2/2 How to catch hackers? Sleuthing, with a twist - by Katrin Bennhold and Mark Scott (Catching hackers)

In the case of the ransomware that was unleashed Friday and is known as WannaCry, Wcry or Wanna Decryptor, it was quickly determined that applying the latest Windows security patch was enough to inoculate computers that had not yet been infected.
Then the forensic work begins, with agents looking for digital fingerprints.
Because of the highly technical nature of these investigations, private security firms can be expected to help in the search. That includes working directly with law enforcement to uncover clues left behind by the attackers, as well as tracking the malware and its effects independently to protect their corporate clients. These firms have been instrumental in solving some cases.
In the WannaCry case, any phishing emails sent by the criminals with a link to the malware would be a key piece of evidence. Patricia Lewis, the international security research director at Chatham House in London, likened the text of the email to a physical letter and its metadata to the envelope it arrives in.
“An envelope has a lot of information on it: the stamp with the time and place it was sent from, the handwriting or printer type, a sender’s address, maybe a fingerprint or DNA from saliva on the seal,” Ms. Lewis said.
Criminals are aware their emails contain revealing clues, and they try to cover their tracks. “People use cloakers, which hide your identity, making you look as if you are someone and somewhere else,” she said.
Like tracing the license plates of a stolen car back to the wrong person, this can lead investigators astray. “But a good detective can track them,” Ms. Lewis said. “They always leave digital bread crumbs that can be followed.”
Investigators will check whether the email address the malware came from is linked to social media accounts, past cybercrimes or other locations on the web. They will study the domain name it is linked to, including who registered it and where it is hosted. And they will look for patterns to try to connect one crime to others.
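To make the envelope analogy concrete, here is an added example (not from the article, and not based on any actual WannaCry message) that reads a raw email's metadata the way an investigator would: it walks the Received: chain back to the originating relay, compares the claimed From: domain with the Return-Path and Message-ID domains, notes the sending software, measures transit time between hops, and flags links whose hostnames merely resemble the sender's domain. The message and every host, address and IP in it are constructed test values.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample message (not a real lure): every host, address and IP
# below is an invented documentation/test value.
RAW_PHISH = """\
Received: from smtp.cheap-hosting.example (smtp.cheap-hosting.example [203.0.113.7])
\tby mx.victim.example (Postfix) with ESMTPS id 4F2A1
\tfor <ops@victim.example>; Fri, 12 May 2017 07:41:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby smtp.cheap-hosting.example (Postfix) with ESMTPA id 9C0B3;
\tFri, 12 May 2017 07:40:58 +0000
Return-Path: <bounce@cheap-hosting.example>
From: "Accounts" <accounts@example-bank.com>
To: ops@victim.example
Message-ID: <20170512074058.9C0B3@cheap-hosting.example>
X-Mailer: PHPMailer 5.2.9
Date: Fri, 12 May 2017 07:40:58 +0000
Subject: Invoice attached

Please review the attached invoice: http://example-bank.com.invoices-portal.example/inv
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PRIVATE_IP = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def domain_of(addr):
    """Lower-cased domain part of 'user@host' or '<id@host>'; '' if there is none."""
    return addr.rsplit("@", 1)[1].strip("<> ").lower() if "@" in addr else ""


def received_hops(msg):
    """One dict per Received: header, earliest relay first.

    Each relay prepends its own Received: line, so the header nearest the
    body is the oldest hop; the list is reversed to read in delivery order.
    """
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        host = re.search(r"from\s+(\S+)", flat)
        ip = IPV4.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({
            "from": host.group(1).strip("[]") if host else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops[::-1]


def envelope_clues(raw):
    """Extract the 'envelope' metadata of a raw message and flag mismatches
    between what the letter claims (From:) and where it actually came from."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    # The first hop carrying a public IP is the best guess at the sending machine.
    origin = next((h for h in hops if h["ip"] and not PRIVATE_IP.match(h["ip"])), None)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    body = "" if msg.is_multipart() else msg.get_payload()
    link_hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"]+", body)]
    transit = None
    if len(hops) > 1 and hops[0]["time"] and hops[-1]["time"]:
        transit = (hops[-1]["time"] - hops[0]["time"]).total_seconds()
    clues = {
        "from_domain": from_dom,
        "return_path_domain": domain_of(parseaddr(msg.get("Return-Path", ""))[1]),
        "message_id_domain": domain_of(msg.get("Message-ID", "")),
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["from"] if origin else None,
        "relay_path": [h["from"] for h in hops],
        "mailer": msg.get("X-Mailer"),              # the 'printer type' of the envelope
        "transit_seconds": transit,
        # Hostnames that contain the sender's domain but are not under it.
        "lookalike_links": [h for h in link_hosts
                            if h and h != from_dom and not h.endswith("." + from_dom)],
    }
    clues["sender_mismatch"] = from_dom not in {
        clues["return_path_domain"], clues["message_id_domain"]}
    return clues


if __name__ == "__main__":
    for key, val in envelope_clues(RAW_PHISH).items():
        print(f"{key:>20}: {val}")
```

The Received: headers added by relays the investigator trusts (here the victim's own MX) are the reliable part; anything earlier in the chain, like the From: line, can be forged, which is why the sender-mismatch and lookalike-link checks compare the claimed identity against the infrastructure that actually carried the message.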
Success often depends on whether law enforcement can tie small digital details, including potential mistakes or a characteristic style in the malware's code, back to the criminals. Where some of the ransom money is eventually withdrawn can also help connect the dots.
Sometimes the patterns that lead investigators to their target can be surprising. One state-sponsored hack was traced to Russia because detectives noticed those responsible were online only from 9 a.m. to 5 p.m. Moscow time, Ms. Lewis recalled. In another case, hackers were observing Chinese holidays.
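The working-hours clue is easy to quantify. The following added example, which is not part of the article, takes a list of activity timestamps in UTC (here a constructed series standing in for an operator who works 09:00 to 17:00 on a UTC+3 clock for two weeks and takes one weekday off), scores every candidate UTC offset by the share of events that land in a weekday working window, and lists the local weekdays with no activity at all, which an analyst would then compare against a country's holiday calendar.

```python
from datetime import date, datetime, timedelta, timezone


def constructed_activity():
    """Constructed sample, not observed data: check-in times from an operator
    working 09:00-17:00 Mon-Fri on a UTC+3 clock, starting Monday 2017-04-24,
    with 2017-05-01 skipped to stand in for a public holiday. Returned in UTC."""
    local_tz = timezone(timedelta(hours=3))
    events = []
    first_day = datetime(2017, 4, 24, tzinfo=local_tz)
    for d in range(14):
        day = first_day + timedelta(days=d)
        if day.weekday() >= 5 or day.date() == date(2017, 5, 1):
            continue
        t = day.replace(hour=9, minute=0)
        while t.hour < 17:                     # one event roughly every 37 minutes
            events.append(t.astimezone(timezone.utc))
            t += timedelta(minutes=37)
    return events


def working_hours_score(events_utc, offset_hours, start=9, end=17):
    """Share of events falling on a weekday between start and end o'clock if
    the operator's wall clock were UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for t in events_utc
               if (loc := t.astimezone(tz)).weekday() < 5 and start <= loc.hour < end)
    return hits / len(events_utc)


def infer_utc_offset(events_utc, candidates=range(-12, 15), start=9, end=17):
    """Return (offset, score) for the offset whose working window best explains
    the activity; ties go to the offset nearest UTC so the choice is deterministic."""
    ranked = sorted(
        ((working_hours_score(events_utc, o, start, end), -abs(o), o) for o in candidates),
        reverse=True,
    )
    score, _, offset = ranked[0]
    return offset, score


def quiet_days(events_utc, offset_hours):
    """Weekdays inside the observed span with no activity in the inferred local
    time; candidates for holidays the operators observe."""
    tz = timezone(timedelta(hours=offset_hours))
    active = {t.astimezone(tz).date() for t in events_utc}
    day, last, quiet = min(active), max(active), []
    while day <= last:
        if day.weekday() < 5 and day not in active:
            quiet.append(day)
        day += timedelta(days=1)
    return quiet


if __name__ == "__main__":
    ev = constructed_activity()
    off, score = infer_utc_offset(ev)
    print(f"{len(ev)} events; best fit UTC{off:+d} ({score:.0%} inside 09-17 weekdays)")
    print("quiet weekdays:", [str(d) for d in quiet_days(ev, off)])
```

A single clean peak like the one this sample produces is the exception; with real data, compare the top two or three offsets, because an operator who works late or across a weekend flattens the histogram, and the same timestamps can fit neighbouring zones almost equally well.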
When Sony was hacked, officials linked the malware that was used to malware seen in earlier attacks attributed to North Korea. “That was a big clue,” Ms. Lewis said. “But of course it could have been deliberately planted.”
In the recent hack of the political campaign of the new president of France, Emmanuel Macron, for instance, security experts were able to link the registration of certain website domains used in the attack to Russian hackers.
Investigators in the latest attack are looking for clues in the ransom notes, which were written in more than 20 languages. Some suggested that the attackers might be connected to China because the Chinese-language version of the note was better written than its English equivalent.
Once equipped with enough identifying data to start narrowing down suspects, investigators will go undercover to listen to the chatter on online forums where cybercriminals are known to gather. “It's like using an undercover operative purporting to be part of a criminal gang, except it's online,” Mr. Inkster said.
“Half the dark web are cyberagents these days,” Ms. Lewis joked. “They're tripping over each other.”
One of the most challenging new developments for investigators is the use of Bitcoin, a digital currency with little oversight.
In the latest attack, the criminals demanded ransoms ranging from $300 to $600, to be paid in Bitcoin.
Bitcoin addresses, or wallets, are pseudonymous rather than anonymous: every transaction is recorded on a public ledger, but tying an address to a real person is difficult. Law enforcement agencies have cracked cases by following the flow of Bitcoin transactions, but the process is arduous.
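Following the money on the ledger, as an added example rather than anything from the article or the actual WannaCry investigation: a constructed ledger of seven transactions in which payments to three ransom addresses are consolidated in a single spend and forwarded onward. The multi-input heuristic (addresses spent together in one transaction are assumed to share an owner) groups the ransom addresses into one wallet cluster, and a forward walk over outputs finds where the funds come to rest. The address names and the "known address" labels are invented; in practice the exchange and mixer attributions come from the investigator's own intelligence.

```python
from collections import defaultdict, deque

# Constructed ledger, not real blockchain data. Each transaction spends the
# whole balance of its input addresses and pays (address, amount in BTC).
TXS = [
    {"id": "t1", "inputs": ["victimA"], "outputs": [("ransom1", 0.17)]},
    {"id": "t2", "inputs": ["victimB"], "outputs": [("ransom2", 0.17)]},
    {"id": "t3", "inputs": ["victimC"], "outputs": [("ransom3", 0.34)]},
    {"id": "t4", "inputs": ["victimD"], "outputs": [("ransom1", 0.17)]},
    # Consolidation: one transaction spends all three ransom addresses at once.
    {"id": "t5", "inputs": ["ransom1", "ransom2", "ransom3"],
     "outputs": [("hop1", 0.80), ("change1", 0.05)]},
    {"id": "t6", "inputs": ["hop1"], "outputs": [("exchDeposit", 0.79)]},
    {"id": "t7", "inputs": ["change1"], "outputs": [("mixerIn", 0.05)]},
]
# Invented attribution labels standing in for an investigator's address intelligence.
KNOWN_ADDRESSES = {"exchDeposit": "ExampleExchange deposit", "mixerIn": "ExampleMixer"}


def cluster_by_common_input(txs):
    """Multi-input heuristic via union-find: every address that appears as an
    input of the same transaction is merged into one ownership cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]      # path halving
            a = parent[a]
        return a

    for tx in txs:
        for a in tx["inputs"]:
            find(a)                              # register singletons too
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]


def follow_funds(txs, start, max_hops=6):
    """Breadth-first walk forward through spends from the start addresses.
    Returns ({address: hops from start}, {terminal addresses never spent})."""
    spends = defaultdict(list)                   # address -> transactions spending it
    for tx in txs:
        for a in tx["inputs"]:
            spends[a].append(tx)
    reached = {a: 0 for a in start}
    queue = deque(start)
    while queue:
        a = queue.popleft()
        if reached[a] >= max_hops:
            continue
        for tx in spends[a]:
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in reached:
                    reached[out_addr] = reached[a] + 1
                    queue.append(out_addr)
    terminals = {a for a in reached if not spends[a]}
    return reached, terminals


def cash_out_points(txs, start, known):
    """Where the trail stops, labelled with whatever attribution is known."""
    _reached, terminals = follow_funds(txs, start)
    return {a: known.get(a, "unknown") for a in sorted(terminals)}


def total_received(txs, addresses):
    """Sum of all payments into a set of addresses (e.g. a ransom cluster)."""
    return round(sum(amt for tx in txs for a, amt in tx["outputs"] if a in addresses), 8)


if __name__ == "__main__":
    ransom_cluster = next(c for c in cluster_by_common_input(TXS) if "ransom1" in c)
    print("cluster:", sorted(ransom_cluster), "received", total_received(TXS, ransom_cluster))
    print("cash-out points:", cash_out_points(TXS, ["ransom1"], KNOWN_ADDRESSES))
```

The common-input heuristic is what lets an investigator treat several ransom addresses as one operator; it breaks down when inputs are mixed with strangers' coins (CoinJoin-style transactions), so real clustering needs a whitelist of known mixing patterns before merging.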
It could take months, if not years, for law enforcement agencies to pinpoint the identity of the attackers.
Ultimately, in the digital world, as in the physical world, investigators rely on criminals to make a mistake.
As Adam Malone, a former cyberagent for the F.B.I., put it, “A lot of times we catch bad guys because they get sloppy.”