Update 15.05.2017: Elliptic has released a WannaCry tracker showing the current balance of the three bitcoin addresses known to be associated with the ransomware. The total at the time of writing is $54,000 and counting. See the tracker here.
Original story
It’s the biggest ransomware outbreak in history, claiming 200,000 victims in at least 150 countries – with more expected as the working week begins. But, according to bitcoin experts, the criminals who spread it have made just $49,000 from their demands at the time of writing. Although this seems like a substantial amount of money for little effort, the scale of the attack suggests the yield should be higher.
To put this into perspective, a single hack on banks in 2015 generated a yield thought to exceed £650 million.
Ransomware works by encrypting a user’s files, then displaying a message demanding payment to unlock them. In the case of the NHS cyberattack, the hackers asked for $300 (£231) in digital cryptocurrency bitcoin, then gave several addresses to send the money to.
Every bitcoin transaction is recorded in the bitcoin blockchain, which lists all the transactions between addresses. From this, it is possible to track the number of payments and the total amount transferred – which, at the time of writing, came to a little over $49,000.
“As far as we're aware this is how much they've made from this attack, although it is possible there are addresses we're not aware of,” says Tom Robinson, co-founder of Elliptic, which works with law enforcement authorities to identify illicit activity involving bitcoin. “However, the ransomware addresses we are aware of tally with those mentioned online.”
Payments to the addresses have been rising slowly but steadily ever since the attack. At 12:58 am on Saturday 13 May, Elliptic recorded 45 payments totalling around $15,000. By 10.30 am there were 68 payments totalling approximately $25,000. "We expect this number to accelerate this week, especially as the first deadline for the ransomware expires, after which the ransom doubles," says Robinson.
Elliptic has additionally been tracking a second, related, strain of ransomware, from April, which forced 16 payments, totalling $10,000, out of its victims. Taken together, the two cyberattacks have brought in around $57,000.
There are also a number of smaller payments in the account, some of which, Robinson said, could come from the criminals themselves. “Some of the payments probably aren't from the victims – they are very small payments, which is known as "dusting". This is the digital equivalent of throwing a penny into a thief's pocket.” (It is possible to embed messages in payments, which might be the reason for the payments.)
So far, there has been no attempt to move the proceeds. When there is, it may be possible to track where the money goes, although Robinson warned that this “is very difficult,” because criminals can use a range of techniques to cover their tracks – including bitcoin "mixers", or tumblers, which break the connection between a bitcoin address sending coins and the addresses they are sent to.
Yet Elliptic, which has delivered “actionable evidence” to law enforcement agencies in cases involving arms trafficking, money laundering and drug offences, says that if the hackers are going to be caught it will probably be when they attempt to claim their ransoms.
“Identification usually occurs by linking the suspect's transactions to a bitcoin exchange, which would hold identifying information about their clients. These transfers are often seen, as the criminal will usually need to cash out at some point.”
This article was originally published by WIRED UK