WannaCry crooks cash out their ransom

When the WannaCry malware came out, it had two major functions: it was a worm, so it spread from computer to computer automatically, and it was ransomware.

The fee it demanded was typically $300, converted into Bitcoin (BTC) and sent to one of several bitcoin addresses.

Bitcoin is pseudonymous rather than anonymous: a bitcoin address doesn’t include your name, an account number or any other PII (personally identifiable information), but every transaction involving it is visible to everyone.

But the amount of money attached to a bitcoin address is a matter of public record – indeed, the Bitcoin transaction ledger, or blockchain, has to be public so that everyone can verify an append-only history of who paid whom, which is what stops anyone claiming bitcoins they don’t own or spending the same bitcoin twice.

In other words, once a bitcoin address is connected to a specific event, such as a ransomware outbreak, anyone can track how much money is coming in and going out, even though the account holder is unknown.

To the likely surprise of the crooks, most WannaCry victims refused to pay, so that the crooks’ bitcoin wallets were plump but not bulging, topping out at about $150,000 by the end of the malware outbreak.

After the malware died down, the crooks left those bitcoins alone, perhaps fearing the attention that withdrawals from the tainted wallets might attract.

Until… a Twitter account that was keeping an eye on the WannaCry revenue reported a series of withdrawals leaving the balance at $0.

What next?

We don’t know, and we might never find out the who or why if the withdrawals are successfully laundered.

In the case of bitcoin this is typically achieved using a so-called “tumbler” service.

For a fee, tumblers pool your bitcoins with other users’ coins and pay them back out through a sequence of intermediate addresses, rather as Tor shunts your network traffic through a random set of computers to disguise where it really came from.

Criminals use them because, if law enforcement can link a wallet known to have been involved in a crime to some other action online that reveals even a sliver of the owner’s PII, there is a chance of unmasking the crooks.
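The two points above – that a public ledger lets anyone total the money flowing through an address once that address is tied to an event, and that a mixing step blunts the trace – can be shown on a toy ledger. The following is an added example, not code from the Naked Security article or from Sophos: the transactions, addresses (RANSOM_A, sweep_1, mix_out_N, exchange_deposit_9 and so on) and amounts are constructed, and a real analysis would walk the actual Bitcoin transaction graph instead. It implements two standard taint-propagation rules, “poison” (any output of a transaction that spends tainted coins is fully tainted) and “haircut” (each output inherits the tainted fraction of the inputs), and shows how a mixing transaction with unrelated inputs widens the candidate set and dilutes the fraction.

```python
"""Tracing funds from known addresses across a public ledger.

Added example (not from the article).  Constructed ledger in satoshis;
address names and amounts are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction

SAT = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((address, satoshis), ...)
    outputs: tuple  # ((address, satoshis), ...)


# Addresses publicly linked to the event (constructed, not WannaCry's real ones).
SEED_ADDRESSES = {"RANSOM_A", "RANSOM_B"}

# Constructed ledger, chronological.  Three victims pay the two ransom
# addresses; the crooks sweep both into one address, push it through a mixing
# transaction alongside unrelated coins, and one mixer output is deposited at
# an exchange.  t4 is unrelated traffic.  Input/output gaps are miner fees.
LEDGER = (
    Tx("t1", (("victim_1", 20_000_000),), (("RANSOM_A", 19_000_000),)),
    Tx("t2", (("victim_2", 25_000_000),), (("RANSOM_A", 24_000_000),)),
    Tx("t3", (("victim_3", 20_000_000),), (("RANSOM_B", 19_000_000),)),
    Tx("t4", (("alice", 100_000_000),), (("bob", 99_000_000),)),
    Tx("t5", (("RANSOM_A", 43_000_000), ("RANSOM_B", 19_000_000)),
             (("sweep_1", 62_000_000),)),
    Tx("t6", (("sweep_1", 62_000_000), ("bob", 99_000_000), ("carol", 39_000_000)),
             (("mix_out_1", 50_000_000), ("mix_out_2", 50_000_000),
              ("mix_out_3", 50_000_000), ("mix_out_4", 50_000_000))),
    Tx("t7", (("mix_out_3", 50_000_000),), (("exchange_deposit_9", 49_000_000),)),
)


def address_totals(ledger, address):
    """What the public ledger reveals about one address:
    (satoshis received, satoshis spent, current balance)."""
    received = sum(amt for tx in ledger for addr, amt in tx.outputs if addr == address)
    spent = sum(amt for tx in ledger for addr, amt in tx.inputs if addr == address)
    return received, spent, received - spent


def poison_trace(ledger, seeds):
    """'Poison' rule: every output of a transaction that spends from a tainted
    address becomes tainted.  One pass suffices because the ledger is ordered."""
    tainted = set(seeds)
    for tx in ledger:
        if any(addr in tainted for addr, _ in tx.inputs):
            tainted.update(addr for addr, _ in tx.outputs)
    return tainted


def haircut_trace(ledger, seeds):
    """'Haircut' rule: each output inherits the fraction of the transaction's
    input value that was tainted.  Funds paid to a seed address count as fully
    tainted, since that payment is the event linking them.  Returns
    {address: (tainted_satoshis, total_satoshis_received)} for addresses that
    received any tainted value.  Exact arithmetic via Fraction."""
    received = defaultdict(lambda: [0, 0])  # address -> [tainted, total]

    def fraction(addr):
        tainted, total = received[addr]
        return Fraction(tainted, total) if total else Fraction(0)

    for tx in ledger:
        total_in = sum(amt for _, amt in tx.inputs)
        tainted_in = sum(amt * fraction(addr) for addr, amt in tx.inputs)
        frac = tainted_in / total_in
        for addr, amt in tx.outputs:
            received[addr][0] += amt if addr in seeds else amt * frac
            received[addr][1] += amt
    return {addr: (t, total) for addr, (t, total) in list(received.items()) if t > 0}


if __name__ == "__main__":
    for addr in sorted(SEED_ADDRESSES):
        print(addr, address_totals(LEDGER, addr))
    print("poison-tainted:", sorted(poison_trace(LEDGER, SEED_ADDRESSES)))
    for addr, (tainted, total) in haircut_trace(LEDGER, SEED_ADDRESSES).items():
        print(f"{addr:20s} {float(tainted) / SAT:.4f} of {total / SAT:.2f} BTC "
              f"tainted ({Fraction(tainted, total)})")
```

Before the mixing transaction the trace is unambiguous (sweep_1 is 100% ransom money); after it, the poison rule flags all four mixer outputs as equally suspect and the haircut rule says each of them, and the exchange deposit downstream, is only 31% ransom-derived. That ambiguity is the whole point of a tumbler, and it is why investigators lean on off-chain links such as exchange KYC records rather than on the graph alone.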

Journalist Patrick O’Neill of CyberScoop is reporting that rather than being tumbled, the ill-gotten bitcoins have been converted into another cryptocurrency, Monero, on the ShapeShift.io exchange.

Unlike Bitcoin, Monero keeps the sending address, receiving address and amount of each transaction secret.

O’Neill reports that the exchange has now blocked the addresses used by WannaCry and is “engaging and assisting law enforcement”.

Curiouser and curiouser, said Alice.

from Naked Security – Sophos http://bit.ly/2wtwW8E
