Why did WannaCry authors implement a killswitch?

6 points by giomasce ↗ HN
In many WannaCry variants there is a killswitch that pings a domain and only spread if the domain does not reply. So, once you discover this right domain, you can heavily slow down that variant of WannaCry by registering that domain and putting a webserver on it.

Why did the authors implement this? This effectively bounds the amount of money they receive from the attack. Clearly civic duty is not their priority, unless they are maybe trying to reach a balance between their reward and the amount of damage. But this is hard to support: ransomware infections always cause much more damage than the authors earn (according to available public estimates, WannaCry's authors made less than 100 k$, which seems really small to me).

Also, why did they implement such a poor killswitch scheme? Everybody can register a domain, and the domain itself appears to be relatively simple to find in the code. They could have implemented an asymmetric encryption scheme, which only they would have been able to use.

Of course there is no way to know the actual reasons, but I still wonder: does anybody have some insight on why as a ramsomware author you would do things this way?

5 comments

[ 5.9 ms ] story [ 22.6 ms ] thread
From what I've read, it's not uncommon for these types of malware to implement similar schemes. They send the HTTP requests to one of N domains over some period of time in order to detect whether or not the malware is being run inside of a sandbox. If the IP of every response matches, they cease to operate. Their intention, it seems, is to avoid in-depth analysis by researchers, hoping to prolong the malware's lifespan. However, in this particular case, such a check had the opposite effect.
Is there a safe way a sandbox could mock these HTTP requests to trip up the sandbox detection?
It is very implausible. A sandbox detection algorithm has a lot of different options on what to observe to decide whether it is running in a "genuine" environment or in an "artificial" one. You probably have to see what every single sandbox detector is doing and cook up something specific for that.
As to why they implemented the killswitch, a simple guess will be a slip up or poor personal security leading to your lair being raided by some unforgiving 3 letter agency that doesn't mind meting out a few harsh knocks until you cease the spread.

However I agree with you on the poor implementation of the killswitch. The first thing that came to mind was, why not use an .onion instead? It might mean bundling the malware with TOR but I've seen enough of these use cases to know it's not a challenging thing to implement. Better to have the entire computing might of the world struggle to crack your private key instead of some lucky researcher registering your domain and halting your spread.