Bitcoin wallets related to the WannaCry ransomware attacks and stuffed with more than $140,000 worth of the cryptocurrency have been emptied, experts say. The balance of the various accounts, which amounted to 52.2 BTC, was unexpectedly drained overnight. Funds began to mount in early May 2017, as victims of WannaCry coughed up the virtual cash needed to unlock their data.
After that point, the question many were waiting to see answered was when those accounts would be accessed and the Bitcoins removed. That, cryptocurrency security specialist Elliptic says, began late on Wednesday evening, August 2nd. By 3:25am the following morning, the three Bitcoin addresses known to be associated with WannaCry had been drained entirely.
Those three accounts – detailed here – were hard-coded into the malware. Victims of WannaCry were generally directed to pay between $300 and $600 in order to remove the block. Those victims were numerous, too: as well as individuals, WannaCry affected the UK’s National Health Service, the Russian Interior Ministry, French automaker Renault, telecoms operator Telefonica in Spain, and FedEx in the US.
“Elliptic is also tracking further Bitcoin addresses associated with earlier strains of the malware,” the company said. The assumption is that the Bitcoin ransoms are being converted into another cryptocurrency in the hope of obscuring the recipients. Investigators continue to monitor where, exactly, the funds are headed.
WannaCry has proved to be one of the more disruptive strains of malware in recent memory. As well as disrupting both private and enterprise users, it forced Microsoft to push out an emergency patch for Windows XP that closed the loophole through which the ransomware infected systems. That patch had been released before for supported versions of Windows, but many legacy PC users had yet to install it, as Windows XP no longer received automatic updates.
However, it wasn’t just Windows XP users who were at risk. Indeed, any system running Microsoft’s OS before Windows 10 could be vulnerable if not patched for MS17-010. That update was released on March 14, 2017, with Microsoft saying at the time that it was rated “Critical” because of the potential for remote code execution.