Petya 2.0? Or PetWrap? Or NotPetya? Is This the New Normal in Cyber Security?

Updated July 6, 2017, 11:51 AM PT

When the latest massive global cyber attack first hit on June 27, the security community observed that the payload behavior closely matched Petya ransomware, which emerged back in 2016, so we initially called this a variant. However, SonicWall Capture Labs researchers confirmed that this is definitely not Petya ransomware. In fact, it masquerades as ransomware but there is no boot sector decryption capability, so in reality this is a wiper-like attack which is generally used as a cyber weapon for targeted system destruction. At this point, the malware is being referred to as  NotPetya, ExPetr, Nyetya, PetWrap or GoldenEye.

Like WannaCry, this latest attack propagates using EternalBlue, one of the exploits that was leaked from the NSA back in April, which has led to comparisons between the two. The origins are still in dispute, but our position is that regardless of whether it is a cyber crime or a state sanctioned attack, the capacity to inflict not only financial but also brand and operational damage to organizations around the world is enormous.

What we see is that the cyber arms race continues to evolve. If I were to boil this down to its essence, cyber criminals are combining exploits and attacks in creative ways that are not necessarily brand new, but can be tweaked and combined in new ways to create very effective attacks. Like mixing cocktails, the ingredients are all well known, but the exact mix is completely new.

SonicWall Capture Labs confirmed in a SonicAlert issued on June 27 that customers had been protected from this cyber attack through both our intrusion prevention service as well as the SonicWall Capture network sandbox prior to the attack. Gateway AV signatures were also added after we analyzed the payload to detect and protect against the modified ransomware. Stay tuned for more updates from SonicWall as this situation unfolds.

What the attack looks like:

Petya Lock Screen

Petya Payment Screen

Information for SonicWall customers

SonicWall provides protection from this latest attack in a variety of ways for customers with both next-generation firewalls and email security solutions. Here is a breakdown of the protection details.

SonicWall Intrusion Prevention Service – prevents propagation of known malware

  • Existing protection against the NSA EternalBlue exploit of the SMB1 protocol, originally deployed to our firewalls in April 2017, continues to be effective at blocking the malware propagation.
  • No new signatures necessary.

SonicWall Gateway Anti-Virus Service blocks known malware at the gateway

  • We released new signatures to cover the modified payload on June 27. The following have been pushed to all firewalls.
    • GAV: GoldenEye.A_5 (Trojan)
    • GAV: WisdomEyes.A_2 (Trojan)
    • GAV: GoldenEye.A_4 (Trojan)
    • GAV: Petya.A_8 (Trojan)
    • GAV: Petya.AA (Trojan)

SonicWall Capture ATP Network Sandbox Service

  • Detects unknown zero-day malware
  • Capture customers had protection at time zero since the multi-engine sandbox detected the modified Petya payload.
  • Any customers using our Block until Verdict feature was protected in the case that the attack came in through a method other than EternalBlue.

SonicWall Email Security

The best defense against modern malware attacks includes:

  • SonicWall next-generation firewalls with gateway anti-virus and intrusion prevention services
  • SonicWall Capture ATP, our multi-engine cloud sandbox that is designed to address the 1% of new attacks that have not been seen before
  • SonicWall’s Deep Learning Algorithm, which learns from over 1,000,000 sensors deployed around the globe, with the ability to push out real-time updates within minutes. Deep learning is helping us with the speed of detection and identification as well as the ability to create protection and push to the Capture Threat Network.
  • Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks.
  • SonicWall Email Security which uses malware signatures to block email-borne threats that are often used to deliver malware. It is estimated that 65% of all ransomware attacks happen through phishing emails, so this also needs to be a major focus when giving security awareness training.
  • Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Apply the latest Windows patches provided by Microsoft, especially the MS17-0170 patch.
  • Block incoming requests to ports 135, 139, and 445 on your Windows firewall. Also disable SMBv1 on Windows machines.
  • Train your users to shut off their computer if they suspect a malware infection.
  • And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

Locky, Then WannaCry, Now Petya. Is This The New Normal in Cyber Security?

Updated June 28, 2017

As I type this, news reports continue to roll in about yet the latest massive global ransomware attack. This time, the payload appears to be a ransomware called Petya. SonicWall Capture Labs identified the original Petya variants in 2016. However, this time it appears to be delivered by Eternal Blue, one of the exploits that was leaked from the NSA back in April. This is the same exploit that was used in the WannaCry attack.

Infected systems will initially display a flashing skull, followed by a lock screen:

Once again, the cyber arms race continues to evolve. If I were to boil this down to its essence, what we are now seeing is that cyber criminals are combining exploits and attacks in creative ways that are not necessarily new, but still quite effective. Like mixing cocktails, the ingredients are all well known, but the exact mix can be completely new.

Attack details: SonicWall customers are protected

Today, June 27, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017 Capture Labs analyzed and released protection for the Eternal Blue exploit that Shadow Brokers leaked from the NSA. Also, on June 27, the Capture Labs Threat Research Team issued a new alert with multiple signatures protecting customers from the new Petya Ransomware Family.

Recommendations for SonicWall customers

As a SonicWall customer, ensure that your next-generation firewall has a current active Gateway Security subscription, in order to receive automatic real-time protection from known ransomware attacks such as Petya. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology:

  • Includes signatures against Petya (part of GAV)
  • Protects against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS)

Since SonicWall Email Security uses the same signatures and definitions as Gateway Security, we can block the emails that deliver the initial route to infection. To block malicious emails, ensure all Email Security services are up to date. Since 65% of all ransomware attacks happen through phishing emails, this also needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.

Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI SSL also allows the firewall to examine and send unknown files to the SonicWall Capture Advanced Threat Protection (ATP) service for multi-engine sandbox analysis. We recommend that you deploy Capture ATP in order to discover and stop unknown ransomware variants. Because of the rapid proliferation of malware variants, SonicWall leverages deep learning algorithms to provide automated protection against both known and zero-day threats. The combination of the SonicWall Capture Threat Network and SonicWall Capture ATP sandboxing provides the best defense against newly emerging hybrid attacks such as Petya. As always, we strongly recommend that you also apply the Windows patch provided by Microsoft to protect against the Shadow Brokers leaked exploits as well.  And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

Is Your K-12 Network Ready to Innovate More? Learn How SonicWall Blocks Ransomware and Encrypted Threats at ISTE 2017

Every day our children, teachers and administrators log into the network at school. How can you ensure the data travelling across that network is secure from hidden threats and attacks such as ransomware? With SonicWall next-gen firewalls and DPI SSL inspection technology, IT administrators can find threats hidden in encrypted web traffic that cybercriminals don’t want you to discover across your K-12 network. This week at ISTE 2017, SonicWall will highlight its automated real-time breach prevention solution, how to leverage our SonicWall Security as-a-Service option, and showcase the advantages eRate offers for upgrading network security. Visit us in booth 2357 from June 26-28 at The Henry B. Gonzalez Convention Center. Your K-12 school district’s security solution needs to perform with x-ray vision by inspecting encrypted traffic to block and detect ransomware attacks with SonicWall Capture ATP. Over 25 years, SonicWall has been protecting school networks around the world. St. Dominic’s School for Girls is one that has been able to innovate more with SonicWall next-gen firewalls.

“SonicWall NGFW has lived up to its promises. We feel very well protected and have not experienced any security breaches or content filtering issues.” – Harry van der Burgt, IT Manager St Dominic’s School for Girls

Let’s take a look at securing your school’s network traffic.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Capture Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

Given the growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not every school does, however, especially smaller ones. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website.

In addition to uncovering encrypted threats, K-12 schools are risk for ransomware attacks. To help protect school networks against the increasing dangers of advanced persistent threats (APTs), SonicWall Capture will be available to demo at ISTE 2017. This cloud-based sandboxing service – available on both firewalls and email security solutions – scans potentially malicious unknown files until a verdict can be reached. This solution is built on multi-layered sandboxing technologies that use both system emulation and virtualization techniques to detect more threats than competitors’ single engine solutions. Customers immediately benefit from fast response times, high security effectiveness and reduced total cost of ownership.

With the volume of cyber attacks increasing in intensity and sophistication, many of our education customers have taken advantage of SonicWall Security-as-a-Service. Our expertly trained partners deliver SonicWall next-gen firewalls to you, so your school network can benefit from the following:

  • Outsourced network security to an experienced security provider
  • Have your Security as-a-Service solution expertly configured by SonicWall-certified engineers
  • Predictable monthly service fee with no upfront costs
  • Next-gen firewall, gateway anti-malware, intrusion prevention, content filtering and Capture.

SonicWall solutions for education deliver real-time breach prevention along with secure remote access that enables your school district to realize and promise of technologically advanced learning environments. Join the team onsite at the booth 2357 including our partner, Securematics. Do more and Fear Less.

Enemy at the Corporate Gate: Why Email Security is More Crucial Than Ever with Dell and SonicWall

Note: This is guest blog post by Bryan Chester, Vice President of North America Partner Software and Imaging Sales at Dell.

Email has long been acknowledged as a business critical application. However, it can expose your organization to devastating sabotage by offering hackers an easily accessible vehicle to exploit vulnerabilities in your organization’s network security.

There are a multitude of repercussions if email-based threats such as ransomware, phishing, or viruses make it into your email servers and users’ inboxes.  Given today’s complex threats, it is crucial that organizations deploy a multi-layered security solution that includes dedicated, leading edge email protection.

Even with the knowledge of that threat, it is becoming increasingly difficult to accurately detect all of the bad emails without creating a bottleneck and dampening your employee productivity. This is especially true for emails containing attachments.

So what can you do to protect your environment at an email level while not slowing down your critical business processes? Dell and SonicWall can help you answer that question.

SonicWall Email Security leverages multiple patented SonicWall threat detection techniques and a unique worldwide attack identification and monitoring network. This next-generation SonicWall Email Security solution protects your organization from today’s most advanced email threats.

SonicWall Email Security includes the cloud-based Capture ATP (Advanced Threat Protection) service that can scan a broad range of email attachment types, analyze them in a multi-engine sandbox, and block dangerous files or emails before they reach your network. Email Security with Capture ATP gives you a highly effective and responsive defense against email threats, all at a low TCO.

SonicWall Email Security features include:

  • Advanced Threat Protection: Integrates Capture cloud-based sandboxing technology for detection of zero-day threats such as ransomware, for fine-grained inspection of SMTP traffic
  • Next-generation Email Protection: Incorporates anti-spam, anti-virus and anti-spoofing functionalities to not only detect and prevent spam and other unwanted email, but also scan email messages and attachments for ransomware, Trojan horses, worms and other types of malicious content.
  • Improved Office 365 Support: Enhances security for multi-tenant environments by providing a method for ensured, mapped delivery of emails for SonicWall Hosted Email Security environments
  • Updated Line of Appliances: Refreshes SonicWall’s line of Email Security Appliances (hardware and virtual options), helping customers to better face threats delivered by email.
  • Encryption Protection: Supports not only SMTP Authentication, but also the encryption service feature enables any email containing protected data to be automatically encrypted, routed for approval or archived.
  • Policy and Compliance Management: Enables an administrator to enact policies that filter messages and their contents as they enter or exit the organization. This allows organizations to meet regulatory requirements based on government legislation, industry standards or corporate governance activities.
  • To learn more download the SonicWall Email Security 9.0 data sheet or view a live demo of the SonicWall Email Security Solution to see all of the latest enhancements.

Reach out to your Dell and SonicWall contacts today to learn more about how SonicWall Email Security can protect your organization by scanning all inbound and outbound email content and attachments for sensitive data, all while delivering real-time protection from spam, phishing, viruses, malicious URLs, spoofing, Denial of Service (DoS), and a myriad of other unknown and sometimes unimaginable attacks.

Ransomware: Are You Protected From the Next Outbreak?

Will you be ransomware’s next victim? Can ransomware encrypt your data and hold it hostage until you pay a ransom?

Organizations large and small across industries and around the globe are at risk of a ransomware attack. The media mostly reports attacks at large institutions, such as the Hollywood Hospital that suffered over a week offline in 2016 after a ransomware attack encrypted files and demanded ransom to decrypt the data. However, small businesses are affected also. In fact, Kaspersky research reported that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over a 12-month period. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Whether you are part of a large organization or a small business, you are at risk.

The recent WannaCry ransomware attack was the largest ransomware campaign ever. In the course of a weekend, WannaCry spread to over 250,000 computers in 150 countries, crippling operations at hospitals, telecom providers, utility companies, and other businesses around the globe.

Once primarily an issue for Windows desktops, ransomware attacks have now occurred across many device types and operating systems, including KeRanger, a ransomware variant that emerged in 2016 that targeted Apple OS X. This variant was hidden in a compromised version of the Transmission BitTorrent client and affected about 6,500 computers within a day and a half.

These attacks often start with an internet file download or email attachment that seems innocuous but actually is hiding malware that encrypts files. End user productivity grinds to a halt and your help desk lights up. Worse, your business can suffer both financially and also from damage to your reputation.

Can your security solutions protect from this threat? Maybe. Legacy security technologies are often signature based, great for detecting “known” malware, but ineffective against “unknown” or zero-day attacks. To better detect unknown threats, security professionals are adding an additional layer of security and deploying advanced threat detection technologies, such as network sandboxes specifically SonicWall Capture ATP, that analyze the behavior of suspicious files and uncover hidden malware. To learn more about what it takes to keep malicious code out of your network, read our whitepaper: Why Network Sandboxing is Required to Stop Ransomware.

Innovate More, Fear Less with SonicWall’s Automated Breach Prevention at Gartner Security & Risk Management Summit 2017

The Gartner Security & Risk Management Summit 2017 runs June 12-14 in the Gaylord National Convention Center, National Harbor, Maryland, promising the insight you need to guide your organization to a secure digital business future. As the world’s leading research and advisory company, Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. SonicWall is proud to be among the premier security, risk management and business continuity management leaders brought together for this major event.

To stay competitive today, organizations need to embrace the benefits of new technology, while managing its risks. Yet as recent headline-grabbing attacks such as WannaCry demonstrate, the global cyber arms race is continually evolving.

SonicWall is committed to enabling you to stay ahead of cybercriminals with cutting-edge security solutions that leverage continual threat updates from our global SonicWall Capture Threat Network. As a result, SonicWall customers were protected from WannaCry weeks before its first public attack. And with our comprehensive, multi-layered security approach, SonicWall is ready to help you secure your organization from the next emerging threat.

Join us at booth 503 to learn about the latest trends in cybercrime, as well as the advances SonicWall and the cybersecurity industry have made to counter them (as outlined in our 2017 Annual Threat Report). Take this opportunity to attend our expert presentations and demonstrations on how to prevent breaches, uncover encrypted threats, stop phishing and ransomware attacks, identify compromised IoT devices and stop threats targeting weak spots in your network.

  • Prevent zero-day and advanced threats. Watch a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, as it scans network traffic in the cloud to prevent threats from entering your network. See how you can block unknown files until Capture reaches a verdict, which is rendered by our Capture Threat Network in near real-time.
  • The majority of web traffic is now encrypted, as well as the malware that it carries. Learn how our Encrypted Threats solutions inspect SSL/TLS traffic to uncover hidden malicious behavior, block C&C communications and stop data exfiltration.
  • Because email is a primary vector for many attacks, you will also want to learn about our revolutionary next-gen Email Security solution to protect email files, stop phishing and block ransomware. Learn how you can block spoofed email and attacks with our hosted service for SMB or via our on premise enterprise email security solutions.

Don’t just detect breaches after they’ve already been in the headlines. We are holding a boardroom session titled: Automated Breach Prevention with Multi-Engine Sandboxing and Encrypted Traffic Visibility. Attendees will learn how to protect users from ransomware and how to deal with the increase of encrypted traffic. SonicWall Capture Labs built a multi-engine cloud sandbox to power the world’s first automated breach prevention platform. It was specifically designed to block the latest ransomware – whether it comes in via clear text traffic or through an SSL/TLS connection.

Let SonicWall help you prevent attacks in real time. Please join us at our “SonicWall Pub” hospitality suite on June 13 5:30-8:30 National Harbor 8 and see how SonicWall can help your organization innovate more, and fear less. Tune in via Twitter #GartnerSEC and follow @SonicWall. If you want a head start, you can play with our security solutions online by visiting our Live Demo site.

Securing Email in the Age of Ransomware and Phishing Attacks

Email security has become a big concern for organizations, thanks to phishing campaigns that deliver ransomware. Recently, there has been no shortage of notable cyber attacks. The Google Docs attack, Docusign phishing attackGannet phishing attack, and Jaff ransomware and its variants were all delivered through phishing emails.  Most recently, the WannaCry ransomware attack was spread through an SMB vulnerability.

According to a survey by the SANS institute, spear-phishing and whaling attacks are increasing dramatically. Spear phishing was identified as the second most significant type of attack (ransomware takes the honors for the top spot).  In the case of spear phishing attacks, cyber criminals are carrying out extensive social engineering activities to gather personal information and craft messages that appear from trusted sources to gain the victim’s confidence.

It is becoming increasingly difficult to accurately detect all bad emails, especially those containing attachments, without slowing down email to such an extent that it impacts employee productivity. In many cases, critical business communications need to be delivered promptly, without any delay or being lost in junk or spam folders. In addition, traditional signature-based technologies are proving to be ineffective in stopping phishing emails that contain malicious payloads such as zero-day/unknown malware and ransomware.

In today’s landscape, an effective email security solution should:

  • Align with and complement your network security solutions
  • Integrate with network sandboxing to scan all you SMTP traffic and email attachments
  • Provide granular administrative control over settings and must be able to set policies such as “Tag a subject line” or “Strip email attachment” in cases where communication is of the utmost importance
  • Feature anti-spoofing authentication mechanisms such as DKIM, SPF and DMARC, to protect against impostor emails
  • Offer encryption and data leakage prevention (DLP) capabilities for outbound protection

Email is the top attack vector, and most cyber attacks typically start with a phishing or spear phishing attack. Almost every organization has deployed some sort of email security solution. However, the threat landscape is constantly evolving and today’s advanced threats are designed to bypass traditional security techniques. Now is the right time to evaluate the currently deployed solution and analyze gaps in your security posture. To reduce risk exposure, email security must use a multi-layered approach. Read our solution brief to learn about the critical capabilities of next-generation email security here.

Did WannaCry Perpetrators Ever Get Their Ransom?

Cyber criminals prefer to receive ransom in the cyber currency Bitcoin because it is anonymous. The truth is “sort of.” Let’s take a closer look at how Bitcoins work, and how the WannaCry perpetrators, possibly the Lazarus Group, want to be paid.

Bitcoins are different from fiat currencies because, with Bitcoins, no actual coins or bills exist, not even digital ones. With a fiat currency like the dollar, money is represented by actual coins and bills that can be physically stored. Depending on how you pay, your transaction is not recorded or, more often, either recorded anonymously or via an account number, such as a credit card number.

In any case, the number of coins and bills, either in actual money that you have on your hand, or what is recorded on your bank account, are decreased. With Bitcoins, you only have the transaction. Transactions are always public, and can be viewed by anyone. That is right: public, anyone. Anybody can see that money was paid from your account to that of WannaCry. Though, what is different from fiat currencies is that the actual ownership of an account is not necessarily know to anyone. It can be completely anonymous. This is a bit similar to a Swiss number account.

Let’s summarize this, the ownership of an account in Bitcoin may or may not be known to anyone, or generally public. The transaction, however, is always public. Bitcoin tracks transactions in so called Blocks that are linked in a Blockchain. In order to find out how much money somebody has, a “wallet” application would have to browse through the entire Blockchain and select out any transaction that involves the owner’s account number(s).

Different from fiat currencies, though, with Bitcoin, account numbers are free and one can have an endless amount of them. If somebody wants to be completely anonymous, they would use a new account number for every single transaction. Wallet or Account software would make it easy to keep track of them.

WannaCry made use of only three hard-coded account numbers:

Why didn’t WannaCry use a new account number for every instance of WannaCrypt0r to be installed? The answer might be: because in order to get the money from a Bitcoin account, one has to first generate the account number/private key pair, AND be in possession of the private key. Without the private key, they could not get their money: if the private key is being generated within WannaCrypt0r it would need to be communicated reliably where the hostage takers would have real-time access to it. That would give the perpetrators away. If the keys are generated somewhere in the cloud, the communication of private keys may be disguised in some layers of Darknet labyrinth, but it would be easy to shut them down by taking the key servers offline which would be easy to sniff. Also using hundreds or thousands of account numbers would not make it necessarily significantly more difficult for security experts to track payments.

The bigger question how can the perpetrators associate payment with a specific instance of WannaCry. With a uniquely generated account number that might be easy. But there does not appear any way to link the two, other than manually via the Contact Us button in WannaCrypt0r. In fact, the function of the Check Payment appears dubious at best. Supposedly, it is supposed to fetch the private key, but there is no public record of anybody ever having received it. The question is whether it actually works.

How would the perpetrators get the money after people paid ransom? Good question. Since transactions are public, we would know the account numbers to which the money is being transferred. In order to exchange the BTC into a fiat currency, the perpetrators would need to go to an exchange that are more and more government regulated. While a small-scale thug might slip through, the likelihood that a group of Lazarus’ size would stay anonymous is small. The WannaCry perpetrators also could exchange their account numbers for different ones in so called Mixer services as well in Account or Wallet services. Again, a small time thief might stay anonymous, but not when the NSA and every other state actor is after you.

In short, it is very possible that the WannaCry perpetrators never get their money. However, at the same time it is very possible that you never get the key either to recover your files. Even worse, your organization will be on the public record for having paid the extortionists, something which is not good publicity.

For so many reasons it is not a good idea to ever pay ransom, but specifically in the case of WannaCry is practically pointless.