?
5 comments
[ 5.9 ms ] story [ 22.6 ms ] threadHowever I agree with you on the poor implementation of the killswitch. The first thing that came to mind was, why not use an .onion instead? It might mean bundling the malware with TOR but I've seen enough of these use cases to know it's not a challenging thing to implement. Better to have the entire computing might of the world struggle to crack your private key instead of some lucky researcher registering your domain and halting your spread.