WannaCry Ransomware: Putting Cybercriminals’ Finances Under the Microscope

Thousands of computers, including in the NHS, have been attacked by ransomware called WannaCry, also known as WCry, WannaDecryptOr and WannaCrypt. Courtesy of Wikimedia.


The WannaCry ransomware attack highlights the need for a global strategy to use financial intelligence in tracking cybercriminals.

The WannaCry ransomware attack, launched by unidentified cybercriminals on 12 May, has disrupted public and private sector services globally, crippling more than three dozen of Britain’s National Health Service Trusts.

Although shocking in scale, the attack is unsurprising to experts who have been sounding alarms as ransomware has exploded into a billion-dollar business.

The exact figures are imprecise, but some estimates put cybercrime as the top source of global criminal proceeds. Ransomware has featured heavily, but other forms of financially motivated cybercrime have also proved lucrative. This includes cyber-enabled fraud, such as credit card and ID theft, as well as large-scale bank thefts involving North Korea as a suspected perpetrator.

Practical IT security measures remain the best defence against cybercrime. However, as profits soar, counter-illicit finance techniques offer a promising means for tracking cybercriminals.

Vulnerable to Detection

Although cybercriminals operate in a virtual space, accessing their profits can result in the generation of tangible funds, accounts and property, making them vulnerable to detection and the seizure of criminal proceeds.

Because cybercriminals operate globally, tracing their funds requires governments to cooperate closely. However, attempts to crack down on illicit cybercrime proceeds to date have often been ad hoc and piecemeal.

Improved international coordination in tracing and seizing proceeds can help to build out the broader intelligence picture around cybercrime, while enhancing the disruptive impact of law enforcement action.

The WannaCry attack is a timely illustration of the need for a robust and coherent financial intelligence component in global counter-cybercrime efforts.

Victims of WannaCry were greeted by a message threatening that unless they made bitcoin payments of $300 or $600 they would have their files deleted permanently. The ransom notes demanded transfers to one of three bitcoin addresses, each of which can be viewed on the blockchain, bitcoin’s public transaction ledger.

Not all that Anonymous

Although bitcoin is often described as ‘anonymous’, the transparent nature of the blockchain makes the transfer of funds from one alphanumeric address to another visible and traceable. With WannaCry, as of today, the three addresses had received approximately 280 separate payments totalling 42.2 bitcoins, equal to roughly $77,400.

The bitcoins remain sitting with those three addresses, the use of which offers clues about the attackers’ possible motives.

For example, ransomware often generates a new, unique bitcoin address for each victim, so that criminals can decrypt a victim’s files after receiving the cryptocurrency at the unique address. This is the technique employed in certain versions of the prolific CryptoLocker ransomware, as well as other ransomware varieties.

The WannaCry attackers’ use of just three fixed bitcoin addresses suggests they have no intention to decrypt files: it is unclear how they would know which victims made ransom payments.
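The attribution problem described above, as an added illustration that is not part of the original article: a per-victim address scheme lets a payment be matched to the victim it should unlock, while a handful of shared addresses leaves every payment unattributable even though the public ledger still shows who was paid how much. The ledger entries, addresses and victim labels are constructed placeholders, not the real WannaCry addresses.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, destination address, amount in BTC).
# All txids and addresses are made-up placeholders for this example.
SHARED_LEDGER = [
    ("tx01", "ADDR_SHARED_1", 0.17),
    ("tx02", "ADDR_SHARED_1", 0.17),
    ("tx03", "ADDR_SHARED_2", 0.34),
    ("tx04", "ADDR_SHARED_3", 0.17),
]
# Fixed-address scheme: each of the three addresses was shown to many victims.
SHARED_SCHEME = {
    "ADDR_SHARED_1": {"victim-A", "victim-B", "victim-C"},
    "ADDR_SHARED_2": {"victim-D", "victim-E"},
    "ADDR_SHARED_3": {"victim-F", "victim-G"},
}
# Per-victim scheme: every address was issued to exactly one victim.
UNIQUE_LEDGER = [
    ("tx11", "ADDR_V_A", 0.17),
    ("tx12", "ADDR_V_B", 0.34),
]
UNIQUE_SCHEME = {"ADDR_V_A": {"victim-A"}, "ADDR_V_B": {"victim-B"}}


def summarise(ledger):
    """Per-address (payment count, BTC total): what anyone can read off a public ledger."""
    totals = defaultdict(lambda: [0, 0.0])
    for _txid, addr, amount in ledger:
        totals[addr][0] += 1
        totals[addr][1] = round(totals[addr][1] + amount, 8)
    return {addr: tuple(v) for addr, v in totals.items()}


def attribute(ledger, scheme):
    """Map each payment to the single victim its address belongs to.

    Returns None for a payment when the address is shared by several victims,
    because the payer cannot be identified from the transaction alone.
    """
    result = {}
    for txid, addr, _amount in ledger:
        victims = scheme.get(addr, set())
        result[txid] = next(iter(victims)) if len(victims) == 1 else None
    return result


if __name__ == "__main__":
    print(summarise(SHARED_LEDGER))
    print(attribute(SHARED_LEDGER, SHARED_SCHEME))   # every value is None
    print(attribute(UNIQUE_LEDGER, UNIQUE_SCHEME))   # every payment resolves
```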

What's the Motive?

This has led some experts to speculate that the attackers may have erred. By signalling that they are unlikely to decrypt files, the perpetrators may have disincentivised victims from paying. This could explain the low volume of payments relative to the estimated 200,000 victims (a success rate of just 0.001%) and the relatively modest sum collected from so many victims.

The attackers’ use of only three addresses also makes their financial activity potentially more vulnerable to detection. When criminals obtain bitcoin, they generally ‘cash out’ by converting their cryptocurrency into fiat currency, legal tender issued and backed by a government.

This often involves using a bitcoin exchange (a business that converts bitcoin into fiat currency) in a jurisdiction that does not regulate such exchanges. Services for cashing out criminal bitcoin proceeds also exist on the dark web, a technique used by drug dealers.

At the point of cashing out, the risk of detection grows, but using a larger number of unique bitcoin addresses for laundering purposes along the way can decrease that risk.

Amateurs or Provocateurs?

It remains unconfirmed if the WannaCry attackers made an amateur mistake, or if their primary motivation was provocation, not profit. Some researchers have observed that WannaCry uses code similar to that employed by suspected North Korean-linked hackers in robbing Bangladesh’s central bank.

A direct North Korea connection remains far from confirmed, but, if established, might add credence to the view that, in the WannaCry case, profit motive was of secondary importance (although that theory hardly explains how a country building a reputation for audacious cybertheft could have failed to generate very large profits in this case).

What is clear is that the attackers, whoever they are, left a financial footprint. Even if they try to obscure their financial moves, governments and numerous blockchain intelligence companies are watching.

The risk the attackers face if they move their bitcoin offers a lesson: for all the mystique surrounding the digital realm, cybercriminals must generally interact with the ‘real’ world if they want to enjoy their profits. Targeting those earnings will require enhancing the capacity and knowledge of relevant public sector agencies.

Training for the Future

The United Nations Office on Drugs and Crime has recently developed a training programme for improving law enforcement investigations into crimes involving cryptocurrencies. Such international efforts should be expanded to promote robust, coordinated global financial investigations into cybercrime cases more generally, including where they involve conventional money laundering approaches.

Although cybercriminals use new payment methods such as virtual currencies, which can require sophisticated analytical techniques, in many cases online crooks may not require highly technical money laundering methods.

For example, research by Europol suggests cybercriminals rely heavily on money mule activity, a simple but effective method that uses individuals to launder funds through their personal bank accounts.

Tried and tested investigative techniques for detecting illicit financial activity can play a role in identifying these schemes, although enhanced training and resourcing is necessary to keep pace with the scale of the global threat.

Building Robust Partnerships

Critical to success in tracing illicit cybercrime proceeds will be the establishment of robust public–private partnerships. Tracking financial flows around cybercrime will require a more fluid exchange of information between relevant stakeholders than exists at present.

An effective long-term strategy for improving the financial intelligence picture around cybercrime will require extending public–private information sharing arrangements to participants beyond the traditional banking sector.

In the case of cryptocurrencies, bitcoin exchanges, which the UK and EU are set to regulate soon, can be meaningful partners.

Lateral approaches, such as expanding dialogue and information sharing between governments, the financial sector and non-financial sector businesses are also needed. Non-financial sector businesses that are targets of cybercrime can potentially be essential sources of information for financial intelligence agencies. They can also play a more effective role in tackling cybercrime if they understand the financial methods and motivations of cybercriminals.

Whatever the future of cybercrime, as it evolves, financial intelligence must not be left out of the picture.



WRITTEN BY

David Carlisle

Associate Fellow; Independent Consultant


