Cyber criminals prefer to receive ransom in the cryptocurrency Bitcoin because it is anonymous. The truth is “sort of.” Let’s take a closer look at how Bitcoin works, and how the WannaCry perpetrators, possibly the Lazarus Group, want to be paid.

Bitcoin is different from fiat currencies because no actual coins or bills exist, not even digital ones; the ledger records only transfers. With a fiat currency like the dollar, money is represented by actual coins and bills that can be physically stored. Depending on how you pay, your transaction is either not recorded at all (cash) or, more often, recorded against an account number such as a credit card number.

In either case, the money you hold, whether as cash in hand or as a balance on your bank account, decreases. With Bitcoin, there is only the transaction. Transactions are always public and can be viewed by anyone. That is right: public, anyone. Anybody can see that money was paid from your address to one of WannaCry’s. (What this post calls an “account number” is, in Bitcoin terms, an address: an identifier derived from a public key that the wallet generates.) What is different from fiat currencies is that the real-world owner of an address is not recorded anywhere; the ledger holds only the address itself. Ownership can be completely anonymous. This is a bit similar to a numbered Swiss bank account, except that no bank holds the owner’s name.

To summarize: the ownership of a Bitcoin address may or may not be known to anyone. The transactions, however, are always public. Bitcoin records transactions in so-called blocks that are linked into a blockchain. To find out how much money somebody has, a wallet application has to scan the entire blockchain, pick out every transaction that involves the owner’s address(es), and keep only those outputs that have not been spent again.

Unlike fiat accounts, Bitcoin addresses are free and can be created in unlimited numbers: an address is just a key pair the wallet generates locally, offline, with nothing registered anywhere. Somebody who wants to be as anonymous as possible uses a fresh address for every single transaction. Wallet software makes it easy to keep track of them.

WannaCry made use of only three hard-coded Bitcoin addresses:

Why didn’t WannaCry use a new address for every instance of WannaCrypt0r that was installed? The answer might be key management: to spend the money sent to an address, one needs the private key that belongs to it. If the key pair were generated inside WannaCrypt0r on the victim’s machine, the private key would have to be communicated reliably to the hostage takers, who would need real-time access to it, and that channel would give the perpetrators away. If the keys were generated on a server somewhere in the cloud, the hand-out of addresses could be disguised in layers of Darknet labyrinth, but it would also be easy to shut down by taking the key servers offline, and the traffic would be easy to sniff. (A well-designed scheme avoids this problem: a hierarchical deterministic wallet, as specified in BIP32, lets the malware carry only an extended public key and derive a unique address per victim, while the matching private keys exist only on the extortionist’s side. WannaCry did not do this.) Also, using hundreds or thousands of addresses would not necessarily make it significantly more difficult for security experts to track the payments.
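The following is an added example written for this post, not code from WannaCry or from the author; it shows the key-management alternative the paragraph above mentions. Using BIP32 non-hardened derivation on secp256k1 (implemented here in plain Python with no third-party packages), a build that embeds only the extended public key (a public key plus a chain code) can compute a distinct public key for each victim, and only the holder of the master private key can compute the matching private key. The master key material below is constructed for the example; a real wallet derives it from a random seed. Hashing the public key into a Base58 address is omitted, so the output is the compressed public key rather than a printable address.

```python
"""Added example: per-victim Bitcoin keys from an extended public key (BIP32
CKDpub), with no private key on the victim side. Pure Python, stdlib only."""
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0


def point_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, pt):
    """Double-and-add: k * pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def compress(pt):
    """33-byte SEC1 compressed encoding, the form BIP32 feeds into HMAC."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _child_tweak(parent_pub, chain_code, index):
    """Shared part of CKDpub/CKDpriv: the scalar tweak and the child chain code."""
    if index >= 1 << 31:
        raise ValueError("hardened indices need the parent private key")
    data = compress(parent_pub) + index.to_bytes(4, "big")
    i = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child; BIP32 says skip to the next index")
    return il, i[32:]


def ckd_pub(parent_pub, chain_code, index):
    """BIP32 CKDpub: child public key and chain code from public data only."""
    il, child_chain = _child_tweak(parent_pub, chain_code, index)
    return point_add(scalar_mult(il, G), parent_pub), child_chain


def ckd_priv(parent_priv, chain_code, index):
    """BIP32 CKDpriv (non-hardened): the private key matching ckd_pub's child."""
    il, child_chain = _child_tweak(scalar_mult(parent_priv, G), chain_code, index)
    return (il + parent_priv) % N, child_chain


# Constructed master key material for this example only (a real wallet derives
# both from a random seed). The pair (MASTER_PUB, MASTER_CHAIN) is the "xpub".
MASTER_PRIV = int.from_bytes(hashlib.sha256(b"example seed, do not use").digest(), "big") % N
MASTER_CHAIN = hashlib.sha256(b"example chain code, do not use").digest()
MASTER_PUB = scalar_mult(MASTER_PRIV, G)


def victim_payment_key(victim_index):
    """What malware carrying only the xpub could compute for victim number `victim_index`."""
    child_pub, _ = ckd_pub(MASTER_PUB, MASTER_CHAIN, victim_index)
    return child_pub


def attacker_spending_key(victim_index):
    """What the extortionist, holding MASTER_PRIV, computes to spend that victim's payment."""
    child_priv, _ = ckd_priv(MASTER_PRIV, MASTER_CHAIN, victim_index)
    return child_priv


if __name__ == "__main__":
    for idx in (0, 1, 2):
        pub = victim_payment_key(idx)
        assert scalar_mult(attacker_spending_key(idx), G) == pub
        print(f"victim {idx}: pay to public key {compress(pub).hex()}")
```

The check in the `__main__` block is the whole point: the victim-side computation never touches a private key, yet the extortionist can reconstruct the spending key for any index. The cost of this design, from the attacker’s side, is that an analyst who recovers the xpub from one sample can enumerate every victim address as well, which is also why tracking would not get harder.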

The bigger question is how the perpetrators can associate a payment with a specific instance of WannaCry. With a uniquely generated address per victim that would be easy. But there does not appear to be any way to link the two, other than manually via the Contact Us button in WannaCrypt0r. In fact, the function of the Check Payment button appears dubious at best. It is supposed to fetch the private key, but there is no public record of anybody ever having received one that way. The question is whether it actually works.
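The following is an added example, not code from the original post or from WannaCry, that makes two of the points above concrete: how a wallet replays the public ledger to find unspent outputs and a balance (the scan described earlier), and why a shared, hard-coded address cannot tell the extortionist which victim paid. The ledger, addresses and amounts are all constructed for illustration; the three real WannaCry addresses are not used.

```python
"""Added example: replaying a toy UTXO ledger the way a wallet does, and the
payment-attribution problem of a shared ransom address. All data constructed."""

# Constructed ledger. Amounts are in satoshi (0.3 BTC = 30,000,000). Addresses
# are placeholder labels. Each transaction spends earlier outputs (inputs) and
# creates new ones (outputs); a transaction with no inputs is a coinbase.
LEDGER = [
    {"txid": "cb-a", "inputs": [], "outputs": [("victimA", 50_000_000)]},
    {"txid": "cb-b", "inputs": [], "outputs": [("victimB", 40_000_000)]},
    {"txid": "cb-c", "inputs": [], "outputs": [("victimC", 35_000_000)]},
    # Victims A and B both pay the same hard-coded ransom address.
    {"txid": "tx1", "inputs": [("cb-a", 0)],
     "outputs": [("ransom-shared", 30_000_000), ("victimA-change", 19_990_000)]},
    {"txid": "tx2", "inputs": [("cb-b", 0)],
     "outputs": [("ransom-shared", 30_000_000), ("victimB-change", 9_990_000)]},
    # Victim C pays an address that was generated for that one infection.
    {"txid": "tx3", "inputs": [("cb-c", 0)],
     "outputs": [("ransom-for-C", 30_000_000), ("victimC-change", 4_990_000)]},
]


def build_utxo(ledger):
    """Replay the ledger, validating every spend, and return the unspent outputs
    as {(txid, vout): (address, amount)}. A wallet does this before it can
    report any balance; there is no account record to look up."""
    utxo = {}
    for tx in ledger:
        total_in = 0
        for prev_txid, vout in tx["inputs"]:
            if (prev_txid, vout) not in utxo:
                raise ValueError(f"{tx['txid']} spends unknown or already spent output {prev_txid}:{vout}")
            total_in += utxo.pop((prev_txid, vout))[1]
        total_out = sum(amount for _, amount in tx["outputs"])
        if tx["inputs"] and total_out > total_in:
            raise ValueError(f"{tx['txid']} creates {total_out - total_in} satoshi from nothing")
        for vout, (address, amount) in enumerate(tx["outputs"]):
            utxo[(tx["txid"], vout)] = (address, amount)
    return utxo


def balance(utxo, address):
    """Sum of unspent outputs locked to one address."""
    return sum(amount for addr, amount in utxo.values() if addr == address)


def payments_to(ledger, address):
    """Every payment to `address`, with the addresses that funded it.
    Nothing here is secret: anyone holding a copy of the chain can compute it."""
    outputs_by_ref = {}
    for tx in ledger:
        for vout, (addr, amount) in enumerate(tx["outputs"]):
            outputs_by_ref[(tx["txid"], vout)] = (addr, amount)
    found = []
    for tx in ledger:
        funders = {outputs_by_ref[ref][0] for ref in tx["inputs"]}
        for addr, amount in tx["outputs"]:
            if addr == address:
                found.append((tx["txid"], amount, funders))
    return found


def candidates_for_claim(ledger, address, amount):
    """Transactions that could be the payment a victim claims to have made.
    With a shared address, every victim's claim matches every other victim's
    payment of the same amount; with a per-victim address it matches one."""
    return [txid for txid, paid, _ in payments_to(ledger, address) if paid == amount]


if __name__ == "__main__":
    utxo = build_utxo(LEDGER)
    print("ransom-shared balance:", balance(utxo, "ransom-shared"))
    for txid, amount, funders in payments_to(LEDGER, "ransom-shared"):
        print(f"{txid}: {amount} satoshi, funded by {sorted(funders)}")
    print("candidates for 'I paid 0.3 BTC to the shared address':",
          candidates_for_claim(LEDGER, "ransom-shared", 30_000_000))
    print("candidates for 'I paid 0.3 BTC to C's address':",
          candidates_for_claim(LEDGER, "ransom-for-C", 30_000_000))
```

Two things fall out of the replay. First, `payments_to` is exactly what any analyst, exchange or investigator can run against the real chain for the ransom addresses, which is why payments are public even when owners are not. Second, `candidates_for_claim` returns both tx1 and tx2 for the shared address: the amount and destination are identical for every victim, so without an out-of-band channel (the Contact Us button) the extortionist cannot tell who paid.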

How would the perpetrators get the money after people paid the ransom? Good question. Since transactions are public, we know the addresses to which the money is being transferred, and every onward transfer out of them is public as well. To exchange the BTC into a fiat currency, the perpetrators would need to go to an exchange, and exchanges are more and more government regulated. While a small-scale thug might slip through, the likelihood that a group of Lazarus’s size would stay anonymous is small. The WannaCry perpetrators could also try to break the visible chain of custody by routing the coins through so-called mixer services or through hosted account or wallet services. Again, a small-time thief might stay anonymous, but not when the NSA and every other state actor is after you.

In short, it is very possible that the WannaCry perpetrators never get their money. At the same time, it is very possible that you never get the key to recover your files either. Even worse, your organization will be on the public record as having paid the extortionists, which is not good publicity.

For many reasons it is never a good idea to pay ransom, but in the case of WannaCry specifically it is practically pointless.

Stefan Brunner
Stefan started his career as a London banker in M&A and private equity, evaluating and authoring business plans, and performing financial analytics for due diligence reports. Intrigued by the upcoming Internet, he shifted his focus to leveraging technology in banking. He designed and built global hyper-scale network and security infrastructure for some of the largest financial institutions for Juniper Networks. Maintaining his bifocal business interest, he served as Product Line Manager for Juniper Networks, and has a history as an entrepreneur and founder.

Excited by the potential of cloud-based security systems and sandboxing, Stefan joined the pioneer in sandboxing technology, SonicWALL, in 2014 through DELL as their Lead Solutions Architect.

Stefan earned a Master of Business Administration, triple majoring in Innovations Research and Technology Management, Information and Communications Economics, and Accounting, from Ludwig-Maximilians-University, and an executive degree in Telecommunications Engineering from UC Berkeley. Stefan has earned countless industry certifications, including JNCIE.

Stefan has published an O’Reilly bestseller on security and countless white papers.


1 comment

Beni

I am sorry, a Swiss number account is not “completely anonymous”. The bank always knows the owner and gives the data to the prosecutor in case he needs to know.
