WannaCry Hackers Finally Cash Out $143,000 In Bitcoin Ransom

Bitcoin

The hackers behind the WannaCry ransomware that became an overnight global scare did not strike it rich over their nefarious deeds, though they did make around $143,000 after cashing out all of the Bitcoin payments made by victims. Had it not been for the quick response of security researchers, and one in particular who accidentally discovered a kill switch of sorts, they might have made much more.

Elliptic, a London-based start-up that aids law enforcement with tracking down cybercriminals that use Bitcoin, confirmed that the WannaCry withdrew 52.2 BTC from online wallets this week. Bitcoin currency is currently worth around $2,740, resulting in the six-figure payday for the people behind the ransomware attack.

It's believed that at least some of the funds that have been withdrawn are being converted into another type of cryptocurrency, though it's not clear if the culprits are doing this to further hide their tracks or are gambling on another digital coin rising in value. They are playing with house money, after all.

"We're following the movement of funds being sent out of the WannaCry wallets," Elliptic co-founder Tom Robinson told CNBC. "We believe some of these funds are being converted into Monero, a privacy-focused cryptocurrency. We continue to work with law enforcement to support their efforts in tracing ownership of these funds."

WannaCry, also known as WannaCrypt (among other names) made headlines after quickly spreading to tens of thousands of PCs in dozens of countries in just a few hours. It infiltrated several hospitals in the UK, some of which had to turn down patients and send staff home.

A security researcher that was looking into the ransomware discovered that it was pinging a specific unregistered domain, which he then registered with the intention of observing its activity. In doing so, in inadvertently neutralized the initial strain. It turned out the malware's author coded in a kill switch in which WannaCry would stop installing itself if the domain in question became registered.