Learning from the ROI of WannaCry

A look at the numbers and why they need to matter for security

In the same way that the number of infected organizations continued to grow, the total payout on the WannaCry ransomware has increased since the widespread attack was first reported.

Somewhat. By comparison, the earnings seem meager when looking at the scope of impact. Overall, the low return on investment indicates that either the majority of those affected are getting security right, or they realize that they are up a creek without a paddle and a payout won't get them any closer to shore.

According to research from Udi Yavo, an Israel-based cyber researcher and co-founder of enSilo, the ROI is relatively low. As of late evening on May 12 UK time, we had only seen a total of 11 transactions totaling about $3.5K. 

By end of day May 15, those numbers had jumped to approximately $44,316. In only 24 hours, those numbers changed significantly, reaching an approximate total of $74,184 according to the bitcoin wallets being monitored.

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 - 6.9948511 -> 16.14156882 BTC
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn - 5.17934856 -> 10.83744744 BTC
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw - 9.24698597 -> 14.98062824 BTC

enSilo said there are three confirmed wallets, plus one more that appears to be related, but its balance did not change for several days and it contains only 3.25249956 BTC.

It's not wholly surprising that the payouts increased, Yavo said. "An uptick--no matter how small--in payouts was inevitable given the large pool of infected machines. Overall, it's a relatively small fraction of overall infected machines."  

Still, there are lots of questions that must be mulled over if security practitioners are to learn from this first globally reaching attack. Surely, there are more to come.

Yavo said, "The potential attack size was quite large and, at the end of the day, $74,184.65 is nothing to complain about, but the bigger question is this: How will the next strains of ransomware try to learn from this episode and adjust their tactics to try and scare up more money?"

Finding an answer to that bigger question will hopefully inform security programs to be better prepared so that enterprises aren't scared into paying the ransom.

If the number of payouts is so low, why does this attack matter so much? Yavo said, "I do not think the ransomware authors expected to create so much uncontrolled damage. If they did, then I assume that sabotage was the real target, versus payment."

Another possibility is that the global attention worked against the authors, as many experts immediately recommended that victims not pay. Yavo said, "While ransomware attacks use strong psychological plays around fear and extortion, no one wants their business or organization to just cave in."

There are thousands of businesses that, in fact, did not cave in. Given that there are an estimated 200,000+ organizations infected, this payout seems low. I am no math expert, but my calculations show that approximately 250 companies paid. That's a little more than 1 percent.

To me, those numbers suggest that a lot of companies are doing security right. Yavo said the reason for the mismatch of the malware's virulence and the ROI is simple.

"Many security technologies out there are not effective against attacks able to exploit gaps like the Microsoft SMB vulnerability," Yavo said. Unpatched systems remain a massive problem.

"Even organizations that patch more frequently still need to make sure they not only have strong data back-ups but also practice full restoration for affected systems as well. No user can rely on attack 'prevention' technologies, alone," Yavo said.

There are a couple of reasons why the ransom payouts appear low. First, said Yavo, with so much visibility, no one wants to bend to the attackers' demands. Second, it is being reported that even users who do pay are not able to recover their files.

The takeaway for those who chose to pay, said Yavo, is to be certain that they have more advanced security solutions for ransomware prevention. "It is always best to have robust backups, period. Backups are useful well beyond facing ransomware attacks," Yavo said.

Backups, though, are not a panacea. They can reduce damage by allowing a quicker return to production with fewer losses, but they don't make a company impervious to future attacks.
