kraloz - Fotolia

Cyber criminals make it difficult to follow the money

Following the money is a classic technique used by law enforcement to link criminals to crimes by tracing associated financial exchanges, but that may not be easy in the case of the WannaCry attacks

The ransom paid in response to the WannaCry global ransomware attacks in May was considered key to discovering who was behind the attacks by identifying those who collected the money.

The ransom paid into bitcoin wallets has been under surveillance for two-and-a-half months. The funds have now been collected, which should theoretically lead to those behind WannaCry.

More than $140,000 worth of bitcoins has been drained from bitcoin wallets associated with the WannaCry attack that affected more than 200,000 computers in 150 countries.

According to a Twitter bot set up by Quartz journalist Keith Collins, all of the bitcoin wallets linked to the attack were emptied from around 4am UK time today (3 August 2017).

The ransomware demanded between $300 and $600 to restore data encrypted by the WannaCry malware, and the total collected suggests that around 300 victims paid up.

Although standard advice from the security industry and law enforcement is not to pay ransoms because it reinforces and perpetuates the business model, many firms pay out of desperation.

Money trail

Some security commentators have expressed surprise that the funds have been accessed because of the belief that it will provide a money trail to the cyber criminals responsible for the WannaCry attacks.

Some have speculated that instead of attempting to convert the bitcoin into traditional currencies, the cyber criminals will attempt to remain anonymous by using the bitcoin on the deep web, the BBC reported.

Cyber extortionists typically demand payment in bitcoin because they believe it cannot be traced, but in recent years law enforcement has begun using software designed to link bitcoin sources and recipients.

Bitcoin tracking firm Chainalysis is a supplier of technology that enables law enforcement organisations to find the services that cyber criminals are using to convert bitcoin to cash or other digital currencies.

However, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said those behind the WannaCry attacks may have enough resources to avoid discovery.

Read more about WannaCry

  • The National Crime Agency believes the recent WannaCry attacks represent a “signal moment” in terms of awareness of cyber attacks and their real-world impact.
  • Computers running Windows 7 accounted for the biggest proportion of machines infected with the WannaCry ransomware, while NHS suppliers are blamed for hampering patching by NHS trusts.
  • Security advisers are urging organisations to patch their Windows systems to avert a possible second wave of an unprecedented, indiscriminate ransomware attack.
  • A failure by many organisations to take cyber security seriously has long been blamed on the lack of a single significant event to shake things up.

According to Kolochenko, professional cyber criminals have well-established contacts with organised crime, financial institutions and even law enforcement agencies.

“It’s a not a big problem to find a virtually untraceable way for bitcoin laundering. A lot of amateur cyber criminals were traced by various mistakes when they were trying to ‘cash out’, but professionals have different ways to stay in the shadows,” he said.

According to Michael Gronager, CEO and co-founder of Chainalysis, the latest bitcoins to be moved are associated with the more high-profile second wave of WannaCry attacks.

“The funds from the first campaign and the second campaign have gone through digital asset trading firm ShapeShift and into monero, a more anonymous cryptocurrency,” he told Computer Weekly. 

But according to Gronager, approximately $100,000 is still sitting in the wallet of the Wannacry Ransomware 2.

“The actors’ campaign showed a lack of sophistication at the time of transaction as they used static addresses for multiple different victims making it impossible for them to tell which victim had paid. Either they have spent these months learning more about cryptocurrencies or someone is helping them,” he said.

Gronager believes that moving value online - even if more anonymous methods are employed like monero - there is a good chance that over time they will be identified.

“I agree that it is in principle possible to stay anonymous, but over time, the chances for slipping are there, and could lead to an arrest. WannaCry has a whole world of cyber investigators watching,” he said.

However, Gronager said the bigger threat probably lies in moving the funds to jurisdictions that are not willing to collaborate with law enforcement or with a poor infrastructure for oversight. “We have seen $81m being stolen through the Swift network and laundered in Asia - and that didn't involve bitcoin,” he said. 

Read more on Hackers and cybercrime prevention