The perps behind the ‘biggest ransomware attack ever’ appear to be moving their loot
On August 4, 2017 by Lucius
You’ve infected hundreds of thousands of computers across the globe with your ransomware, and victims’ cryptocurrency payments are flowing into your Bitcoin wallets.
How long should you wait to try and access that cash?
Well, for the perpetrators behind WannaCry, the answer appears to be about two and a half months. We can say this because the three Bitcoin wallets that held the ransomed loot were all suddenly emptied late Wednesday.
And while we don’t know for sure that the same people who unleashed the attack are still in control of the wallets, the profound absence of a statement from law enforcement suggests, at the very least, the accounts haven’t been seized.
You probably remember WannaCry. It hit on May 12, and was soon described by Europol spokesperson Jan Op Gen Oorth in The Washington Post as “the biggest ransomware attack ever.”
The malware locked up victims’ computers, and instructed them to make Bitcoin payments to the attackers’ wallets in exchange for decryption keys. And the money started pouring in.
Sure, the word quickly got out that the attackers weren’t decrypting files, so people eventually stopped paying up. Even so, whoever orchestrated the attack found themselves sitting on approximately 52 Bitcoins — worth around $145,000 at the time of writing.
But that didn’t mean the attackers were suddenly rolling around in a bed of USD. No, if they were going to spend the money and not be traced in the process, they had to figure out a way to safely move it.
That process began on August 2.
The thing about Bitcoin, however, is that it’s only pseudonymous. That is to say, while you may not know who owns it, anyone can see where it goes. And you better believe interested parties around the globe are watching this specific cryptocurrency closely.
The Bitcoin from one WannaCry wallet was sent to three wallets. The Bitcoin in those wallets was sent to more wallets, and so on, and so on. All three WannaCry wallets were broken down in a similar way, with at least some of the Bitcoin finding its way to ShapeShift — a cryptocurrency exchange — along the way.
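The kind of fund-following described above can be approximated with a proportional ("haircut") taint trace over the public ledger. The example below is added here and is not part of the original article or any chain-analysis product; the ledger, the seed address and the exchange deposit address are all constructed, not real WannaCry data.

```python
from collections import defaultdict

# Constructed sample ledger (not real WannaCry transactions). Each entry spends
# the listed inputs and splits the value across outputs, mimicking the
# "one wallet to three wallets, then on to more" peel chain described above.
SAMPLE_TXS = [
    {"id": "t1", "inputs": {"wc_seed": 10.0}, "outputs": {"a1": 4.0, "a2": 3.0, "a3": 3.0}},
    {"id": "t2", "inputs": {"a1": 4.0}, "outputs": {"b1": 1.0, "b2": 3.0}},
    # a2 is mixed with unrelated clean coins before reaching the exchange deposit
    {"id": "t3", "inputs": {"a2": 3.0, "clean1": 3.0}, "outputs": {"exch_dep": 6.0}},
    {"id": "t4", "inputs": {"b2": 3.0}, "outputs": {"exch_dep": 2.5, "b3": 0.5}},
]
# Hypothetical deposit address that an exchange has confirmed belongs to it.
KNOWN_EXCHANGE_ADDRS = {"exch_dep"}


def trace_taint(txs, seed_balances):
    """Proportional ("haircut") taint propagation.

    seed_balances maps attacker-controlled addresses to the coins they hold;
    those coins are 100% tainted. Any input not funded by a seen output is
    treated as clean, external money. txs must be in chronological order.
    Returns (balance, tainted) per address, both in coin units.
    """
    balance = defaultdict(float, seed_balances)
    tainted = defaultdict(float, seed_balances)
    for tx in txs:
        total_in = sum(tx["inputs"].values())
        tainted_in = 0.0
        for addr, amt in tx["inputs"].items():
            known = min(amt, balance[addr])
            # taint leaves an address in proportion to the share of its balance spent
            t = tainted[addr] * known / balance[addr] if balance[addr] > 0 else 0.0
            tainted_in += t
            balance[addr] -= known
            tainted[addr] -= t
        frac = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["outputs"].items():
            balance[addr] += amt
            tainted[addr] += amt * frac
    return balance, tainted


def exchange_exposure(txs, seed_balances, exchange_addrs):
    """Tainted coins that reached each known exchange deposit address."""
    _, tainted = trace_taint(txs, seed_balances)
    return {a: round(tainted[a], 8) for a in exchange_addrs if tainted[a] > 0}


if __name__ == "__main__":
    print(exchange_exposure(SAMPLE_TXS, {"wc_seed": 10.0}, KNOWN_EXCHANGE_ADDRS))
```

On the sample ledger, 5.5 of the 10 seed coins land at the exchange deposit address, which is the figure an exchange or investigator would use to decide which deposits to freeze.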
As some forms of digital currency (Monero, for example) are more privacy-focused than others, it would make sense that the owners of the tainted Bitcoin would try to swap theirs out. It appears they tried to do just that, although ShapeShift caught on.
“ShapeShift, a digital asset change based in Switzerland, has verified that the WannaCry attacker did breach its terms of service and utilized the services to move a portion of their proceeds of crime,” the company said in a statement. “[As] of today, we have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team, as is our policy for any transactions we deem breach our terms of service. We are closely watching the situation as it continues to unfold as to block any further addresses associated.”
We inquired if the funds had been exchanged for Monero, but a spokesperson declined to “provide more detail due to the ongoing nature of the investigation.”
So why does all this matter? The ransomed cryptocurrency got moved from three pseudonymous accounts to a bunch of other pseudonymous accounts — who cares, right?
Well, while WannaCry is one of the biggest (if not the biggest) cases of ransomware in history, other attackers will surely come for the throne. And when they do, they’re going to ask for payments in cryptocurrency. What happens to this WannaCry money, and whether the perps get away with it, will serve as either a warning or an encouragement to those who follow.
And you can bet your last Bitcoin that others will follow.