This weekend’s massive cyberattack has made the as-yet unidentified attacker behind it more than $49,000 (£37,900) — but they’re going to have a hard time claiming it.
On Friday, computers around the world were hit with a devastating piece of ransomware — malicious software that encrypts the victim’s data then demands a bounty ($300, in this case) to unlock it again.
With the help of a leaked software exploit developed by the NSA, it spread to at least 150 countries around the world, wreaking havoc everywhere from Britain’s National Health Service (where it shut down hospitals and cancelled operations) to Spanish telecoms giant Telefónica.
Ransomware bounties are generally paid in bitcoin, a digital currency that keeps its users anonymous. But bitcoin is also traceable — every transaction is written on a public ledger (called the “blockchain”), meaning you can trace any payments throughout the network. Analysis from experts has found that the “WannaCry” ransomware directed ransoms to be paid towards three “wallets.”
By examining these wallets, you can see exactly how much has been paid so far. As of writing, it’s $49,603-worth of bitcoin, with new payments coming in regularly, and no attempts to move the funds or cash out yet.
— Ransom Tracker (@ransomtracker) May 15, 2017
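To make the tracing point concrete, here is an added example in Python (not code from the article or from Ransom Tracker): it tallies what a set of watched ransom addresses have received and then follows any outflow hop by hop across a ledger. The wallet labels and transactions are constructed placeholders, not the real WannaCry addresses or transactions.

```python
from collections import deque

SAT = 100_000_000  # satoshis per bitcoin; integer amounts avoid float drift

# Placeholder labels for the three ransom addresses (the real ones are not reproduced here).
RANSOM_WALLETS = {"ransom-A", "ransom-B", "ransom-C"}

# Constructed sample ledger, not real WannaCry transactions. Each transaction lists the
# (address, satoshis) it spends from and the (address, satoshis) outputs it creates.
LEDGER = [
    {"txid": "t1", "inputs": [("victim-1", 17_000_000)], "outputs": [("ransom-A", 17_000_000)]},
    {"txid": "t2", "inputs": [("victim-2", 17_000_000)], "outputs": [("ransom-B", 17_000_000)]},
    {"txid": "t3", "inputs": [("ransom-A", 16_000_000)], "outputs": [("mixer-1", 16_000_000)]},
    {"txid": "t4", "inputs": [("mixer-1", 15_000_000)], "outputs": [("exchange-1", 15_000_000)]},
]


def wallet_totals(ledger, watched):
    """Satoshis received by, and still held in, each watched address (account-style tally)."""
    received = {a: 0 for a in watched}
    spent = {a: 0 for a in watched}
    for tx in ledger:
        for addr, sats in tx["outputs"]:
            if addr in watched:
                received[addr] += sats
        for addr, sats in tx["inputs"]:
            if addr in watched:
                spent[addr] += sats
    balance = {a: received[a] - spent[a] for a in watched}
    return received, balance


def trace_outflows(ledger, watched):
    """Follow money leaving the watched wallets hop by hop (breadth-first over the ledger).
    Returns the downstream addresses reached and the (txid, from, to, sats) moves in hop order."""
    tainted = set(watched)
    queue = deque(sorted(watched))
    moves = []
    while queue:
        addr = queue.popleft()
        for tx in ledger:
            if any(src == addr for src, _ in tx["inputs"]):
                for dst, sats in tx["outputs"]:
                    moves.append((tx["txid"], addr, dst, sats))
                    if dst not in tainted:
                        tainted.add(dst)
                        queue.append(dst)
    return tainted - set(watched), moves


if __name__ == "__main__":
    received, balance = wallet_totals(LEDGER, RANSOM_WALLETS)
    print("received BTC:", {a: r / SAT for a, r in sorted(received.items())})
    downstream, moves = trace_outflows(LEDGER, RANSOM_WALLETS)
    print("funds moved:" if moves else "no outflows yet", moves)
```

On a real chain the same loops run over transactions pulled from a block explorer or a local node, with the ransom addresses as the watch list.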
This figure is likely to continue to rise as people come into offices around the world on Monday and turn on already-infected computers for the first time.
So has the unknown attacker just made a cool fifty grand? Not necessarily. Information security professionals across the globe are watching the three wallets like hawks, and are certain to try and track it wherever it goes. (It hasn’t been touched so far.)
And then there’s law enforcement, who — because of the sheer scale of the attack — are going to be seriously motivated to get to the bottom of it.
“There is definitely a sweet spot for leveraging online crimes. You want to use scale to make money, not enough scale to get LE [law enforcement] to wake up,” Facebook’s chief security officer Alex Stamos tweeted on Saturday.
“‘Hospitals can’t operate’ is the kind of fact pattern that changes the calculus on assumptions like ‘I’ll never get extradited’.”
He went on: “You see this most often in issues involving child safety, where intentionally obstinate countries all the sudden rediscover LE capabilities. Won’t name names, but there is a TLA police force that can never find their domestic hackers, but for kidnapping becomes terrifyingly good. In the end, many cops are parents, no matter their political masters. Will be interesting to see if this situation triggers same impetus. This has also potential to kick in quiet IC/LE [intelligence community/law enforcement] cooperation. Much easier to hide cryptocurrency tumbling from Met Police than GCHQ.”
Or as ABC contributor Patrick Gray tweeted: “Whoever did this just became a global LE priority. They’d be well advised to just publish decryption keys and walk away. For real. Also, these attackers might not realise that telcos and hospitals are critical infrastructure. That makes it official SIGINT agency business.”
He added: “So it won’t just be the FBI coming after them, but NSA/GCHQ/GCSB/ASD/CSE as well. That’s not a recipe for a peaceful life.”
In other words, the WannaCry attack has, in a strange way, been too successful.
Had it just been another moderately effective ransomware campaign, it might have flown under the radar. It certainly wouldn’t be receiving the global coverage this weekend’s attack has. But once it started forcing children’s ambulances to get redirected, it changed the game.
May 15, 2017 at 06:21PM
from Rob Price