[Cryptography] "WannaCry" ransomware has any payment resulted in a key?

Allan Liska allan at allan.org
Thu May 18 00:41:20 EDT 2017


Tom,
A couple of things. 
First, there is a really good Twitter account called @actual_ransom
that is tracking the three known Bitcoin wallets used by the attacker.
According to them, as of tonight, 275 people have paid the ransom for
a total of $80,000 -- that is actually a low percentage compared to
more sophisticated ransomware campaigns.
Remember, crypto ransomware, which is what we are talking about here,
does not lock the computer, just the files. The victim can still use
the browser, download software, even create new unencrypted files. So,
it is trivial for the attacker to verify who the victim is. There
are a couple of ways this is done, depending on the ransomware family:
1. A unique key-pair is used for each victim. The attacker either
checks into a CnC server and downloads the key pair upon successful
infection or builds the ability to generate key pairs into the
ransomware itself, so no CnC is needed.
2. Some ransomware authors have been known to include a unique Bitcoin
address for each victim; they can easily determine the victim based on
the Bitcoin address entered.  
The guys behind WannaCry did neither of these things, which is why
there is almost no chance victims will get their files decrypted.
allan

On 5/17/2017 at 11:12 PM, "Tom Mitchell" wrote: I have been watching
the news on the "WannaCry" ransomware
and I wonder if any payment resulted in a valid key?

It seems that the bitcoin payment step is secure but the delivery of
the key
via return message is the fragile transaction from the criminals view
of things.
A short list of rich payments might be worth the risk to keep the scam
alive but the list must be short.

The interesting tech here if and only if this was a "responsible scam"
would be key management.
Identifying the correct key for the correct 'locked' machine has a
couple issues.  One is the machine is locked so any reliable ID of the
specific machine seems difficult to parse and since the machine is
locked a different machine must be used to make payment, communicate
the machine ID, receive the key and apply it to the locked machine.

Yes, "responsible scam" sounds oxymoronic, at best a cruel kindness.

Well time to go update my machines, scan for viruses and make backups!
Also make myself a 'different' account with admin privileges and make
myself a
goober account for interacting with the world.  Boot and recovery
media too.
What a pain...
-- 
  T o m    M i t c h e l l
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
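The attribution problem Allan describes, seen from the blockchain-watcher's side (the way @actual_ransom tracks the three known wallets), as an added illustration that is not code from this thread: given a roster of victim IDs and the receiving address each ransom note displayed, the function below says which victims a payment could belong to. In the per-victim-address scheme every payment maps to exactly one victim; with shared addresses every payment is ambiguous, so the operator has no reliable way to know whom to send a key to. All victim IDs, addresses, transaction IDs and amounts are constructed placeholders.

```python
"""Payment-to-victim attribution under the two schemes described in the
thread. Added example; every identifier and value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    """One observed on-chain payment (constructed, not a real transaction)."""
    txid: str
    address: str
    amount_btc: float


def index_roster(roster):
    """Build address -> set(victim IDs) from (victim_id, address) pairs,
    e.g. addresses harvested from ransom notes during incident response."""
    idx = defaultdict(set)
    for victim_id, address in roster:
        idx[address].add(victim_id)
    return idx


def attribute(payments, victims_by_address):
    """Return {txid: sorted list of candidate victim IDs}.

    In the per-victim scheme each address maps to one victim, so the list
    has one entry. In a shared-address scheme one address maps to many
    victims, so the payer cannot be identified from the payment alone.
    Payments to an address absent from the roster get an empty list.
    """
    return {p.txid: sorted(victims_by_address.get(p.address, ()))
            for p in payments}


def unattributable(attribution):
    """txids whose candidate set is not exactly one victim."""
    return sorted(t for t, c in attribution.items() if len(c) != 1)


# Constructed sample data: a unique address per victim ...
PER_VICTIM_ROSTER = [
    ("victim-A", "addr-A"),
    ("victim-B", "addr-B"),
    ("victim-C", "addr-C"),
]
PAYMENTS_PER_VICTIM = [
    Payment("tx1", "addr-B", 0.2),
    Payment("tx2", "addr-C", 0.2),
]

# ... versus a few addresses shared by every victim (the WannaCry pattern).
SHARED_ROSTER = [
    ("victim-A", "addr-shared-1"),
    ("victim-B", "addr-shared-1"),
    ("victim-C", "addr-shared-2"),
    ("victim-D", "addr-shared-2"),
]
PAYMENTS_SHARED = [
    Payment("tx3", "addr-shared-1", 0.2),
    Payment("tx4", "addr-shared-2", 0.2),
    Payment("tx5", "addr-unknown", 0.2),   # not in any ransom note we saw
]


def demo_per_victim():
    return attribute(PAYMENTS_PER_VICTIM, index_roster(PER_VICTIM_ROSTER))


def demo_shared():
    return attribute(PAYMENTS_SHARED, index_roster(SHARED_ROSTER))


if __name__ == "__main__":
    for name, demo in (("per-victim", demo_per_victim), ("shared", demo_shared)):
        result = demo()
        print(name, result, "ambiguous:", unattributable(result))
```

The same roster-indexing step is what an incident responder does when collecting ransom notes across an estate: if every note shows one of the same few addresses, the payment channel carries no victim identity, which is the thread's reason for expecting no keys to be delivered.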