Security experts are analyzing the WannaCry worldwide ransomware attack — and some have detected amateur flaws, according to an NPR analysis.
Ransomware is often distributed using 'kits' sold on the dark web, meaning inexperienced cyberattackers may purchase sophisticated software developed by someone else, NPR reports. That's what some security experts, like police detective Nick Selby, believe happened in the WannaCry attack.
Here are three hints an amateur executed WannaCry.
1. The 'kill switch.' A 22-year-old U.K. security researcher — who goes by the online name "MalwareTech" — discovered a kill switch in the software's code, which he told the BBC was "partly accidental." The researcher noticed the ransomware contacted a single web address while infecting its targets and decided to register it for $10.69 — which stopped the software's spread.
Paul Burbage, malware researcher for Flashpoint-Intel, told NPR this simple fix raised questions: "The kill switch allowed people to prevent the infection chain fairly quickly," Mr. Burbage said. "It was kind of a noob mistake, if you ask me."
2. Payment processes. Mr. Burbage said the WannaCry ransomware used a manual payment system — rather than an automatic one — in which the attackers send each affected user an individual code to accept bitcoin payment.
"It leads me to think they did not think it would spread as far as it is," Mr. Burbage told NPR. "You know I really think these guys are running scared, and they're probably lying low at this point."
3. Geographic scope. Cyberattackers that extort bitcoin typically have a 'safe-zone,' Jonathan Levin, co-founder of bitcoin-analysis company Chainalysis, told NPR. These safe-zones are regions where the cyberattackers don't release their malware, in the hopes financial authorities "turn a blind eye" when they convert bitcoin into standard currency, according to NPR.
However, WannaCry showed no sign of geographic preference, infecting more than 200,000 computers in more than 150 countries.