By Michael Kan
May 16, 2017
Last Friday's massive WannaCry ransomware attack means victims around the world are facing a tough question: Should they pay the ransom?
Those who do shouldn't expect a quick response -- or any response at all. Even after payment, the ransomware doesn't automatically release your computer and decrypt your files, according to security researchers.
Instead, victims have to wait and hope WannaCry's operators will remotely unlock the hostage computer over the internet. The process is entirely manual and has a serious flaw: the attackers have no reliable way to tell which victims have actually paid.
"The odds of getting back their files decrypted are very small," said Vikram Thakur, technical director at security firm Symantec. "It's better for [the victims] to save their money and rebuild the affected computers."
The WannaCry ransomware, also known as WanaDecryptor, broke out last Friday, infecting vulnerable Windows systems like a computer worm. More than 300,000 machines in 150 countries have been hit so far, U.S. homeland security advisor Tom Bossert said in a press briefing on Monday.
The infection encrypts the user's files on the PC and then displays a ransom note demanding US$300 in bitcoin, an amount the note says doubles to $600 if payment is not made within three days. Victims who don't pay are told their files will be erased after seven days.
Owners of these machines may be tempted to pay the ransom, but they shouldn't count on getting their files back, said Matthew Hickey, director of security provider Hacker House.
The culprits can only restore a victim's system by manually sending the decryption key to each affected computer, a time-consuming process, he said.
"You're really at the mercy of the human operator. Someone at the other end of the connection," Hickey said.
The other problem is that WannaCry has no mechanism to determine who paid what and which computer should be released.
Victims are merely told to send payment to one of three bitcoin wallets and then wait for a decryption key, said Maya Horowitz, threat intelligence group manager at security firm Check Point.
But unlike most ransomware, WannaCry has no mechanism to tie a particular ransom payment to a particular infected computer, Horowitz said. Instead, users are left with a button on the displayed ransom note that says "check payment."
"It'll pop up an error message that says, 'We didn't get your payment. The best time to try again is Monday to Friday 9 am to 11 am,'" Horowitz said.
Both Hickey and Horowitz said they haven't heard of any cases where victims successfully freed their computers by paying the ransom.
However, Mikko Hypponen, chief research officer at security vendor F-Secure, tweeted on Monday that some victims who paid did get their files back. So far, F-Secure hasn't provided more details.