4
Reports indicate that there are three default addresses to which victims of Wanna Cry are asked to send funds.
Assuming that Wanna Cry actually does decrypt once payment is verified, how can the software know that the specific computer is the one that should be decrypted in association with the victim's payment?
2
IIRC WannaCry requires you to contact the malware authors (via their built in chat system thing) and then tell them the address that you used to send the payment. Then they will manually decrypt your files for you. Otherwise there is no way for them to track who sent what payment. This of course is fraught with issues and is very unreliable. I have heard some people say that their files were decrypted even without paying, and others say that they have paid but their files were not decrypted.
Aha. This was in news reports? – Leif Segen – 2017-06-13T16:39:35.713
I believe so. At the very least, people have mentioned this on Reddit. I'll try to find a link. – Andrew Chow – 2017-06-13T16:45:32.130
Here's a link to a tweet by a malware researcher about the manual decryption thing: https://twitter.com/hackerfantastic/status/863833239475171329. Here's an (overly dramatized) story about someone who didn't pay but got their files decrypted: https://qz.com/985093/inside-the-digital-heist-that-terrorized-the-world-and-made-less-than-100k/
0
There are two ways that I can think of:
Ask for a signed message from the address of the sender of the Bitcoin.
After the payment is sent, ask them to sign a message with a unique ID to establish a connection between the payment and the computer.
Have everyone pay slightly different amounts of Bitcoin.
Aha. Second one seems more plausible as it's easier to expect a non Bitcoin user to get an amount right than to figure out signing. – Leif Segen – 2017-05-18T02:28:46.913
I'm more familiar with vanilla Stack Overflow - where it's more clear whether an answer solves a problem. If I'm not the expert, how do I judge marking something as correct? – Leif Segen – 2017-05-18T02:33:01.307
@LeifSegen My rule of thumb is that I mark as accepted if I know the answer is correct, or if it helps me. The above is just an informed guess. – Nick ODell – 2017-05-18T02:36:12.897
0
Here are the three addresses which the payments were sent to for Wanacry: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Judging by the differing amounts for nearly all of the payments, I thought it would be the amount which differentiates them, although there does seem to be some duplicate amounts, so I'm not entirely sure this is the case.
Just an opinion, but I don't think it really can. In order to do so a single payment address should be assigned to every victim, or a digital signature over a message using the private key that belongs to the same key pair as the public key used to derive the Bitcoin address from where the payment has been performed should be requested by the attacker. Long story short, it seems that the WannaCry was not that well developed, and no victim-payment match can be performed. – sr-gi – 2017-05-17T20:21:06.223