WannaCryptor: Are governments and financial regulators to blame?

On Friday 12th May the world paused and drew breath as cybercriminals launched WannaCryptor (popularly known as WannaCry), a ransomware attack that dominated news and conversations around the globe. Companies shut down technology that they rely on to trade, to treat patients and to communicate with customers. The results for many of the affected companies and their customers were devastating.

Security experts everywhere were called into action to combat the ransomware that was unleashed as companies and organizations attempted to return to normal trading and practice. The vulnerability used as an entry point to infect machines was in Microsoft Windows. The National Security Agency apparently knew about it; then someone leaked the details and the cybercriminal took advantage of the situation.


We may never know what motivated the cybercriminal to unleash WannaCryptor, but we do know that there was financial gain. The ransomware encrypted files and offered to decrypt them for $300, payable in bitcoin.

I am sure many of you, like me, have watched crime dramas where the law enforcement dudes say ‘follow the money’ as the method to find the real criminal behind a crime. Can you follow the money flow for WannaCryptor? Apparently not.

If you’ve attempted to open a bank account or applied for a credit card then you know the financial services industry has strict regulations requiring the identification of the person opening the account. The regulations extend to businesses and staff opening accounts or applying for a credit card terminal; the people responsible go through a process of being identified so they can be held responsible. The regulations are there to combat fraud and money laundering — in other words, to stop crime in the financial system.

Why does the criminal behind WannaCryptor only accept payment with bitcoin?

Bitcoin’s message on their website states that “bitcoin is open-source; its design is public, nobody owns or controls bitcoin and everyone can take part” and goes on to state: “Bitcoin allows exciting uses that could not be covered by any previous payment system.”

The concept of a virtual currency is potentially a good one: exchange rate free and accepted globally — there would seem to be benefits for businesses and consumers. How do I join the bitcoin community and reap the benefits of this virtual currency? To start with, I need a wallet to hold my virtual cash.

There are several wallet vendors, just as in the physical world, with some offering additional privacy by rotating addresses and others offering services that remove the need to validate payments.

Once I’ve selected my wallet I can generate an address, a virtual location to receive funds; the recommendation is a different address for every transaction to enhance my privacy. The messages of rotating addresses and using a new address for every transaction start to give me the confidence that I am going to be able to remain hidden, private and anonymous.

Ok, my wallet is full, how do I get the money?

My wallet, which is an account, is bursting at the seams and I want to withdraw my funds. There are two methods: register with an exchange, or in person. Registering with an exchange will require positive identification, uploading utility bills and stuff that we are used to doing at normal banks. Alternatively, you can trade directly with another person, meet them, exchange a QR code for cash and walk away.

The ‘in person’ method of cashing out means another unidentified person now holds the virtual money in his wallet and I remain completely anonymous. Needing to move the funds on may not be essential though — holding on to them as an investment or anonymously trading for services could be alternatives.

Bitcoin is often regarded as an anonymous currency because it is possible to send and receive bitcoins without giving any personal identifying information. True anonymity may be impossible, as the cashing out process could require a physical meeting, but it is probably reasonable to say it’s pseudonymous.

Financial institutions around the world have sophisticated systems to detect money laundering, such as large sums moving from account to account. If you have ever sold a property and had the funds deposited in an account, you may have had to go through the experience of explaining where the funds came from.

In the virtual currency world there seem to be no – or very limited – requirements to track the flow of money, making it an ideal solution for criminals, fraudsters and terrorists to use for storing and moving their funds. A secret currency.


As with all new innovative technology, it takes time for regulators and governments to catch up. Now would seem an opportune moment, though, for the same requirements imposed on financial organizations to be migrated to the new world of virtual currency, making “follow the money” a reality again. Taking action now by cutting off the ability to have an anonymously traded currency could stop the next major cyberattack.

For more on the WannaCryptor, aka WannaCry, ransomware attack, check out our other blog posts!

by Tony Anscombe, ESET We Live Security

