The three bitcoin wallets that are linked to the WannaCry malware, which hit hundreds of thousands of networks using Microsoft Corp.’s operating system in 150 countries, were emptied out Thursday morning, analysts have confirmed.
In each case, the tokens were divided into multiple smaller amounts and sent to various other bitcoin addresses. The wallets contained a total of about 52 BTC, worth around $140,000, Rayna Stamboliyska, an independent cyber-risk manager, explained in an email. "This morning, between 3:00 and 3:30 AM GMT, the three wallets have been emptied and the money split into further ones," she said.
In May, a large-scale ransomware attack dubbed WannaCry spread malicious software to about 300,000 computers in 150 countries, blocking access to data unless a ransom was paid in bitcoin. The United Kingdom’s National Health Service, FedEx Corp., Nissan Motor Co. and Renault were among the entities affected. The fallout for European companies affected in global cyberattacks has proven costly.
Orla Cox, director of security response at Symantec, said there is no way of knowing whether it was the WannaCry attackers, or even law enforcement, that accessed the three Bitcoin addresses. "These addresses may not represent all of the attackers’ earnings as WannaCry can generate unique bitcoin addresses per infection."
Stamboliyska said the money may have been moved in an effort to obscure its origins, much like laundering. "The whole transaction lot is, however, still fresh, so we digital investigators will need some time to follow these breadcrumbs."
Indeed, researchers quickly traced the bounty to its next destination.
"We figured out that the authors of WannaCry 2’s ransomware moved bitcoins they got from the last attack to another cryptocurrency called Monero," said Alberto Ornaghi, a cybersecurity researcher at Milan-based Neutrino, a company specializing in bitcoin intelligence.
The conversion pattern, a range of 1-1.5 bitcoins for each conversion transaction, is the same one used with the WannaCry 1 ransomware, and the cryptocurrency conversion service used is called ShapeShift.io, Ornaghi added in a phone interview.
"Knowing the destination of these bitcoins and the conversion service the WannaCry authors used could allow law enforcement to figure out their real identities," Ornaghi said. "The conversion is still continuing and we are closely monitoring it."