
WannaCry-linked Bitcoin wallets emptied: analysts

Screenshot showing a WannaCry ransomware demand, provided by cybersecurity firm Symantec.


THE three Bitcoin wallets linked to the WannaCry malware, which hit hundreds of thousands of networks using Microsoft Corp's operating system in 150 countries, were emptied out last week, analysts have confirmed.

In each case, the tokens were divided into multiple smaller amounts and sent to various other Bitcoin addresses. The wallets contained a total of about 52 BTC, which amounts to around US$140,000, explained Rayna Stamboliyska, an independent cyber risk manager, in an email.

"This morning (on Aug 3), between 3.00 and 3.30 am GMT, the three wallets have been emptied and the money split into further ones," she said.


In May, a large-scale ransomware attack dubbed WannaCry spread malicious software to about 300,000 computers in 150 countries, where access to data was blocked unless a ransom was paid in Bitcoin.

The United Kingdom's National Health Service, FedEx Corp, Nissan Motor Co and Renault were among entities impacted. The fallout for European companies affected in global cyberattacks has proven costly.

Orla Cox, director of security response at Symantec, said there is no way of knowing whether it was the WannaCry attackers, or even law enforcement, that accessed the three Bitcoin addresses.

"These addresses may not represent all of the attackers' earnings as WannaCry can generate unique Bitcoin addresses per infection."

Ms Stamboliyska said the money may have been moved in an effort to obscure its origins, much like laundering. "The whole transaction lot is, however, still fresh, so we digital investigators will need some time to follow these breadcrumbs." Indeed, researchers quickly traced the bounty to its next destination.

"We figured out that the authors of WannaCry 2's ransomware moved Bitcoins they got from the last attack to another cryptocurrency called Monero," said Alberto Ornaghi, a cybersecurity researcher at Milan-based Neutrino, a company specialising in Bitcoin intelligence.

The conversion pattern scheme - using a range of 1-1.5 Bitcoins for each conversion transaction - is the same one used with WannaCry 1 ransomware and the cryptocurrency conversion service used is called, Mr Ornaghi added in a phone interview. "Knowing the destination of these Bitcoins and the conversion service the WannaCry authors used could allow law enforcement to figure out their real identities," he said. "The conversion is still continuing and we are closely monitoring it." BLOOMBERG