As deadline passes, WannaCry falls short of six figures

(Bloomberg) -- One week ago a global cyberattack dubbed “unprecedented” by Europol began infecting an estimated 200,000 of the world’s computers, starting a seven-day countdown to the destruction of data if victims didn’t pay a ransom.

On Friday, those countdowns begin reaching zero. But so far, as of 13:00 in London, the attackers have claimed only about $92,000 in payments from their widespread ransom demands, according to Elliptic Enterprises Ltd., a U.K.-based company that tracks illicit use of bitcoin. The company calculates the total based on payments tracked to bitcoin addresses specified in the ransom demands.

The ransomware, called WannaCry, began infecting users on May 12 and gave them 72 hours to pay $300 in bitcoin or pay twice as much. Refusal to pay after seven days was promised to result in the permanent loss of data via irrevocable encryption.

With affected institutions including the National Health Service, FedEx Corp. and PetroChina, few initially paid up, leading to speculation that organizations were taking their chances on fixing their corrupt machines before the ransom forced a mass deletion of critical data. A week later, experts agree the financial gains of the hackers remain astonishingly low.

“With over 200,000 machines affected, the figure is lower than expected,” said Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. “If even 1 percent paid the ransom that would be $600k.”

Web servers stand inside the Facebook Inc. Prineville Data Center in Prineville, Oregon, U.S., on Monday, April 28, 2014. The Facebook Prineville Data Center features leading energy-efficient technology, including features such as rainwater reclamation, a solar energy installation for providing electricity to the office areas and reuse of heat created by the servers to heat office space. Photographer: Meg Roussos/Bloomberg

Akhtar said experts may never know how much larger this figure would have been if a so-called kill switch hadn't been accidentally triggered by a cyber security researcher, who registered an internet domain that acted as a disabling tool for the worm’s propagation.

While the world’s law enforcement is pointing its resources at trying to identify the culprits, Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises, says it’s unlikely the money taken from victims will be taken from the digital bitcoin wallets it’s being anonymously held in.

“Given the amount of scrutiny this has come under, I would be surprised if they moved it anytime soon,” he said. “I just don't think the risk is worth the $90,000 they've raised so far.”

Akhtar agrees but doesn’t think the criminals have given up hope while machines infected later still have time ticking on their ransom countdown.

“It seems like they are still actively trying to bring funds in,” he said, noting a Twitter post from Symantec Corp. Thursday, which seemed to show fresh messaging from the attackers promising to hold their end of the decryption bargain if victims paid up.

Akhtar believes the best thing the perpetrators can do to hide from authorities is “destroy any evidence and abandon the bitcoin wallets.”

Of course, the hack may have nothing to do with money at all. Any movement of funds from a bitcoin wallet would act as a valuable clue for law enforcement as to who is behind the attack. Preliminary finger-pointing has already targeted groups with suspected links to the North Korean regime, but clues are still few and far between.
