WannaCry hackers have not withdrawn any ransom bitcoin, surveillance shows
With the help of leaked software developed by the National Security Agency (NSA), malicious ransomware called the Wanna Decryptor – or WannaCry – spread to 150 countries.
It wreaked havoc on systems belonging to Britain’s National Health Service (NHS), where hospital computers were shut down and operations cancelled. Other victims included a Spanish telecommunications company and a Russian cell phone operator.
The malware instructs people to pay up to £460 to one of three bitcoin addresses in order to retain their files, and also displays a countdown clock giving a deadline for the payments.
The hackers, who have locked files on 200,000 computers worldwide, have only made around $500,000 so far, despite the magnitude of the attack. Britain’s National Crime Agency (NCA) is urging victims not to pay the ransom.
Nothing has yet been withdrawn from any of the bitcoin accounts, and law enforcement agencies watching them say the perpetrators could be difficult to trace until they access some of the ransom money.
Ransomware ransoms are usually paid in bitcoin, a digital currency that keeps its users anonymous. Bitcoin is also traceable, however, as every transaction is tied to publicly accessible accounts, typically called wallets. The wallets show each payment that victims have sent in hopes of regaining access to their files.
New payments are coming in regularly, according to Ransom Tracker, a Twitter bot that is sending out automated messages and posting every time a payment is made to one of the three bitcoin addresses.
Oliver Gower, the deputy director of the NCA’s national cybercrime unit, has vowed to track down the hackers.
“Cybercriminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice,” he told the Times.
Rob Wainwright, the director of Europol, told the newspaper that security officials believe the hack is the work of criminals, rather than a state-sponsored attack.
“Our working assumption, as with every other major ransomware attack, is that this is a cybercriminal attack. Unless we have something definitive to point us in another direction that’s our assumption at the moment. As in any investigation, we keep our mind open.”