Bitcoin’s murkier rivals line up to displace it as cybercriminals’ favourite

FILE PHOTO: A Bitcoin (virtual currency) paper wallet with QR codes and a coin are seen in an illustration picture taken in Paris, France May 27, 2015. REUTERS/Benoit Tessier/File Photo

By Jemima Kelly

LONDON (Reuters) – Bitcoin is well-entrenched as the preferred payment for cybercriminals like the WannaCry hackers who have hit more than 300,000 computers over the past week, but cryptocurrencies offering more anonymity are threatening to displace it.

A key reason for bitcoin’s dominance in the nefarious online underworld, say technologists and cybercrime experts, is its size – the total value of all bitcoins in circulation is more than twice that of the nearest of hundreds of rivals.

That makes it easy for victims to access enough to pay the ransoms demanded, and for hackers to cash out of it via online exchanges to spend money in the real world.

Bitcoin was set up in 2008 by someone – or some group – calling themselves Satoshi Nakamoto, and was the first digital currency to successfully use cryptography to keep transactions secure and hidden, making traditional financial regulation difficult if not impossible.

Money is sent from one anonymous online “wallet” to another with no need for a third party to validate or clear the transactions.

In the WannaCry attack, the addresses of three anonymous bitcoin wallets were given to victims, with a demand for ransom payments from $300 worth of bitcoin, with a promise the affected machines would be decrypted in return, a promise that no evidence has shown will be kept.

But since the way that Bitcoin functions is via the blockchain – a giant, virtually tamper-proof, shared ledger of all bitcoin transactions ever made – payments can be traced, if users do not have the sophistication to take further steps to cloak themselves using digital anonymity tools.

“In the initial days of bitcoin, people…didn’t realise they were recording for posterity on the blockchain every financial transaction that ever took place,” said Emin Gun Sirer, a computer science professor at Cornell University.

Bitcoin addresses are anonymous, but users can be traced through IP addresses or by analysing money flows.

If criminals using bitcoin want to stay truly anonymous, Gun Sirer said, they have to go through a number of additional, complex steps to make sure they do not get caught.

It is not yet clear what level of sophistication the WannaCry hackers have when it comes to laundering their cryptocurrency, as none of the money has yet been moved out of the three bitcoin wallets linked to the ransomware, which have had over $80,000 worth of bitcoin paid into them so far. [http://tmsnrt.rs/2rqaLyz]

But some have suggested that the fact that the WannaCry hackers demanded bitcoin shows how amateur they are.

“If it was me, I would want people to use bitcoin all day, because you can trace it,” said Luke Wilson, vice president for law enforcement at Elliptic, a London-based security firm that tracks illicit bitcoin transactions and that counts the U.S. Federal Bureau for Investigations (FBI) among its clients.

Wilson, who used to work at the FBI, where he set up a taskforce to investigate the use of virtual currencies, did not disclose all the ways that Elliptic and law enforcement agencies find criminals using bitcoin. But sometimes, he said, the offenders make as obvious a mistake as withdrawing money from a bitcoin wallet directly into their bank accounts.

CAT-AND-MOUSE GAME

More sophisticated criminals use obfuscation methods that make it very hard to be tracked down. One of the most basic ones is a technique known as “chain-hopping”, whereby money is moved from one cryptocurrency into another, across digital currency exchanges – the less-regulated the better – to create a money trail that is almost impossible to track.

Newer and more complex money-laundering methods have also emerged in recent years, which make it very difficult for law enforcement and bitcoin security firms such as Elliptic or New-York-based Chainalysis to track down cybercriminals.

“It’s a cat-and-mouse game – as police and companies like Elliptic catch up to criminals’ techniques, they invent new techniques,” said Jerry Brito, executive director of the Washington, D.C.-based Coin Center, a not-for-profit advocacy group focusing on public policy issues around cryptocurrency.

These techniques are not foolproof, however – chain-hopping, for example, relies on unregulated exchanges that do not carry out know-your-customer (KYC) checks, and security firms say they will develop ways to trace such methods.

MONERO HACK

Easier, perhaps, would be for cybercriminals to use next-generation cryptocurrencies that have built-in anonymity from the start, such as Monero, Dash and Z-Cash.

And indeed, experts said late on Tuesday that a computer virus that exploits the same vulnerability as the WannaCry attack had latched on to more than 200,000 computers and begun using them to manufacture – or “mine” – Monero currency.

But with a total value of around $425 million – a little over 1 percent of that of bitcoin – converting that currency into spendable cash might not be so easy, and it is also much harder for victims to access, alternative payments experts said.

That is why the Monero attack did not demand a ransom, but rather used the infected computers’ computing power to create new currency.

“This used to happen in bitcoin before it became big – there were loads of botnets that went into computers that used to mine bitcoin, but you now can’t basically mine bitcoin on normal computers because you need specialist hardware,” said Chainalysis CEO Jonathan Levin.

Levin said such bitcoin-based attacks were carried out several years ago, when mining it was still largely a hobby for tech geeks using their home computers.

As the bitcoin price has risen and as transaction numbers have grown, the computers have become so specialized that only they can only perform the function of bitcoin mining.

“If Monero does become adopted and is as big and liquid (as bitcoin), that means the crime (will) move from using computers to mine to getting to extortion,” Levin said.

Hackers mint crypto-currency with technique in global ‘ransomware’ attack

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) – A computer virus that exploits the same vulnerability as the global “ransomware” attack has latched on to more than 200,000 computers and begun manufacturing digital currency, experts said Tuesday.

The development adds to the dangers exposed by the WannaCry ransomware and provides another piece of evidence that a North Korea-linked hacking group may be behind the attacks.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the U.S. National Security Agency, has infected more than 300,000 computers since Friday, locking up their data and demanding a ransom payment to release it.

Researchers at security firm Proofpoint said the related attack, which installs a currency “miner” that generates digital cash, began infecting machines in late April or early May but had not been previously discovered because it allows computers to operate while creating the digital cash in the background.

Proofpoint executive Ryan Kalember said the authors may have earned more than $1 million, far more than has been generated by the WannaCry attack.

Like WannaCry, the program attacks via a flaw in Microsoft Corp’s <MSFT.O> Windows software. That hole has been patched in newer versions of Windows, though not all companies and individuals have installed the patches.

Digital currencies based on a technology known as blockchain operate by enabling the creation of new currency in exchange for solving complex math problems. Digital “miners” run specially configured computers to solve the problems and generate currency, whose value ultimate fluctuates according to market demand.

Bitcoin is by far the largest such currency, but the new mining program is not aimed at Bitcoin. Rather it targeted a newer digital currency, called Monero, that experts say has been pursued recently by North Korean-linked hackers.

North Korea has attracted attention in the WannaCry case for a number of reasons, including the fact that early versions of the WannaCry code used some programming lines that had previously been spotted in attacks by Lazarus Group, a hacking group associated with North Korea.

Security researchers and U.S. intelligence officials have cautioned that such evidence is not conclusive, and the investigation is in its early stages.

In early April, security firm Kaspersky Lab said that a wing of Lazarus devoted to financial gain had installed software to mine Monero on a server in Europe.

A new campaign to mine the same currency, using the same Windows weakness as WannaCry, could be coincidence, or it could suggest that North Korea was responsible for both the ransomware and the currency mining.

Kalember said he believes the similarities in the European case, WannaCry and the miner were “more than coincidence.”

“It’s a really strong overlap,” he said. “It’s not like you see Monero miners all over the world.”

The North Korean mission to the United Nations could not be reached for comment, while the FBI declined to comment.

(Fixes spelling of digital currency in paragraphs 11 and 14 to Monero not Moreno.)

(Reporting by Joseph Menn; Editing by Jonathan Weber and Cynthia Osterman)

Cyber attack eases, hacking group threatens to sell code

Hardwares used for Cybersecurity are displayed at the desk of Security Platform during the TechCrunch Disrupt event in Manhattan, in New York City, NY, U.S. May 15, 2017. REUTERS/Eduardo Munoz

By Dustin Volz

WASHINGTON (Reuters) – Governments turned their attention to a possible new wave of cyber threats on Tuesday after the group that leaked U.S. hacking tools used to launch the global WannaCry “ransomware” attack warned it would release more malicious code.

The fast-spreading cyber extortion campaign, which has infected more than 300,000 computers worldwide since Friday, eased for second day on Tuesday, but the identity and motive of its creators remain unknown.

The attack includes elements that belong to the U.S. National Security Agency and were leaked online last month.

Shadow Brokers, the group that has taken credit for that leak, threatened on Tuesday to release more recent code to enable hackers to break into the world’s most widely used computers, software and phones.

A blog post written by the group promised from June to release tools every month to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs. “More details in June,” it promised.

The spread of the WannaCry attack – which encrypts a user’s data and demands a “ransom” be paid electronically to free it up again – slowed to a trickle on Tuesday, with few, isolated examples being reported.

In Canada, the Universite de Montreal was hit, with 120 of the French-language university’s 8,300 computers affected, according to a university spokeswoman.

There were no new, major incidents in the United States. Fewer than 10 U.S. organizations have reported attacks to the Department of Homeland Security since Friday, a U.S. official told reporters on Tuesday.

The attack has caused most damage in Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The United States likely avoided greater harm as the attack targeted older versions of Microsoft Corp’s <MSFT.O> Windows operating system, and more U.S. users have licensed, up-to-date, patched versions of the software, compared to other regions of the world.

The Department of Homeland Security began an “aggressive awareness campaign” to alert the tech industry to the importance of installing the patch that Microsoft issued in March that protected users from the vulnerability exploited by the attack, a U.S. official working on the attack told Reuters.

Microsoft said on Tuesday it was aware of Shadow Brokers’ most recent claim and that its security teams monitor potential threats in order to “help us prioritize and take appropriate action.”

Microsoft President and Chief Legal Officer Brad Smith said earlier this week the WannaCry attack used elements stolen from the NSA. The U.S. government has not commented directly on the matter.

NORTH KOREA LINK PROBED

Cyber security researchers around the world have said they have found evidence that could link North Korea with the WannaCry cyber attack.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

NO INFORMATION TO SHARE

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cyber security firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected, but one of the country’s leading anti virus companies, Bkav, later put the figure at 1,900.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

(Additional reporting by Eric Auchard in Frankfurt, Julia Edwards Ainsley in Washington, Jim Finkle in Toronto, Allison Lampert in Montreal, Jess Macy Yu in Taipei, My Pham and Mai Nguyen in Hanoi, Ju-min Park in Seoul, Michael Martina in Beijing and Liz Lee in Kuala Lumpur,; Writing by Jeremy Wagstaff in Singapore and Bill Rigby in New York; Editing by Sam Holmes)

Chinese state media says U.S. should take some blame for cyber attack

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

BEIJING (Reuters) – Chinese state media on Wednesday criticized the United States for hindering efforts to stop global cyber threats in the wake of the WannaCry “ransomware” attack that has infected more than 300,000 computers worldwide in recent days.

The U.S. National Security Agency (NSA) should shoulder some blame for the attack, which targets vulnerabilities in Microsoft Corp <MSFT.O> systems and has infected some 30,000 Chinese organizations as of Saturday, the China Daily said.

“Concerted efforts to tackle cyber crimes have been hindered by the actions of the United States,” it said, adding that Washington had “no credible evidence” to support bans on Chinese tech firms in the United States following the attack.

The malware attack, which began on Friday and has been linked by some researchers to previous hits by a North Korean-run hacking operation, leveraged a tool built by the NSA that leaked online in April, Microsoft says.

It comes as China prepares to enforce a wide-reaching cyber security law that U.S. business groups say will threaten the operations of foreign firms in China with strict local data storage laws and stringent surveillance requirements.

China’s cyber authorities have repeatedly pushed for what they call a more “equitable” balance in global cyber governance, criticizing U.S. dominance.

The China Daily pointed to the U.S. ban on Chinese telecommunication provider Huawei Technologies Co Ltd [HWT.UL], saying the curbs were hypocritical given the NSA leak.

Beijing has previously said the proliferation of fake news on U.S. social media sites, which are largely banned in China, is a reason to tighten global cyber governance.

The newspaper said that the role of the U.S. security apparatus in the attack should “instill greater urgency” in China’s mission to replace foreign technology with its own.

The state-run People’s Daily compared the cyber attack to the terrorist hacking depicted in the U.S. film “Die Hard 4”, warning that China’s role in global trade and internet connectivity opened it to increased risks from overseas.

The fast-spreading cyber extortion campaign eased for second day on Tuesday, but the identity and motive of its creators remain unknown.

(Reporting by Cate Cadell; Editing by Nick Macfie)

Jim Bakker: The Lord Told Me President Trump’s Life Is in Danger – Charisma

During the same podcast interview with Charisma Media founder Steve Strang in which he discussed the WannaCry ransomware attack is an end-times event, Jim Bakker shared that he sometimes feels alone in his calls to pray for President Donald Trump.

But another word he received from the Lord has added to his urgency.

“There is going to be an attempt on our president’s life very soon,” he said. “We need to pray for the protection of our president.”

Bakker said the president’s election last November was a miracle, and “the adversary is so angry because they expected to win.” They’re not going to give up until they destroy him, he added.

Read more: Jim Bakker: The Lord Told Me President Trump’s Life Is in Danger – Charisma

Banks reinforce cyber defenses after global attack

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. REUTERS/Dylan Martinez

By John O’Donnell and Alexander Winning

FRANKFURT/MOSCOW (Reuters) – Banks have tightened their security systems and increased their surveillance after the global cyber assault on individuals and organizations worldwide.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the “ransomware” attack launched on Friday has infected tens of thousands of computers in 104 countries, putting the financial industry on high alert.

It halted the production lines of a European carmaker and delayed surgical operations in Britain’s National Health Service.

Many suspected infections were of Russian computers. Russia’s central bank said it had recorded harmful software being sent en masse to Russian banks but that the attacks had been unsuccessful.

Sberbank, the country’s biggest lender, said viruses had not got into its systems. The bank said it was nonetheless “on high alert”.

Russia is more vulnerable to attack because organizations there often use outdated technology as an economic slowdown squeezes spending.

Many banks in Europe said they had stepped up efforts to prevent attackers getting through.

One person helping coordinate banks’ response said they were setting up back-up systems for data and introducing security upgrades.

“The banks’ greatest fear is copycat attacks,” said Keith Gross, who chairs the European Banking Federation’s cybersecurity working group. “So they are updating like a wild thing.”

ON GUARD

Germany’s savings banks, the largest and most powerful financial group in the country, received reminders from the group’s information technology company to install updates.

One large British bank said they had drafted people in to work over the weekend, having been subject to a similar attack earlier this year.

A European investment bank said it was accelerating the process of “patching” software following the incident.

Spanish banks La Caixa, Bankinter and Sabadell said they had all taken measures.

“We weren’t attacked but we took preventative measures about the cyber-attack over the whole weekend. There is an emergency committee that is reporting constantly and we have conference calls every eight hours. We can’t drop our guard”, said a Sabadell spokesman.

Banks generally have more robust cyber defenses than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements.

But aging technology and banks’ attractiveness to hackers means they are often targets.

Last year 2.5 million pounds ($3.23 million) was taken from small British lender Tesco Bank. The identity of the culprits remains unknown.

Other UK banks including HSBC and Royal Bank of Scotland have suffered cyber attacks in the past two years that have brought their online services down.

A survey of cyber security and risk experts released last Friday by insurer AIG found the financial services industry had been identified as the most likely to experience a systemic attack.

In the United Kingdom on Monday, the government’s National Cyber Security Centre said it was distributing advice to raise awareness of the threat, including to the financial industry.

Across the globe, regulators took similar steps.

The Hong Kong Securities and Futures Commission issued a circular warning groups to be on alert and take action such as security updates and offline backups.

It instructed firms to “take immediate actions to critically review and assess the effectiveness of their cybersecurity controls”.

India’s IndusInd Bank said on Monday the attack had affected a few systems, but those had been quarantined over the weekend and it had moved quickly to patch its systems.

For the most part, however, banks remained insulated from the cyber attack.

“In the NHS, the technology they are using it out of date,” said Paul Edon of cyber security group Tripwire. “Banks have six to eight levels of defense.”

(Additional reporting by Andres Gonzales, Euan Rocha in Mumbai and Michelle Price in Hong Kong; Writing by John O’Donnell; Editing by Andrew Roche)

Researchers say global cyber attack similar to North Korean hacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Ju-min Park and Dustin Volz

SEOUL/WASHINGTON (Reuters) – Cybersecurity researchers have found evidence they say could link North Korea with the WannaCry cyber attack that has infected more than 300,000 computers worldwide, as global authorities scrambled to prevent hackers from spreading new versions of the virus.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cybersecurity firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

EXPERTS URGE CAUTION

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

An official at South Korea’s Korea Internet & Security Agency said on Tuesday the agency was sharing information with intelligence officials on recent cases reported for damages but was not in position to investigate the source of the attack.

The official declined to comment on intelligence-related matters.

A South Korean police official that handles investigations into hacking and cyber breaches said he was aware of reports on the North Korean link, but said police were not investigating yet.

Victims haven’t requested investigations but they want their systems to be restored, the official said.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August.

In one case, alleged hackers from North Korea demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall, Choi added.

The North Korean mission to the United Nations was not immediately available for comment on Monday.

While the attacks have raised concerns for cyber authorities and end-users worldwide, they have helped cybersecurity stocks as investors bet governments and corporations will spend more to upgrade their defenses.

Cisco Systems <CSCO.O> closed up 2.3 percent on Monday and was the second-biggest gainer in the Dow Jones Industrial Average.

(Additional reporting by Jess Macy Yu in Taipei, My Pham in Hanoi, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore; Editing by Sam Holmes, Michael Perry and Mike Collett-White)

Oddities in WannaCry ransomware puzzle cybersecurity researchers

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. REUTERS/Dylan Martinez

By Jeremy Wagstaff

SINGAPORE (Reuters) – The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it.

Some researchers have found evidence they say could link North Korea with the attack, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.

For one thing, said IBM Security’s Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files – that download the ransomware.

That’s how most ransomware finds its way onto victims’ computers.

The problem in the WannaCry case is that despite digging through the company’s database of more than 1 billion e-mails dating back to March 1, Barlow’s team could find none linked to the attack.

“Once one victim inside a network is infected it propagates,” Boston-based Barlow said in a phone interview, describing a vulnerability in Microsoft Windows that allows the worm to move from one computer to another.

The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online.

But the puzzle is how the first person in each network was infected with the worm. “It’s statistically very unusual that we’d scan and find no indicators,” Barlow said.

Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin of RSA Security, a part of Dell.

Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. “How the hell did this get on there, and could this be repeatedly used again?” said Barlow.

PALTRY RANSOM

Some cybersecurity companies, however, say they’ve found a few samples of the phishing e-mails. FireEye said it was aware customers had used its reports to successfully identify some associated with the attack.

But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without their help.

There are other surprises, that suggest this is not an ordinary ransomware attack.

Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency.

There were only three bitcoin wallets and the campaign has far earned only $50,000 or so, despite the widespread infections. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.

Jonathan Levin of Chainalysis, which monitors bitcoin payments, said there were other differences compared to most ransomware campaigns: for instance the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages.

And so far, Levin said, the bitcoin that had been paid into the attackers’ wallets remained there – compared to another campaign, known as Locky, which made $15 million while regularly emptying the bitcoin wallets.

“They really aren’t set up well to handle their bitcoin payments,” Levin said.

The lack of sophistication may bolster those cybersecurity researchers who say they have found evidence that could link North Korea to the attack.

A senior researcher from South Korea’s Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.

Choi, who has done extensive research into North Korea’s hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

The Lazarus hackers have however been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

Whoever is found to be behind the attack, said Marin Ivezic, a cybersecurity partner at PwC in Hong Kong, the way the hackers used freely available tools so effectively may be what makes this campaign more worrying.

By bundling a tool farmed from the leaked NSA files with their own ransomware, “they achieved better distribution than anything they could have achieved in a traditional way” he said.

“EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals,” Ivezic said.

(Additional reporting Ju-Min Park in Seoul, Editing by Raju Gopalakrishnan)