As deadline begins to pass, global ransomware attack nets far less than expected

Staff monitoring the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul, on May 15, 2017.
Staff monitoring the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul, on May 15, 2017.PHOTO: AFP

LONDON (Bloomberg) - One week ago, a global cyberattack dubbed "unprecedented" by Europol began infecting an estimated 200,000 of the world's computers, starting a seven-day countdown to the destruction of data if victims didn't pay a ransom.

On Friday (May 19), those countdowns begin reaching zero. But so far, as of 1pm in London, the attackers have claimed only about US$92,000 (S$127,394) in payments from their widespread ransom demands, according to Elliptic Enterprises Ltd, a UK-based company that tracks illicit use of bitcoin.

The company calculates the total based on payments tracked to bitcoin addresses specified in the ransom demands.

The ransomware, called WannaCry, began infecting users on May 12 and gave them 72 hours to pay US$300 in bitcoin or pay twice as much. Refusal to pay after seven days was promised to result in the permanent loss of data via irrevocable encryption.

Get The Straits Times
newsletters in your inbox

With affected institutions including the National Health Service, FedEx Corp and PetroChina, few initially paid up, leading to speculation that organisations were taking their chances on fixing their corrupt machines before the ransom forced a mass deletion of critical data. A week later, experts agree the financial gains of the hackers remain astonishingly low.

"With over 200,000 machines affected, the figure is lower than expected," said Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. "If even 1 per cent paid, the ransom that would be US$600k."

Akhtar said we experts may never know how much larger this figure would have been if a so-called kill switch wasn't accidentally triggered by a cyber security researcher, who registered an Internet domain that acted as a disabling tool for the worm's propagation.

While the world's law enforcement is pointing its resources at trying to identify the culprits, Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises, says it's unlikely the money taken from victims will be taken from the digital bitcoin wallets they're being anonymously held in.

"Given the amount of scrutiny this has come under, I would be surprised if they moved it anytime soon," he said. "I just don't think the risk is worth the US$90,000 they've raised so far."

Akhtar agrees but doesn't think the criminals have given up hope while machines infected later still have time ticking on their ransom countdown.

"It seems like they are still actively trying to bring funds in," he said, noting a  Twitter post from Symantec Corp on Thursday (May 18), which seemed to show fresh messaging from the attackers promising to hold their end of the decryption bargain if victims paid up.

Akhtar believes the best thing the perpetrators can do to hide from authorities is "destroy any evidence and abandon the bitcoin wallets".

Of course, the hack may have nothing to do with money at all. Any movement of funds from a bitcoin wallet would act as a valuable clue for law enforcement as to who is behind the attack.

Preliminary finger-pointing has already targeted groups with suspected links to the North Korean regime, but clues are few are far between still.