By Paul Mozur and Mark Scott
With the clock ticking on whether a global
hacking attack would wipe out his data, Bolton Jiang had no intention of paying
a 21st-century ransom.
Since a week ago, when the malware first
struck, Mr. Jiang has been busily fixing and replacing computers at the
electronics company where he works in Shanghai. Paying is a bother, he said,
and there was no guarantee he would get his data back.
“Even if you do pay, you won’t necessarily be
able to open the files that are hit,” he said. “There is no solution to it.”
Tens of thousands of computer users around
the world faced the same dilemma on Friday, their last chance to pay the
anonymous hackers behind the ransomware attack known as WannaCry. The malicious
software exposed the widespread vulnerability of computers and offered a peek
at how a new type of crime could be committed on a global scale.
As part of the hacking, attackers demanded
that individuals pay a fee to regain control of their machines, or face losing
their data.
The latest strain of ransomware was
particularly virulent, experts warned, because it had been based on software
stolen from the National Security Agency. Law enforcement agencies in the
United States and elsewhere have been hunting for the culprits, with attention
focused on hackers linked to North Korea.
Despite a week of widespread disruption, the
total ransom paid so far looks relatively modest. An online tracking system
showed that the amount sent in the electronic currency Bitcoin to accounts
listed by the attackers had begun to plateau on Wednesday, and had reached
about $90,000 on Friday afternoon in Europe. Early estimates of what the virus
could ultimately earn had ranged into the tens of millions or even hundreds of
millions of dollars. Victims have seven days to pay from when their computers
were originally infected, so the deadline will vary from case to case.
A number of people and companies have struck
a defiant tone. The Japanese conglomerate Hitachi, which had been identified in
the news media as a victim, declined to confirm those reports on Friday but
said that it had no intention of paying a ransom and that it aimed to be fully
secure against future attacks by Monday.
Nissan Motor, another Japanese industrial
giant, also said it would not pay a ransom. Its factory in Sunderland, England,
was affected, but the company said it had not lost data.
Owners of the more than 200,000 computers
across the globe that have been hit by the malware face similar decisions.
Those affected, including hospitals, government offices and universities, have
lost access to business information, term papers and even medical records that
could involve matters of life or death.
In Britain, whose National Health Service was
one of the largest organizations affected by the ransomware, some medical
institutions were still struggling to get back on their feet.
Barts Health, one of the country’s largest
hospital groups, said that it had been forced to cancel 20 percent of
outpatient appointments, as well as to cut back on nonemergency surgeries.
Yet cybersecurity experts have generally
advised those affected not to pay.
“It costs the perpetrators peanuts to carry
out an attack like this,” said Rafael Sanchez, an international breach response
manager at Beazley, an insurer in London that has handled thousands of
ransomware attacks for corporate clients. “And any ransom will only likely lead
to more attacks,” he added.
While some who had paid regained access to
their files, according to the Finnish cybersecurity firm F-Secure, security
analysts cautioned that there was no guarantee all WannaCry victims would.
Because the attackers listed only three addresses as payment destinations, it
would be difficult for them to determine which victims had paid, and therefore
whose files to decrypt.
“It looks like the attackers had no intent in
decrypting anything,” said Tom Robinson, co-founder of Elliptic, a company in
London that tracks online financial transactions involving virtual currencies
and helps organizations respond to digital attacks.
As victims faced an agonizing choice on
Friday over whether to pay or risk losing their data, cybersecurity experts
said that they had developed a potential way to decrypt individual machines
without having to hand over the ransom. The technique, however, depended on how
long infected computers had been hijacked by the online attackers, and required
a high level of technical expertise.
According to law enforcement agencies, paying
could leave victims vulnerable to being targeted again, and it also presents a
challenge for people affected who have never used Bitcoin before.
Many are not familiar with the electronic
currency, which does not answer to any of the world’s central banks. National
governments and institutions also have rules about not paying ransoms.
In Berhampur, a city of about 380,000 on
India’s eastern coast, two computers at the Berhampur City Hospital were hit by
the WannaCry malware. Dr. Saroj Mishra, assistant health officer for the
surrounding district of Ganjam, said that most of the data had been recovered —
and that health officials had no intention of paying the hackers.
“We don’t have the permission to pay the
hackers,” Dr. Mishra said. He added, “there is no question of compromising. It
is a matter of investigation.”
In other cases, those affected simply cannot
afford to pay.
In China, where pirated software is believed
to have contributed to the ransomware spreading, about 4,000 of the 40,000
institutions affected are educational establishments. On Chinese social media,
many students reported being locked out of final term papers.
“The hacker asked for $300 to $600,” said Zhu
Huanjie, a college student in Hangzhou. “Average students can’t afford that.”
Mikko Hypponen, chief risk officer at
F-Secure, said the overall amount of ransom that had been paid remained
relatively low because large organizations — often with detailed data retrieval
plans — had been the main victims of the attack.
Such preparations, he added, meant that while
the daily activities of big organizations had been severely hamstrung in recent
days, most had already replaced the affected data.
“When you’re a company with thousands of
machines, you’ll already have backup policies in place,” Mr. Hypponen said.
Some attacks could also come from so-called
copycats, muddying attempts to catch those behind the initial cyberattack.
Xu Hengyu, the information technology manager
of Renxing Pictures, a Shanghai entertainment company, said the firm had
intended to send more than $720 to hackers threatening to delete two months’
worth of data. But when Mr. Xu tried to negotiate the price down, he said the
hackers responded in Chinese and told him he could wire the money to a Chinese
bank account in local currency rather than in Bitcoin. Mr. Xu said he was
unsure whether the hackers were the same as those behind the WannaCry attack.
“We thought about reporting to the police,
but we haven’t so far,” he said. “We thought if this problem could be solved by
the direct payment, we’d rather stay that way and not go to the police, as the
police must already have many cases.”
He added, “We still prioritize data recovery
over everything else.”
Paul Mozur reported from Hong Kong, and Mark
Scott from Rome. Nida Najar contributed reporting from New Delhi, and Jonathan
Soble from Tokyo. Carolyn Zhang contributed research from Shanghai, and Cao Li
from Beijing.