Ransomware hackers yet to cash in payments
16 May 2017
The hackers behind Friday's global cyber attack have yet to cash in on their ransom payments, according to the experts helping to track them down.
Chainalysis, a private company based in New York and Copenhagen that works with international law enforcement agencies to track money launderers and cyber criminals, has found that since Friday, 210 payments totalling 56,000 US dollars (£43,407) have been made to decrypt approximately 185 machines.
The single largest amount paid appears to be approximately 3,300 US dollars (£2,558).
However, the hackers have not yet attempted to move the funds that have been paid into three addresses.
There is also currently no evidence that any victims who paid the ransom have received a decryption key.
Jonathan Levin, co-founder of Chainalysis, said this could be because the hackers are inexperienced and unsure how to launder the Bitcoin payments.
He also warned that the malware has only been temporarily stalled.
Chainalysis is currently monitoring the bitcoin payments made to the WannaCry ransomeware hackers in a bid to track them down.
Bitcoin is a virtual currency created in 2009 and is being increasingly used to move criminal proceeds.
Chainalysis provides investigation software to law enforcement around the world to help track Bitcoin payments.
It also works closely with the United Nations Office on Drugs and Crime (UNODC), which is headed up by Northern Ireland man Neil Walsh, and delivers its leading crypto-currency investigation course.
"We estimate that the attackers are relatively unskilled, and are probably unprepared for the impact their malware turned out to have. It is quite possible that they are unsure how to launder the Bitcoin funds safely," the company said.
It added that the result of this attack has been a relatively low payout rate among the infected, which might be due to the lack of credibility for decrypting the files.
The company also said that the geographic spread of the infections is unusual, with many known victims in Ukraine and Russia, countries that are often exempted in ransomware campaigns.
“Due to the attackers’ apparent inexperience, it is not unlikely that they will leave the Bitcoin funds untouched, or that they will try to launder them in an ineffective way. We will certainly keep a very close eye on this particular money trail,” the company said.
Mr Levin said they are actively monitoring the money trail and “would ideally be able to track the payments to the intermediary, who would facilitate the movement from Bitcoin into local currencies”.
“Cyber criminals are normal people with mortgages and lifestyles and don’t generally like sitting on assets as volatile as Bitcoin,” he added.
Mr Levin also warned that although the spread of Friday’s variant of malware has been prevented, other people or the authors themselves could easily re-write and redistribute.
He said: “So the machines that have the vulnerability should be patched because someone could easily start another campaign with no kill switch.
“So I would say that people taking advantage of this particular vulnerability have only been temporarily stalled.”