From Kill Switch To Bitcoin, 'WannaCry' Showing Signs Of Amateur Flaws

A screenshot of the warning screen from a purported ransomware attack on a laptop in Beijing.
Mark Schiefelbein

Cops have a decent shot at catching run-of-the-mill online scammers — say, the guy selling a car that's just too good to be true on Craigslist. But catching ransomware attackers is generally much more difficult — unless they slip up.

The criminals behind the "WannaCry" ransomware attack may have done just that. Experts are now seeing some amateur flaws emerging, including an easy-to-find kill switch and the unsophisticated way the attackers are demanding bitcoin from their victims.

Ransomware "tends to be a crime that is born on the Internet, born through kits sold on the dark web that already pre-build in anonymity of the perpetrators," said police detective Nick Selby, who specializes in cybercrime.

Those "kits" Selby describes are what experts think they're seeing with WannaCry. Somebody's using software tools created by somebody else.

"The ransomware itself, we have seen that before in the wild and it's not that sophisticated," said Paul Burbage, malware researcher for Flashpoint-Intel.

He says the most obvious tip-off is the fact that the malware contained an easy-to-find "kill switch" — basically, a URL address included in the code, which was used to stop the malware's spread.

"The kill switch allowed people to prevent the infection chain fairly quickly," Burbage explained. "It was kind of a noob mistake, if you ask me."

And WannaCry has other deficiencies. Sophisticated ransomware usually has an automated way to accept payments from victims who want to unlock their computers. But Burbage says WannaCry's system seems to be manual — the scammers have to send each victim a code. Not very practical for an infection involving thousands and thousands of computers.

"It leads me to think they did not think it would spread as far as it is," he said. "You know I really think these guys are running scared and they're probably laying low at this point."

And then there's this: So far, the scammers have collected payments from fewer than 200 victims. We know this, because they're demanding bitcoin — and bitcoin transactions are public. We don't know the scammers' names, but we know the bitcoin addresses they're using to receive payment — just three addresses. Again, more sophisticated ransomware would have the ability to generate a unique bitcoin address for each victim.

So far, the attackers have collected about $60,000 worth of bitcoins, which are just sitting there untouched, according to Jonathan Levin, co-founder of Chainalysis, a company that analyzes bitcoin usage to identify money laundering. He's been watching the bitcoins accumulating at WannaCry's three addresses.

"It might be that they don't have a good idea yet about how to launder the bitcoin," he said. "Perhaps they're not really set up to take advantage of the success of their campaign so far."

Levin says one way to turn dirty bitcoin into real-world money is to do the conversion in a jurisdiction where financial authorities will turn a blind eye. So scammers sometimes have safe zones — usually their home country — where their malware doesn't do any damage. He gives the example of a very successful ransomware called "Locky," which favors Russia.

"So if it detects Russian language on the machine, it actually does not execute and deletes itself," he said.

WannaCry, in contrast, doesn't seem to be playing geographic favorites that way. Two cybersecurity firms now say they've found some technical similarities between the WannaCry ransomware and earlier attacks from hackers in North Korea, though they're not calling the clues proof that North Korea is behind the worldwide attacks. Burbage says his company, Flashpoint-Intel, does not see a link between WannaCry and North Korea at this point.

Levin says if the perpetrators actually live in one of the countries hit hard by this attack — say, Russia — that would be, as he puts it, "an incredibly bad life choice."

Copyright 2021 NPR.

Martin Kaste is a correspondent on NPR's National Desk. He covers law enforcement and privacy. He has been focused on police and use of force since before the 2014 protests in Ferguson, and that coverage led to the creation of NPR's Criminal Justice Collaborative.