On Wednesday some very interesting and seemingly unrelated events happened in regard to WannaCry. First, Marcus Hutchins (AKA @MalwareTech), the security researcher who discovered the kill switch and stopped the spread of WannaCry, was arrested whilst returning to the UK from Las Vegas, on suspicion of creating malware (covered here).
But the second event, which will be covered in this article, relates to something that seems to have passed most of Twitter and the internet by. The WannaCry wallets belonging to the orchestrators behind the ransomware outbreak (which famously affected companies globally, including the NHS) were emptied to the tune of $143,000. Interestingly, the Bitcoin generated through ransom payments from the global attack had not been touched until Wednesday.
A Twitter bot created by Quartz to monitor the wallets for payments during the original outbreak first noticed the activity at 11:10pm ET. According to the Twitter account, a total of $70,000 was withdrawn in the following three transactions:
The Twitter bot then reported, only 15 minutes later, that the remainder of the monies had been moved out of the Bitcoin wallets. It is highly likely that these were laundered using a mixing service, which makes it very hard to track the source and destination of the payments by splitting them into a high volume of small transactions to a large number of wallets.
Given that the orchestrators of the WannaCry outbreak are widely suspected to be the Lazarus Group, which has connections to North Korea, the timing and motivation of the BTC exfiltration could be a dig at Marcus Hutchins, who stopped the spread of the attack, or just a coincidence; at this juncture there is no evidence to call it either way.
In summary, with the attackers behind WannaCry and NotPetya thought by many not to be financially motivated, it seems that even they still could not resist the opportunity to silently move their ill-gotten gains whilst the internet was distracted by other events!
About the author: Stuart Peck, Head of Cyber Security Strategy, ZeroDayLab
From a background of threat intelligence, social engineering, and incident response, Stuart Peck heads up Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organisations on the latest attacker trends facing business today and how to combat them, Stuart's key areas of expertise include the dark web, social engineering, malware and ransomware analysis and trends, threat hunting, OSINT, HUMINT and attacker reconnaissance techniques.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for some major publications in the field, such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".