Group behind WannaCry attack cashes out ransom money

Group behind WannaCry attack cashes out ransom money
© Getty

The group that perpetrated the WannaCry ransomware attack has withdrawn all its funds from the bitcoin accounts used to collect its ransom. 

The withdrawal was first noted by automated systems monitoring the WannaCry bitcoin accounts. Though bitcoin account owners are largely anonymous, bitcoin publicly displays all transactions and balances.  

WannaCry, which famously breached between hundreds of thousands and millions of computers within a short time frame around May 12, was much more adept at being a destructive force than actual ransomware. 


WannaCry created havoc, damaging systems ranging from FedEx and the Spanish telecom Telefonica, to the Ministry of Internal Affairs in Russia. Britain's National Health Service was so affected that hospitals had to turn away patients. 

Ransomware like WannaCry is intended to encrypt files on a victim's computer and charge them for a decryption key. Basic coding errors and strategic blunders limited its effectiveness as a money-making operation. 

By not providing victims individual bitcoin accounts for each payment, there was no way for WannaCry to know which users had paid which ransoms. Coding errors hindered its ability to infect Windows XP systems. And an email account intended to be used in the attack was quickly deactivated by the free email account hosting service. 

In total, WannaCry netted only $140,000, far less than would be expected by the damage it caused. And that number is slightly inflated. The transaction rate of bitcoin changed from around $1800 per bitcoin to $2800 per bitcoin. Had the price remained flat, the ransomware would have made less than $100,000. 

The three bitcoin accounts used by WannaCry were emptied Wednesday night, with funds being transferred to what is known as a mixer. Mixers are joint accounts allowing anyone to deposit and withdraw bitcoin to and from the same address. That way, there is no direct record showing that any person withdrawing money is involved with the criminal accounts that deposit it. 

Many researchers noted similarities between source code in WannaCry and tools that appear to have been used in conjunction with WannaCry and a North Korean hacking group called Lazarus. 

WannaCry spread through security flaws in Windows that appear to have been discovered by the NSA and were revealed publicly by a leaker or leakers called the TheShadowBrokers.