WanaCry wallets are growing

konkisko

Level 1
Thread author
Verified
May 13, 2017
21
As it was said, on Monday many workers will come to work and find their computers encrypted. I wanted to check if they will pay hackers. I had a look at three Bitcoin wallets of WanaCry and noticed that during Monday the amount of money significantly increased.
One of the wallets even increased by almost a half before noon.
 

konkisko

It's really saddening to know that people and institutes have no other option (hinted in the above post) than to pay 'em.
@konkisko did you manually verify this from alert screen addresses or is this from an external source? Can you share the source then?
Hi! As all Bitcoin transactions are open, we can see how many bitcoins each wallet received. So data for the WanaCry wallets can be found here:
Bitcoin Address 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Bitcoin Address 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Bitcoin Address 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Yeah, I know about that. I just wanted to confirm whether the data you shared is a part of some article/blog/report or you've extracted the addresses from those nasty WannaCry popups and tried yourself.

At this moment they got in total 30.14 BTC, which is 50,233 USD.
My opinion is that for such a big ransomware it is not a big amount, although
There must be more addresses, won't there be?
 

Parsh

Alright, found an official quote on the same at CNBC:
James Smith, CEO of Elliptic, a London-based start-up that helps law enforcement agencies track criminals using the cryptocurrency, said his company had uncovered that since Friday, around $50,000 worth of bitcoin payments have been made to the hackers by 7 a.m. ET on Monday. This was up from $45,000 at 4 a.m. ET.

"We have seen the number of payments start to go up today," Smith told CNBC Monday.

After 72 hours from when the attack started on Friday, the hackers said the fine would double to $600, and after seven days, the files would be permanently locked.

One of the major reasons for the slow payments is perhaps because many people wouldn't know how to obtain and pay in bitcoin. Obtaining large amounts of the cryptocurrency might take some time, and then setting up an account via a bitcoin wallet and exchange would also require a long onboarding process.
There can thus be a sudden rise, huge or small, when the payers get things clear or when the time limit of getting back files nears or before ransom amount increases (if)..

Thanks for the linked details you shared @konkisko.

Found some interesting difference about its payment -
"Unlike its competitors in the ransomware market, WannaCry doesn't seem to have a way of associating a payment to the person making it. Most ransomware … generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then … wait."
 

konkisko

You are mostly welcome.
Yeah, I also think that there will be a rise in payments upon the time limit. It will be very interesting to watch it.

That is funny yeah. If people will not get their files decrypted, then at least it will be a lesson for them and will teach them to treat computer security better.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Malcoders behind the ransomware want Bitcoin because it is a common opinion that Bitcoin is not trackable.
But it is traceable as regular money. Indeed, thanks to the use of Bitcoin we know exactly how much the WanaCry criminals have earned. If they accepted regular money to put in an anonymous banking account, maybe we wouldn't know anything.
 

konkisko

Is it even possible to trace if criminals use coin mixers and tumblers?
 

Winter Soldier

Sure, Bitcoin mixing prevents tracking of your payments by severing the links between your old address and the new address, sending Bitcoin from you to other people and Bitcoin from them to you. It also randomizes the amount of the transaction and adds some delays to the same transactions.

But it requires a provider that offers the Mixing Bitcoin service.
Probably this provider may keep track of your transactions and communicate them to the authorities in case of criminal activity.


Tumbling is a form of “washing” of Bitcoin that attempts to break the public connections between you and your Bitcoins.
Your Bitcoins will move from your wallet to LocalBitcoins (or any other wallet or exchanger) and then go to the tumbler's portfolio and then to the marketplace's portfolio.

But the Tumbling service and the market will retain a percentage of the coins transferred as fees. To be precise, the Tumbler takes a commission on the amount transferred, while the market takes a small percentage of the purchase price.
Probably about 10%, then: are the criminals willing to lose a percentage of their earnings?
 

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
Bitcoin (and its blockchain implementation) has an inherent "taint" problem, and falls far short of the original concept as proposed by David Chaum.
BTC transactions would be better described as quasi-anonymous (if this were not true there would be no need for mixing services).

The taint concept comes from paper money, where every person who handled it will leave minute traces that indicate where it has been, even DNA!
That taint cannot be washed away, and tumbling and mixing services only serve to obfuscate, they do not entirely remove it.

But it doesn't have to be this way, there are already much better implementations of the ecash concept.
The original work of David Chaum is superb, and I can provide some good links if anyone wants to read more.

BTW, is it just me, or is there a definite smell of script kiddie around this whole episode?

The amount of money in those wallets is TINY considering the scale of the damage done ...
... pocket change to most Ransomware Scummers (I prefer that word to "Scammer")
:)
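
The taint idea from the last post, as an added example that is not part of the original thread: a "haircut" taint calculation over a small transaction graph, showing that pooling a ransom payment with clean funds dilutes the tainted share but never brings it to zero. The ledger, the placeholder names (`RANSOM_ADDR`, `USER_A`, `OUT_1`, ...) and the amounts are constructed for illustration, and fees are ignored.

```python
from fractions import Fraction

# Constructed sample ledger (not real chain data), listed in chain order.
# Each entry: (txid, inputs as (txid, output_index), outputs as (address, satoshi)).
# Assumption: fees are ignored, so inputs and outputs of a transaction balance.
LEDGER = [
    ("pay1",   [], [("RANSOM_ADDR", 18_000_000)]),   # victim payment
    ("clean1", [], [("USER_A", 18_000_000)]),        # unrelated funds
    ("clean2", [], [("USER_B", 36_000_000)]),        # unrelated funds
    # Mixer-style transaction: one tainted input pooled with two clean ones.
    ("mix1", [("pay1", 0), ("clean1", 0), ("clean2", 0)],
     [("OUT_1", 24_000_000), ("OUT_2", 24_000_000), ("OUT_3", 24_000_000)]),
    ("clean3", [], [("USER_C", 24_000_000)]),        # more unrelated funds
    # Second hop: an output of the first mix pooled with clean funds again.
    ("mix2", [("mix1", 0), ("clean3", 0)],
     [("OUT_4", 30_000_000), ("OUT_5", 18_000_000)]),
]

def propagate_taint(ledger, flagged_addresses):
    """Return {(txid, index): taint fraction} under the haircut rule:
    every output of a transaction carries the value-weighted average
    taint of that transaction's inputs."""
    taint, value = {}, {}
    for txid, inputs, outputs in ledger:
        total_in = sum(value[ref] for ref in inputs)
        if total_in:
            tx_taint = sum(Fraction(value[ref]) * taint[ref] for ref in inputs) / total_in
        else:
            tx_taint = Fraction(0)  # funding transaction with no modelled inputs
        for index, (address, amount) in enumerate(outputs):
            ref = (txid, index)
            value[ref] = amount
            # An output paid to a flagged address is fully tainted at source.
            taint[ref] = Fraction(1) if address in flagged_addresses else tx_taint
    return taint

def tainted_value(ledger, flagged_addresses, ref):
    """Satoshi of one output that trace back to the flagged addresses."""
    taint = propagate_taint(ledger, flagged_addresses)
    amounts = {(t, i): amt for t, _, outs in ledger for i, (_, amt) in enumerate(outs)}
    return taint[ref] * amounts[ref]

if __name__ == "__main__":
    for ref, share in propagate_taint(LEDGER, {"RANSOM_ADDR"}).items():
        print(ref, f"{float(share):.3f}")
```

Summed over the outputs that remain unspent, the tainted value still equals the original flagged payment, which is why an analyst can follow it through the pool.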
 