DAVID GREENE, HOST:
Two cybersecurity firms say they have found some technical similarities between the WannaCry ransomware and earlier attacks from hackers in North Korea, though they are not calling these clues proof that North Korea is behind the worldwide attacks that began last week. Other experts are saying that they are puzzled by WannaCry. As NPR's Martin Kaste reports, they say the ransomware actually contains some pretty amateurish flaws.
MARTIN KASTE, BYLINE: Nick Selby's a police detective in Texas who specializes in cybercrime. He says the cops have a decent shot at catching certain kinds of online scammers - say, that guy selling the too-good-to-be-true car on Craigslist. But when it comes to ransomware, that's tougher.
NICK SELBY: It tends to be a crime that is born on the Internet, is born through tips that are sold on a dark web that already prebuild in anonymity of the perpetrators.
KASTE: And that's what the experts think they're seeing here with WannaCry. Somebody is using software tools that were created by somebody else. Paul Burbage is a malware researcher for Flashpoint-Intel.
PAUL BURBAGE: The ransomware itself - we have seen that in the wild before, and it's not that sophisticated.
KASTE: He says the most obvious tip-off is the fact that the malware contained an easy-to-find kill switch, basically a URL address included in the code, which was used to stop the malware's spread.
BURBAGE: The kill switch allowed people to prevent the infection chain fairly quickly. It was kind of a new mistake, if you ask me.
KASTE: And WannaCry has some other deficiencies, too. Sophisticated ransomware usually has an automated way to accept payments from its victims who want to unlock their computers. But Burbage says WannaCry's system seems to be manual. The scammers have to send each victim a decryption code, which isn't very practical for an infection that involves thousands and thousands of computers.
BURBAGE: It leads me to believe that they did not think that it was going to spread as far as it is. You know, I really think that these guys are running scared, and they're probably laying low at this point.
KASTE: And then there's this - so far, at least, the scammers have collected payments from fewer than 200 victims. We know this because they're demanding Bitcoin, and Bitcoin transactions are public. We don't know the scammers' names, but we know the Bitcoin addresses they're using to receive payment - just three addresses. Again, a more sophisticated ransomware would have had the ability to generate a unique Bitcoin address for each victim.
Jonathan Levin is a co-founder of Chainalysis. It's a company that analyzes Bitcoin usage to identify money laundering. He's been watching the Bitcoins accumulating at WannaCry's three addresses. So far, they've collected about $60,000 worth. But those Bitcoins are just sitting there, he says, untouched.
JONATHAN LEVIN: It might be that they don't have another good idea yet about how they want to launder the Bitcoin. Perhaps they're not really set up to take advantage of the success of their campaign so far.
KASTE: Levin says one way to turn dirty Bitcoin into real-world money is to do that conversion in a jurisdiction where the financial authorities turn a blind eye, so the scammers will sometimes have safe zones. Usually it's their home country, where the malware is not allowed to do any damage. He gives the example of a very successful ransomware called locky, which favors Russia.
LEVIN: So if it detects that there is a Russian language on the machine, it actually does not execute and deletes itself.
KASTE: WannaCry, in contrast, does not seem to be playing geographic favorites this way. And Levin says if the perpetrators live in one of the countries that have been hit hard by this - say, in Russia - that would be, as he puts it, an incredibly bad life choice. Martin Kaste, NPR News.
(SOUNDBITE OF FLVKE'S "ZERO STATION")