Global manhunt underway to find the hackers behind WannaCry

As users across the world recover from one of the largest cyber attacks in history, a global manhunt is now underway to track down those who unleashed the WannaCry ransomware.

WannaCry exposed security weaknesses that had been discovered by the US National Security Agency, but who actually launched the attack remains cloaked in mystery.

Speaking to the BBC, head of research at security company F-Secure, Mikko Hypponen, said: “We’re tracking over 100 different ransom Trojan gangs, but we have no info on where WannaCry is coming from.”

The first iteration of WannaCry surfaced on 10 February and was distributed through spam emails and booby-trapped websites, but to little effect.

WannaCry Version 2.0, in stark contrast, wrought havoc around the globe, as the malware was modified with the addition of a module that transformed WannaCry into a worm, a form of malware that spreads by itself.

Deciphering and examination of WannaCry’s code has failed to reveal any significant clues, such as strings in executables, signs the malware had been uploaded to online virus scanners such as Virus Total to check for detections before distribution or signature coding of an established group.

The distinguishing characteristics which have been identified so far are that WannaCry is attacking machines using Cyrillic script – leading some to infer that the malware is not Russian in origin – and the code contains a time stamp running 9 nine hours ahead of GMT, indicating it could have been created in Japan, Indonesia, the Philippines or far eastern parts of China and Russia.

There are also some hints that WannaCry could have been the work of a new group. The authors failed to register the domain included within its core code. This allowed security researcher Marcus Hutchins to register and take control of the domain, and halt WannaCry’s spread.

Of course, these clues could have been left intentionally to distract and divert investigations. So following the money trail created by the sending and receipt of ransom money maybe the best hope of finding the hackers behind WannaCry. Bitcoin isn’t 100% anonymous – every transaction is logged and publicly recorded on the blockchain.

At present, the total amount of ransom money paid to the hackers stands at more than $50,000 (£39,000).