2017 may be remembered as the year of the botched cyber heist, when mass infections of ransomware variants embarrassed some of the world's largest and most famous organisations but earned their creators little more than notoriety. With mystery surrounding identity and motive, we may never get to the bottom of the full story but we may be able to draw some conclusions by following the money.
WannaCry and the Poisoned Chalice
In May 2017, anyone who hadn't already heard of ransomware was instantly enlightened by news of a global outbreak involving household names such as the NHS, car manufacturer Nissan and telecoms giant Telefonica. Exploiting a previously disclosed vulnerability in Microsoft Windows operating systems, the ransomware strain known as WannaCry was able to spread to over 230,000 machines worldwide with little resistance. On each infected machine the result was the typical encrypted file system and a demand for payment in exchange for a decryption key. In total, there were three bitcoin wallets used in the attack:
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
At the time of writing, these wallets contained a total of £104,803, with, unsurprisingly, the greatest increase in deposits taking place in the first few days after the attack. Income on this scale would usually be viewed as motive enough, were it not for the fact that there has been no withdrawal of funds since the attack. Two things could be deduced from this: either the scale of WannaCry and the limelight it attracted was far greater than intended, turning the wallets into a poisoned chalice watched by law enforcement in multiple countries; or monetary gain was never the true purpose of WannaCry, which was instead designed to cause large-scale disruption.
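Before an address such as the three above goes into a watchlist or a blockchain query, it is worth confirming that it is a well-formed Base58Check string: a single mistyped or transposed character fails the built-in checksum, so the check catches copy-paste errors in published indicators. The following Python is an added example, not code from the original post; it implements Base58Check decoding and the double-SHA-256 checksum and applies it to the three wallets listed here (the function and constant names are the example's own). The known-answer address `1111111111111111111114oLvT2` is the standard encoding of version byte 0x00 followed by twenty zero bytes.

```python
import hashlib
from typing import Dict, List

# Bitcoin's Base58 alphabet: 0, O, I and l are omitted to avoid visual confusion.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The three WannaCry wallets listed in the post.
WANNACRY_WALLETS: List[str] = [
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
]


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes; raises ValueError on a non-alphabet character."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: the first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Append the checksum to a version||hash160 payload and Base58-encode it."""
    return b58encode(payload + checksum(payload))


def classify_address(addr: str) -> str:
    """Return 'p2pkh', 'p2sh' or 'invalid' for a legacy (Base58) bitcoin address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return "invalid"
    if len(raw) != 25:              # 1 version byte + 20-byte hash + 4-byte checksum
        return "invalid"
    payload, cs = raw[:-4], raw[-4:]
    if checksum(payload) != cs:     # any typo or transposition lands here
        return "invalid"
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0], "invalid")


def audit_indicators(addrs: List[str]) -> Dict[str, str]:
    """Classify every address in a list of indicators before they are used."""
    return {a: classify_address(a) for a in addrs}


if __name__ == "__main__":
    for addr, kind in audit_indicators(WANNACRY_WALLETS).items():
        print(f"{addr}  {kind}")
```

The checksum only proves the string is syntactically a valid address, not that it belongs to anyone in particular; attribution still depends on the ledger activity discussed in the rest of the post.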
Despite the publicity, it is interesting to note that the WannaCry yield pales in comparison with earlier, less-reported attacks, again pointing toward a non-monetary motive. CryptoWall, for example, amassed a fortune of $340 million in 2014, and created a separate bitcoin wallet for each victim.
Petya is Pocket Money
The fallout from WannaCry was accompanied by an almost song-like chorus of cybersecurity experts and commentators prophesying that this would not be the last mass-scale ransomware event. They of course proved to be correct. Fast forward to the end of June 2017 and the world was introduced to Petya (one of its many names), a strain of ransomware exploiting the same vulnerability used by WannaCry, with some modifications, including the ability to encrypt the MBR (Master Boot Record) and to use discovered administrative credentials, among others. Based on its limited geographical impact and the method by which it was launched, there is much debate and suspicion that Petya was targeted at Ukrainian businesses and organisations and that it used ransomware as a mask to hide its real intention: disruption. In the case of Petya there is just one known bitcoin wallet:
At its peak this wallet totalled £8,321, which, although low, can be explained by the sole contact email address being shut down, preventing any further payments. Interestingly, the Petya bitcoin wallet, unlike WannaCry's, has seen some activity.
On the 4th of July, two payments of roughly £200 each were made to the websites Pastebin and DeepPaste, following a message posted on both sites offering the private key to decrypt all Petya-encrypted systems in exchange for £200,000 in bitcoin. The offer was accompanied by a message signed with the Petya private key, undoubtedly to prove its authenticity. Later, the remainder of the wallet's contents was moved to another wallet, possibly to a bitcoin laundering service.
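The two patterns the post contrasts, a wallet that only ever receives (WannaCry) and one whose funds move out in small payments and then a bulk transfer (Petya), are exactly what a ledger analyst looks for. The Python below is an added example, not code from the original post: it builds a small address graph from a constructed ledger (the wallet labels, block heights and amounts are placeholders, not real chain data), reports each wallet's peak balance and outflows, and walks forward from a seed address to see where funds go. Function and field names are the example's own.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    height: int   # block height, used here as the time axis
    src: str      # sending address
    dst: str      # receiving address
    sats: int     # amount in satoshi


# Constructed ledger: labels, heights and amounts are placeholders invented for
# the example; they mimic the two wallet patterns described in the post.
LEDGER: List[Tx] = [
    # ransom payments into an active wallet, two small outflows to paste sites,
    # then the remainder moved to a hop that fans out again
    Tx("t1", 100, "victim_1", "ACTIVE_WALLET", 30_000_000),
    Tx("t2", 101, "victim_2", "ACTIVE_WALLET", 30_000_000),
    Tx("t3", 102, "victim_3", "ACTIVE_WALLET", 30_000_000),
    Tx("t4", 200, "ACTIVE_WALLET", "PASTE_SITE_A", 5_000_000),
    Tx("t5", 200, "ACTIVE_WALLET", "PASTE_SITE_B", 5_000_000),
    Tx("t6", 250, "ACTIVE_WALLET", "HOP_1", 80_000_000),
    Tx("t7", 260, "HOP_1", "HOP_2A", 40_000_000),
    Tx("t8", 260, "HOP_1", "HOP_2B", 40_000_000),
    # ransom payments into a wallet that never spends
    Tx("t9", 100, "victim_4", "DORMANT_WALLET", 30_000_000),
    Tx("t10", 103, "victim_5", "DORMANT_WALLET", 30_000_000),
]


def balance_history(ledger: List[Tx], addr: str) -> List[Tuple[int, int]]:
    """Running balance of addr after each transaction that touches it, in chain order."""
    bal, hist = 0, []
    for tx in sorted(ledger, key=lambda t: (t.height, t.txid)):
        if tx.dst == addr:
            bal += tx.sats
        elif tx.src == addr:
            bal -= tx.sats
        else:
            continue
        hist.append((tx.height, bal))
    return hist


def peak_balance(ledger: List[Tx], addr: str) -> int:
    """Highest balance the address ever held."""
    return max((bal for _, bal in balance_history(ledger, addr)), default=0)


def outflows(ledger: List[Tx], addr: str) -> List[Tx]:
    """Spends from addr in chain order; an empty list means the funds never moved."""
    return sorted((t for t in ledger if t.src == addr), key=lambda t: (t.height, t.txid))


def trace_forward(ledger: List[Tx], seed: str, max_hops: int = 3) -> Dict[str, int]:
    """Breadth-first walk along the address graph from seed; returns {address: hops}."""
    graph = defaultdict(set)
    for t in ledger:
        graph[t.src].add(t.dst)
    hops: Dict[str, int] = {}
    queue = deque([(seed, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in sorted(graph[addr]):
            if nxt != seed and nxt not in hops:
                hops[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return hops


if __name__ == "__main__":
    for wallet in ("ACTIVE_WALLET", "DORMANT_WALLET"):
        print(wallet, "peak:", peak_balance(LEDGER, wallet),
              "outflows:", [t.txid for t in outflows(LEDGER, wallet)])
    print("reachable from ACTIVE_WALLET:", trace_forward(LEDGER, "ACTIVE_WALLET"))
```

This address-level graph is a simplification: real chain analysis works at the level of transaction inputs and outputs, where one transaction can draw on several addresses and pay several more, and a mixing service deliberately blurs the hop structure that `trace_forward` follows here.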
Cloaks, Daggers and Motives
It is likely that we will never get to the bottom of the motive for either of these disruptive ransomware events. The nature of cryptocurrency means that although the ledger of transactions is available for scrutiny, the identities of the wallet owners are not. With return on investment low in both cases, our only line of investigation is more than likely a clever attempt at misdirection anyway.