Almost three months ago the massive cyberattack WannaCry, which caused Telefónica to close its intranet, as well as numerous companies around the world. The attack has had significant costs for many companies, although not all of them have decided to pay to recover the data: they have only managed to collect 140,000 dollars.
The way to claim money has been in the form of Bitcoin, because it allows you to stay out of the international financial circuit that would make it difficult to hide the creators of the malware. But now the creators have faced a difficult challenge: to turn Bitcoin into ordinary money.
The technique used by the authors of WannaCry
Bitcoin is a crypto currency with many features but there is one that does not: the anonymity of transactions. It is true, seeing a Bitcoin account we can not deduce who is the owner (it is only a number and the one who has the private key is able to access the account), but any transaction is recorded and is public. And to convert Bitcoin into money (dollars, for example) you have to go through an exchange, a bureau de change.
The problem is that exchange houses are companies that do business with money exchange and are therefore subject to very strict regulation. In fact the BTC-e exchange was closed by the authorities as it was facilitating money laundering and its founder has been considered a ciminal (it has helped launder $4 billion).
Therefore, if the creators of WannaCry want to recover the money they cannot send it directly to an exchange. And since they are not fools, a few days ago they tried to obfuscate the money by making multiple transactions to new Bitcoin accounts so that the authorities would lose the trace of the money (this technique is called bitcoin mixer).
But the obfuscation is not so easy
The problem is that confusing the authorities is not so easy. Yes, the 140,000 euros in Bitcoin ended up in multiple accounts and with many transactions, but in the end they have to get to an exchange. And they used Shapeshift.io, not to convert them into money but to convert them into another cryptomoneda, Monero, which does have characteristics of anonymity. The main feature of Shapeshift is that it is not necessary to register.
However, either the authorities or Shapeshift detected that the money came from WannaCry and blocked the funds. The creators of the malware have lost their money. All the fuss they made in May for nothing (or yes, maybe it was an attack led by North Korea and they don’t care about the money; in this case the attempt to withdraw funds is just a strategy to divert attention).
Future rasomware attacks
In the future hackers will have learned some lessons. First, that Bitcoin is not the best currency to ask for a ransom because its conversion to physical money is complicated. They could always have used Bitcoin to buy objects on the Deep Web, but sincerely doing this with 140,000 dollars is unproductive.
Second, maybe they should have ransomed in more anonymous currencies, like Monero. It is true, however, that with Bitcoin there is always some guarantee of having an investment insured and with good liquidity, in smaller currencies there could be problems to convert into dollars or it could be devalued quickly. However if in the end the strategy is to convert Monero better do so from the beginning.
And third, if you call the attention the authorities will pay more attention to you and the obfuscation will be more complicated. Better to attack smaller targets than to throw away Telefónica’s internal network or cause problems for the UK’s public health system. The bitcoin mixer process doesn’t work if there are a lot of people watching what you do with the money.