The malware campaign affected more than 200,000 computers in at least 150 countries, locking users out of systems at Chinese government agencies, Deutsche Bahn, automakers Nissan Motor Co. and Renault, logistics giant FedEx Corp., and hospitals around the world. As security experts gain the upper hand in containing the infection, police have begun the hunt for its creators.
“The response is beyond anything I’ve seen before,” said Steven Wilson, the head of Europol’s EC3 cyber crime unit. “The picture is starting to emerge slowly. This could be something that is going to take us a considerable period of time.”
Finding and locking up hackers may be the toughest job in law enforcement. Criminals can use the dark web — the subterranean layer of the internet untouched by conventional search engines — to disguise their activities, and make use of a complex online ecosystem of black market services that is global in nature. Suspects are often in Eastern Europe, Russia or other jurisdictions that are hard for US or European police to reach. The UK and Russia were among the worst hit, making them the likely leaders in any investigation.
“We are absolutely focused in finding out who the criminals behind this attack are,” said Lynne Owens, director general at the National Crime Agency, known as the UK’s FBI. “At this moment in time, we don’t know whether it’s a very sophisticated network or whether it’s a number of individuals working together,” Owens said in an interview posted on the agency’s website.
Unlike being hacked by clicking on a malicious email or link, the “WannaCry” virus replicated itself, spreading from computer to computer automatically and demanding that computer users pay a ransom in bitcoin, an online currency that is extremely difficult to track. “It takes a colossal amount of time, resource, knowledge, skill and effort to look through all the data and follow it through all the encrypted steps,” said Brian Lord, a former director at the UK’s signals intelligence agency, GCHQ.
Lord, now an executive at security firm PGI Cyber, said it takes “strategic patience” and that law enforcement agencies — with all of their competing priorities and demands — rarely had such qualities.
This time it may be different, given the widespread damage caused by WannaCry, according to Thomas Brown, a former assistant US attorney in New York who supervised a cyber crime unit.
“The wealth of available evidence given the vast scope of the attack, as well as the fact that there will probably be very strong international cooperation in light of the huge number of affected countries (including Russia), indicate that the investigation will be extremely robust,” he said.