WannaCry crooks cash out their ransom

Empty suitcase

When the WannaCry malware came out, it had two major functions: it was a worm, so it spread from computer to computer automatically, and it was ransomware.

The fee it demanded was typically $300, converted into Bitcoin (BTC) and sent to one of several bitcoin addresses.

Bitcoin is sort-of anonymous: in particular, a bitcoin address doesn’t include your name, or an account number, or any other PII (personally identifiable information).

But the amount of money attached to a bitcoin address is a matter of public record – the Bitcoin transaction ledger, or blockchain, is public, and tells you the sending address, the receiving address and the amount of each transaction.

In other words, once a bitcoin address is connected to a specific event, such as a ransomware outbreak, anyone can track how much money is coming in and going out, even though the account holder is unknown.

To the likely surprise of the crooks, most WannaCry victims refused to pay, so that the crooks’ bitcoin wallets were plump but not bulging, topping out at about $150,000 by the end of the malware outbreak.

After the malware died down, the crooks left those bitcoins alone, perhaps fearing the attention that withdrawals from the tainted wallets might attract.

Until… a Twitter account that was keeping an eye on the WannaCry revenue reported a series of withdrawals leaving the balance at $0.


What next?

We don’t know, and we might never find out the who or why if the withdrawals are successfully laundered.

In the case of bitcoin this is typically achieved using a so-called “tumbler” service.

For a fee, tumblers shunt bitcoins through a random sequence of accounts, rather like Tor shunts your network trafic through a random set of computers to disguise what’s really going on.

Criminals use them because, if law enforcement can link a wallet known to have been involved in a crime to another action online that reveals a sliver of the owner’s PII, then they have a chance of unmasking the crooks.

Journalist Patrick O’Neill of CyberScoop is reporting that rather than being tumbled, the ill-gotten bitcoins have been converted into another cryptocurrency, Monero, on the ShapeShift.io exchange.

Unlike Bitcoin, Monero keeps the sending address, receiving address and amount of each transaction secret.

O’Neill reports that the exchange has now blocked the addresses used by WannaCry and is “engaging and assisting law enforcement”.

Curiouser and curiouser, said Alice.