Sophos Cloud Optix
When the WannaCry malware came out, it had two major functions: it was a worm, so it spread from computer to computer automatically, and it was ransomware.
The fee it demanded was typically $300, converted into Bitcoin (BTC) and sent to one of several bitcoin addresses.
Bitcoin is sort-of anonymous: in particular, a bitcoin address doesn’t include your name, or an account number, or any other PII (personally identifiable information).
But the amount of money attached to a bitcoin address is a matter of public record – the Bitcoin transaction ledger, or blockchain, is public, and tells you the sending address, the receiving address and the amount of each transaction.
In other words, once a bitcoin address is connected to a specific event, such as a ransomware outbreak, anyone can track how much money is coming in and going out, even though the account holder is unknown.
To the likely surprise of the crooks, most WannaCry victims refused to pay, so that the crooks’ bitcoin wallets were plump but not bulging, topping out at about $150,000 by the end of the malware outbreak.
After the malware died down, the crooks left those bitcoins alone, perhaps fearing the attention that withdrawals from the tainted wallets might attract.
Until… a Twitter account that was keeping an eye on the WannaCry revenue reported a series of withdrawals leaving the balance at $0.
https://twitter.com/actual_ransom/status/893297013328138242
What next?
We don’t know, and we might never find out the who or why if the withdrawals are successfully laundered.
In the case of bitcoin this is typically achieved using a so-called “tumbler” service.
For a fee, tumblers shunt bitcoins through a random sequence of accounts, rather like Tor shunts your network trafic through a random set of computers to disguise what’s really going on.
Criminals use them because, if law enforcement can link a wallet known to have been involved in a crime to another action online that reveals a sliver of the owner’s PII, then they have a chance of unmasking the crooks.
Journalist Patrick O’Neill of CyberScoop is reporting that rather than being tumbled, the ill-gotten bitcoins have been converted into another cryptocurrency, Monero, on the ShapeShift.io exchange.
Unlike Bitcoin, Monero keeps the sending address, receiving address and amount of each transaction secret.
O’Neill reports that the exchange has now blocked the addresses used by WannaCry and is “engaging and assisting law enforcement”.
Curiouser and curiouser, said Alice.
Pretty sure if the name attached to these transactions is uncovered, it’ll be DB Cooper.
I think it’s misleading to say the Bitcoin blockchain has to be public in order for everyone to verify the Bitcoin transactions. The transparency of the bitcoin ledger was simply a decision made by the developers. Look at Monero for instance, public ledger with built in privacy.
Yes, you’re right – I’ve changed it.
When I read it back I found my original paragraph about the Bitcoin blockchain rather wordy anyway – so I got two improvements for the price of one…thanks 🙂