Nearly three months after the WannaCry ransomware outbreak, hackers have finally started to move money from their digital wallets. The ransomware attack affected businesses in over 150 countries, including a chaotic attack on the UK's NHS and Spain's Telefonica.
Over $143,000 worth of bitcoins paid by victims of the WannaCry ransomware have been removed from three bitcoin wallets that are known to be associated with WannaCry. While cybersecurity experts advised victims not to pay the ransom money, apparently many did pay up to get their data back.
WannaCry cashout starts - law enforcement follows the money trail
The WannaCry outbreak affected a number of businesses as hackers locked up data and demanded ransoms. Law enforcement and the security community believe that nearly 300,000 computers were targeted in the WannaCry attack. Victims were asked to pay between $300 and $600 to get access to their systems back.
Tracking companies have reported that the attackers have been moving funds between July 24 and August 3 from the three wallets that have been associated with the ransomware. In total, around $143,000 (52.2 BTC) worth of bitcoin was withdrawn according to Elliptic, a London-based startup that helps law enforcement track down criminals using cryptocurrency. The company confirms that the last withdrawal made at 3:25 am on Thursday cleared all the money from the wallets that was sent by WannaCry victims, as the balance of all of the wallets is now zero.
The cryptocurrency tracking firm believes that the criminals are now converting this money into Monero. "We're following the movement of funds being sent out of the WannaCry wallets," Elliptic co-founder Tom Robinson told CNBC.
"We believe some of these funds are being converted into Monero, a privacy-focused cryptocurrency. We continue to work with law enforcement to support their efforts in tracing ownership of these funds."
Criminals also get a 20% bonus thanks to bitcoin split
The recent bitcoin split also helped WannaCry hackers get an extra 20% on top of the $143,000 worth of their extorted bitcoins. The split broke bitcoin into two cryptocurrencies: bitcoin and bitcoin cash. With this split, everyone received the same number of coins that they had in bitcoin in the new bitcoin cash currency too.
With ~50 BTC in their accounts when they cleared these three wallets, hackers would get around $143,000 if they decide to liquidate these coins, and then $25,000 from 50 bitcoin cash coins, as well.
However, WannaCry hackers might find it difficult to surreptitiously liquidate their coins. The ransomware attack has been previously linked to North Korea and is believed to be politically driven. Law enforcement is closely monitoring the movements, and even though it was previously believed that bitcoin is anonymous, the latest arrests and the takedown of dark net marketplaces have made it clear that it is anything but.
Hackers could also pay for dark web services to "leave less of a digital paper trail," Andy Patel of F-Secure told BBC. "I wouldn't imagine that they are going to try and turn those bitcoins into real money. If they do, it's going to give someone a way to track them to an actual person."
Powered by a leaked NSA exploit, WannaCry started a new streak of ransomware attacks that was followed by the Petya outbreak. Last week at the Black Hat conference, Google revealed that 95% of all ransomware payments were cashed out via BTC-e. The major bitcoin exchange is currently offline after its alleged Russian founder was arrested in Greece. Many hope that these arrests and the possibility of LEAs tracking the coins back to the WannaCry culprits would put a temporary stop to the exponentially developing ransomware industry.