No one knows who wrote the WannaCry ransomware. What we do know is it was weaponized using a leaked exploit from the National Security Agency (NSA). An exploit is a piece of software that can be used by an attacker to take advantage of a flaw or vulnerability to gain access to computer systems. Attacks such as these cost billions of dollars a year, not just in loss of business due to down time and the cost of fixing the vulnerabilities, but also in ransoms to attackers.
A group called the Shadow Brokers leaked the exploit that was weaponized in order to spread the WannaCry malware and claim to have a suite of hacked NSA exploits and hacking tools. They are attempting to cash in on them with what they are calling the “TheShadowBrokers Monthly Dump Service”, a monthly subscription whereby they will release exploits to whoever pays 100 ZCASH coins, a cryptocurrency that offers privacy and selective transparency of transactions. This translates roughly to $23,000, however could change due to fluctuations in the price of ZCASH.
It’s a new tactic by the group but not their first. They have tried to sell the exploits before; an auction announced in August 2016 was met with some scepticism, a second attempt was made using crowd funding which was also unsuccessful. Next they tried direct sales and finally in April 2017 they released several exploits free to the public
What is not clear is if they’ve tried to sell on the black market. A single weaponized exploit can be sold on the black market for as much a $90,000 according to recent reports. You can sell to more than one individual or organisation (though this can be risky), so the $23,000 price tag seems pretty low given the Shadow Brokers claim to have a suite - even if it’s paid monthly. Additionally the wider audience will ultimately dilute the value of the exploits
Why is this? Well, any exploit is only of value when it is released as vendors will patch the vulnerability once they know it exists. This means that where a network was vulnerable to infiltration or infection, this opening is now shut. If the exploits are open to whoever will pay for them, ethical and non-ethical hackers alike, then the defence to the exploit can be worked on at the same time as the weaponization. This would mean that there could be a patch before anyone has time to release malware or target an organisation. It’s worth noting that this was the case with WannaCry, but not everyone had implemented the patch.
Are the Shadow Brokers therefore looking to profit in a more ethical way than if they just sold to the highest bidder? @hackerfantastic (Twitter handle for Matthew Hickey) Co-Founder & Director My Hacker House said in response to this question “by their own accounts the Shadow Brokers just want to hang out on a beach with John McAfee” therefore suggesting that they aren’t as unethical as some cyber-criminals.
I’m not sure that puts them in the guise of your friendly neighbourhood hacker though…
In an interesting development, @hackerfantastic and @x0rz (a Security Researcher who seems to want to remain anonymous) set up a crowd funding page yesterday to raise the funds with the intention that by “paying the Shadow Brokers the cash they asked for we hope to pool resources and avert any future WannaCry type incidents”.
On their crowd funding page @hackerfantastic and @x0rz state “as a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities. We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days”. An 0day exploit is an undisclosed software vulnerability that hackers can use to adversely affect computer programs, data, additional computers or a network.
Within 24 hours of the crowd funding page going live it was pulled.
In a statement on Twitter @hackerfantastic says “ it transpires that should funds change hands from ours to the Shadow Brokers we would be certainly risking some form of legal complications. It was just too risky and the advice was under no circumstances to proceed further with this.
“We were told by others that the Shadow Brokers are linked to the FSB and we would be falling afoul of the US justice system. We greatly respect their opinions and thank them of contacting us.”
This raises yet more questions around ethics. Should we be effectively paying a ransom to criminals to protect ourselves against vulnerabilities that may never be weaponized Who are the Shadow Brokers and what will they be using the money for. Could anyone who contributes to this potentially be funding wide scale organised crime, terrorist groups or corrupt governments. At this point, can the Shadow Brokers be trusted to release their exploits to ethical hackers even if they do receive payment.
It is true that the almost comically broken English used in communications by the Shadow Brokers suggested Russian links, but it is worth noting that links to the FSB (formerly the KGB) remain unsubstantiated at this point.
Despite the ethical dilemma surrounding this, we considered donating to the crowd fund in the hope of contributing to the research that could prevent another WannaCry style attack. In our opinion, when malware has the ability to affect an organisation such as the NHS, we are all at risk.
Our justification for this is that even though the Shadow Brokers group operate outside of what is legal and ethical, we ethical hackers have an obligation to help protect systems at any cost. If we can access this data and stop the next WannaCry attack, we should, even at the cost of funding this group. The black market cost of these exploits are far above what the Shadow Brokers are asking for and groups do trade exploits and tools on the black market. In fact, by getting these exploits in the hands of ethical hackers, the black market value of these tools will be lowered.
Ideally, we would like to see those hoarding 0day exploits, such as the NSA, reporting them to vendors so they can be fixed for the public and if they wont, the only option left to help work towards fixing these flaws before they are attacked is to gain access to the archives ourselves.
If the best defence against unethical hacking is to allow ethical hackers, the very same people who protect the digital infrastructure of everything from big banks to government systems, to view and research exploits and vulnerabilities before they fall in to the hands of cyber-criminals, then the onus is back on the NSA to release the hacked data to the security community to be able to do this.
Lets see if they step up.