Someone on Wednesday began withdrawing Bitcoin from three wallets connected to the WannaCry ransomware attacks.
According to a Twitter bot that tracks the status of each wallet, seven withdrawals were made yesterday starting at around 11 a.m. Eastern time. The wallets contained a little more than a combined $142,000, which was collected as ransom in 383 payments from WannaCry victims around the world.
🚨 7.34128314 BTC ($20,055.52 USD) has just been withdrawn from a bitcoin wallet tied to #wcry ransomware. https://t.co/wX2k9pJLNQ
— actual ransom (@actual_ransom) August 3, 2017
A number of security experts, including those at Kaspersky Lab, have linked the WannaCry attacks to North Korea’s Lazarus Group, an outfit either within that country’s government or acting on its behalf.
The money is a relatively paltry sum given the breadth of the attacks, which were spread out to more than 200 countries. Each of the more than 200,000 computers compromised during and since the attack, which started May 12, were presented with a ransom demand of approximately $300 in Bitcoin in exchange for a decryption key that would unlock any files encrypted during the attack.
WannaCry’s impact globally could have been much worse had a “killswitch” domain not been discovered and registered by U.K. researcher Marcus Hutchins, also known as Malware Tech. In a bizarre twist, Hutchins reportedly has been detained today in Nevada, a week after Black Hat and DEF CON, which he attended. Motherboard reports today that Hutchins the FBI has arrested Hutchins, according to an email from a U.S. Marshal spokesperson. No charges have been made public yet.
Finally located @MalwareTechBlog, he's in the Las Vegas FBI field office. Can anyone provide legal representation?
— Andrew Mabbitt (@MabbsSec) August 3, 2017
Hutchins stopped the WannaCry outbreak after he saw the malware beacon out to a hardcoded URL. The malware, Hutchins discovered, would not execute if the URL responded. Researchers theorized that a response from this URL back to the malware would indicate that it was likely executing in a sandbox and it would terminate.
Hutcins registered the domain, at the time not knowing what the impact might be. His action and those of other researchers who registered similar domains found in subsequent variants blunted the impact of WannaCry.
The fact now that the money is being moved out should heighten white-hat and law enforcement interest in WannaCry once again. The attackers’ next step would be to convert the Bitcoin into another currency without getting caught, essentially laundering it first.
Kaspersky Lab Global Research and Analysis Team researcher Brian Bartholomew said the process is simple, starting with the use of a tumbler or mixer service that would launder dirty Bitcoin, and send clean coins to a new destination wallet, all for a small transaction fee.
“Mixers perform this task in a variety of ways, but most maintain a clean cache and a dirty cache,” Bartholomew explained. “Coins coming in from multiple customers are combined together and small portions are then transferred around multiple wallets, ending up in the clean cache. If the customer requesting the service uses a new ‘unknown’ wallet, the transaction is virtually untraceable (aside from direct law enforcement involvement usually). Once the new wallet receives the clean coins, they can then be cashed out via any number of exchanges.”
Forbes, meanwhile, reports that the attackers are using a Swiss cryptocurrency exchange called ShapeShift to convert their Bitcoin to Monero, an open source cryptocurrency markets itself as untraceable currency.
