On Wednesday some very interesting and seemly unrelated events happened in regards to Wannacry. First Marcus Hutchins (AKA @Malwaretech), the security researcher who discovered the kill switch and stopped the spread of Wannacry was arrested whilst returning to the UK from Las Vegas- on suspicion of creating malware (covered here).
But the second event which will be covered in the article related to an event that seemed to of passed most of Twitter and the internet by. The WannaCry wallets from the orchestrators behind the ransomware outbreak (that famously affected companies globally including the NHS), were emptied to the tune of $143,000. Interestingly the Bitcoin generated through ransom payments from the global attack had not been touched until Wednesday.
A twitter bot created by Quartz, to monitor the wallets for payments during the original outbreak, first noticed the activity at 11:10pm ET, according to the twitter account a total of $70,000 was withdrawn from the following three transactions:
7.34128314 BTC ($20,055.52 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/wX2k9pJLNQ
— actual ransom (@actual_ransom) August 3, 2017
8.73261636 BTC ($23,856.48 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/KRxgNpBGgz
— actual ransom (@actual_ransom) August 3, 2017
9.67641378 BTC ($26,434.83 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/CJLiu6cyvr
— actual ransom (@actual_ransom) August 3, 2017
Source QZ.com
The twitter bot the reported only 15 minutes later that the remainder of the monies were moved from the Bitcoin wallets, it is highly likely that these were laundered using a mixing service making it very hard to track the source and destination of the payments through making a high volume of small transactions to a large number of wallets.
Given the orchestrators of the Wannacry outbreak is widely suspected to be the Lazarus Group which have connections to North Korea, the timing and motivation of the BTC exfiltration could be a dig towards Marcus Hutchins, who stopped the spread of the attack, or just a coincidence, at this juncture there is no evidence to call it either way.
But it is also known that Lazarus, in particular, Bluenoroff are a financially motivated group, with the attacks on banks, financial, and trading companies in Bangladesh in 2014 and the now famous $81million Cyber-Heist of the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
In summary, with the attackers behind Wannacry and NotPetya thought by many not to be financially motivated, it seems that even they still could not resist the opportunity to silently move their ill-gotten gains, whist the internet was distracted by other events!
About the author: Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
From a background of threat intelligence, social engineering, and incident response, Stuart Pecks heads up Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organizations on the latest attacker trends facing business today and how to combat them, Stuart’s key areas of expertise include: the dark web, social engineering, malware and ransomware analysis & trends, threat hunting, OSINT, HUMINT and attacker recon techniques.
https://www.linkedin.com/in/itsecurity/
https://twitter.com/cybersecstu
Enjoy Stuart’s talk at Security Scotland Meet Up
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – WannaCry wallet, Bitcoin)
[adrotate banner=”5″]
[adrotate banner=”13″]