Hackers who infected 200,000 machines have only made $50,000 worth of bitcoin

  • The WannaCry ransomware hackers have received around $50,000 worth of bitcoin so far.
  • The amount the hackers will demand is expected to double from $300 to $600 on Monday.

Hackers who locked files on 200,000 computers globally and demanded a bitcoin ransom to unlock them have made only around $50,000 despite the large scale of the attack, an industry source told CNBC.

On Friday, a virus known as WannaCry infected machines across 150 countries. It is a type of ransomware: malicious software that encrypts a user's files and then demands payment to unlock them. In this case, the hackers asked for $300 worth of bitcoin.

James Smith, CEO of Elliptic, a London-based start-up that helps law enforcement agencies track criminals using the cryptocurrency, said his company had found that around $50,000 worth of bitcoin payments had been made to the hackers between Friday and 7 a.m. ET on Monday. This was up from $45,000 at 4 a.m. ET.

"We have seen the number of payments start to go up today," Smith told CNBC Monday.

The hackers said the fine would double to $600 once 72 hours had passed since the attack started on Friday, and that after seven days the files would be permanently locked.

"We think over the course of today as we approach the first deadline where fines double we will see a bigger increase (in bitcoin payments)," Smith added.

The amount paid so far is still small given the global nature and scale of the attack. Security experts and government agencies have been urging people not to pay the ransom.

Why payments have been slow

One of the major reasons for the slow payments is perhaps that many people wouldn't know how to obtain and pay in bitcoin.

"If a business is told it needs to pay this amount of bitcoin, most companies will be asking what bitcoin is … it's not straightforward," Smith explained.

Obtaining large amounts of the cryptocurrency might take some time, and then setting up an account via a bitcoin wallet and exchange would also require a long onboarding process.

At the same time, researchers have seen no evidence that paying the cybercriminals necessarily unlocks your files.

"The decryption process itself is problematic, to say the least," cybersecurity firm Check Point said in a blog post on Sunday.

"Unlike its competitors in the ransomware market, WannaCry doesn't seem to have a way of associating a payment to the person making it. Most ransomware … generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then … wait."

Tracing bitcoin

Hackers who deploy ransomware often ask for payment in bitcoin because it is commonly believed to be completely anonymous. But law enforcement agencies, working with companies like Elliptic, have figured out ways to trace such payments.

Elliptic traces so-called bitcoin addresses back to people. These addresses are required to make payments to other people or organizations. At the moment, Elliptic is working on tracing the payments, but Smith said the picture would become clearer when the hackers try to convert their bitcoin into fiat currency.

"The attackers haven't moved it. In previous cases we have been able to work with law enforcement to see where the funds move because ultimately the attacker wants to turn it back into a currency they want to spend," Smith explained.