Hackers Behind Massive Ransomware Attack Have Made an Embarrassingly Small Amount of Money

By Rhett Jones

The WannaCry ransomware attack that spread around the globe yesterday caused chaos at hospitals, manufacturing shutdowns, headaches for Microsoft, and overtime for cybersecurity professionals. But the hackers responsible for this absurd attack have made relatively little in the way of profits.

According to an analysis by respected security researcher Brian Krebs, the hackers have thus far only pulled in about $26,000 (around £21,170) for perpetrating what is believed to be one of the largest ransomware attacks in history. With the initial charge to unlock users’ data set at a very reasonable $300 (around £230), the hackers would have to get a payout from a lot of victims to hit the billion-dollar figure that some were initially predicting. From Krebs on Security:

According to a detailed writeup on the Wana ransomware published Friday by security firm Redsocks, Wana contains three bitcoin payment addresses that are hard-coded into the malware. One of the nice things about Bitcoin is that anyone can view all of the historic transactions tied to a given Bitcoin payment address. As a result, it’s possible to tell how much the criminals at the helm of this crimeware spree have made so far and how many victims have paid the ransom.

A review of the three payment addresses hard-coded into the Wana ransomware strain indicates that these accounts to date have received 100 payments totaling slightly more than 15 Bitcoins — or approximately $26,148 at the current Bitcoin-to-dollars exchange rate.

Krebs notes that the hackers may have other Bitcoin addresses that researchers are unaware of, but there’s no evidence of that at this time. What’s interesting is that figure divided by 100 payments comes out to $261.84. Unless some other factor is involved, it would appear that the criminals are cutting some people a deal. The page that appears on victims’ screens offers a way for them to contact the hackers, so maybe they’re negotiating? Here’s a low-quality video of the malware in action:

The total ransom figure is still increasing; the New York Times is reporting that $33,000 (around £25,600) has been deposited in the Bitcoin accounts. The ransom is set to double after a few days, and the malware threatens to permanently lock victims out of their data after seven days. We could simply be in a holding pattern while victims are scrambling to figure out if there’s another way to recover their data.
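The public-ledger tally Krebs describes above (count payments to the hard-coded addresses, sum them, convert to dollars) and the doubled-ransom tier mentioned here can be reproduced as a small script. This is an added illustration, not code from the article or from Krebs; the addresses, transactions and BTC/USD rate are all constructed placeholders, and it adds a check the article only hints at: sorting each payment into the $300 tier, the doubled $600 tier, or an off-tier bucket that would explain an average below the asking price.

```python
from collections import defaultdict

# Constructed sample values: placeholder ransom addresses (not the real
# hard-coded WannaCry addresses) and an assumed BTC/USD rate.
RANSOM_ADDRESSES = {"RANSOM_ADDR_1", "RANSOM_ADDR_2", "RANSOM_ADDR_3"}
BTC_USD = 1740.0            # assumed exchange rate for the illustration
TIERS_USD = (300.0, 600.0)  # initial demand and the doubled demand
TOLERANCE = 0.10            # +/-10% slack for rate drift and fees

# Constructed incoming transactions: (txid, destination, amount_btc, time).
# A real review would pull these from a block explorer or a full node.
SAMPLE_TXS = [
    ("tx01", "RANSOM_ADDR_1", 0.1724, "2017-05-12T11:03:00"),
    ("tx02", "RANSOM_ADDR_2", 0.1700, "2017-05-12T14:40:00"),
    ("tx03", "RANSOM_ADDR_3", 0.3450, "2017-05-15T09:12:00"),
    ("tx04", "RANSOM_ADDR_1", 0.0500, "2017-05-13T08:00:00"),
    ("tx05", "UNRELATED_ADDR", 2.0000, "2017-05-13T08:05:00"),
]

def classify(usd):
    """Map a payment to the demand tier it matches, or flag it as off-tier."""
    for tier in TIERS_USD:
        if abs(usd - tier) <= tier * TOLERANCE:
            return f"${tier:.0f}"
    return "off-tier"

def tally(txs, addresses=RANSOM_ADDRESSES, rate=BTC_USD):
    """Aggregate payments to the ransom addresses, ignoring unrelated outputs."""
    per_addr = defaultdict(lambda: {"payments": 0, "btc": 0.0})
    tiers = defaultdict(int)
    for _txid, dest, btc, _ts in txs:
        if dest not in addresses:
            continue  # not one of the wallets embedded in the malware
        per_addr[dest]["payments"] += 1
        per_addr[dest]["btc"] += btc
        tiers[classify(btc * rate)] += 1
    payments = sum(a["payments"] for a in per_addr.values())
    btc = sum(a["btc"] for a in per_addr.values())
    return {
        "payments": payments,
        "btc": round(btc, 8),
        "usd": round(btc * rate, 2),
        "avg_usd": round(btc * rate / payments, 2) if payments else 0.0,
        "tiers": dict(tiers),
        "per_address": dict(per_addr),
    }

if __name__ == "__main__":
    print(tally(SAMPLE_TXS))
```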

As we reported this morning, a young man in the U.K. going by the name MalwareTech stumbled on a kill switch that briefly stopped the spread of the ransomware. According to new reports, the hackers have updated the malware and it’s back in action. With thousands of infections identified in over 100 countries, it will be difficult to get all of the systems patched and put an end to this for good. Some experts believe that WannaCry will likely be around for many years to come.

Only time will tell if the hackers have failed in their endeavor to squeeze a ton of cash out of helpless strangers. It’s possible that we aren’t dealing with particularly sophisticated operators here, but they don’t even need to be. WannaCry/WannaCrypt originates from a set of hacking tools built by the NSA that was dumped online by a group known as the Shadow Brokers. It’s become much easier for novices to weaponise ransomware in recent years, and there’s even the option to use what’s known as “ransomware as a service.” In that case, anyone can visit a website to order up a piece of ransomware. If the target pays the ransom, the service takes a cut of the bitcoin.

Estimates from 2012 showed that only three per cent of people who were targeted by ransomware paid, but that number has reportedly grown closer to 50 per cent. Researchers from Crypsis Group say the median amount for a requested ransom is about $7,000 (around £5,430). The WannaCry hackers could definitely still bring in a lot of Bitcoin gold.

Information on how to protect yourself can be found here and here.

[Krebs on Security, New York Times, The Hacker News, Redsocks]