A security expert believes the authors of WannaCry ransomware were primarily interested in Bitcoin insider trading. If this is true, then this type of misuse of encryption would prove to be much more egregious than simply stealing money or information. It could be used to achieve much larger gains by manipulating the value of cryptocurrency. And that’s only a hop, a skip and a jump from more serious market manipulations.
On 12 May, an updated version of WannaCry ransomware hit the National Health Service (NHS) of England, the telecommunications provider Telefonica, and numerous other companies. It didn't target these entities specifically but spread via a Windows vulnerability using attack code developed by the NSA and leaked by the Shadow Brokers hacker group. Within days, it had spread to over 150 countries and affected more than 200,000 organizations.
The week following the ransomware's global outbreak, reports emerged of bugs in WannaCry's decryption method. These flaws prevented victims from recovering their files even if they paid the attackers. Some feel the issues were inadvertent and resulted from the attackers' desire to leverage the NSA's exploit before anyone else could. Others suspect the actual decryption of victims' files, and therefore a sustainable ransomware business model, had nothing to do with the attackers' goals.
Joseph Carson, a digital security expert at password management software provider Thycotic, told Security Week that the attackers developed WannaCry not to collect ransom payments but to manipulate the value of Bitcoin. He believes the actors sought to increase the cryptocurrency's worth with a proportional growth in the number of Bitcoin owners. By demanding Bitcoin-based ransom payments from so many victim companies, Carson reasons, the attackers thought they could generate more transactions and thereby elevate the cryptocurrency's worth.
The notion that more users could increase the value of something like Bitcoin isn't new. Back in 1980, an electrical engineer named Robert Metcalfe formulated the basis of what came to be known as Metcalfe's Law. The theory asserts that the monetary value of a telecommunications network is proportional to the square of the number of users of that network.
Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, shared on Reddit how Bitcoin's value agrees with principles like Metcalfe's Law:
"The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R² = 0.82) between number of users and price. All these things are not understood by too many people, unfortunately. Also the price doesn't grow linearly with the number of users but instead with the power of 1.45 of the number of users. That is nice because for the price to increase 1000 times you need only 140 times the number of users of today."
If WannaCry's authors indeed sought to manipulate Bitcoin's value, their efforts proved successful. The cryptocurrency's value increased by 5.82 percent on 17 May. It then rose every day thereafter, peaking at $2,720, until 26 May when it fell by 5.33 percent due to what CryptoCompare called, "profit taking following several days of rally."
The developers of WannaCry are unlikely to reveal whether they used their ransomware purely for insider trading. But the thought that attackers would misuse malware with encryption capabilities to manipulate financial markets is no laughing matter. Neither is the idea that bad actors could abuse organizations' expired keys and certificates to deploy threats like WannaCry in the first place.
To counter the expanding flood of malware, organizations should take responsibility for their keys and certificates. This process ought to begin with an investment in a solution that allows them to monitor their keys and certificates for anomalous behavior.