Funds collected by the WannaCry ransomware attack that held hostage hundreds of thousands of computer systems around the world earlier this year have started to be withdrawn from online bitcoin wallets.
A total of 52.2 bitcoins, valued at about $143,000, were withdrawn from the wallets overnight. The withdrawals, which were made in increments of about $20,000, started around 11 p.m. ET on Aug. 2 and completed at 3:25 a.m. ET Thursday.
The withdrawals were confirmed by Elliptic, a London-based security firm that monitors and tracks bitcoin activity. According to the firm's tracker of the bitcoin wallets associated with WannaCry, the accounts have been drained in their entirety.
It is likely the withdrawals were made by the attackers who carried out the WannaCry attack, though there has yet to be an official attribution made as to who was behind the widespread ransomware epidemic.
Some security researchers have noted that WannaCry shared code with a strain of malware used by the notorious North Korean hacking group known as Lazarus Group. The collective has ties to the North Korean government and is believed to be responsible for the Sony Pictures hack in 2014, which led to internal documents and unreleased films being published online, as well as the digital heist of $81 million from a bank in Bangladesh.
British cybersecurity experts went a step further and linked WannaCry directly to North Korea, claiming the country's state-sponsored hackers were likely the culprits. The nation has turned its hacking efforts toward financially motivated attacks in recent months, though the WannaCry take would represent small gains compared with prior attacks targeting financial institutions.
The WannaCry outbreak started in May and spread quickly to hundreds of thousands of machines around the world, hitting everything from major corporations to hospitals and even stop lights and causing massive disruptions in the operations of organizations and individuals.
The attack is believed to have hit more than one million machines in total in more than 150 countries. WannaCry encrypted important files on an infected machine and demanded a $300 ransom in bitcoin in order to decrypt them and return access to the victim. Based on the funds withdrawn from the bitcoin wallets associated with WannaCry, fewer than 500 people paid the ransom. That figure is a rough upper bound rather than an exact count: the ransom note doubled the demand to $600 after three days, and the $143,000 valuation reflects bitcoin's price at the time of withdrawal rather than when the payments were made in May.
WannaCry made use of a Microsoft Windows exploit known as EternalBlue, which targets the SMBv1 file-sharing protocol. The exploit, along with a number of other potentially damaging means of propagation for malicious software, was initially developed by the U.S. National Security Agency and made public after it was stolen by an anonymous group of hackers known as the Shadow Brokers.
The NSA disclosed the method of attack to Microsoft after the agency learned the exploits were stolen. Microsoft released a patch for the EternalBlue vulnerability (security bulletin MS17-010) in March for supported operating systems and, in May as WannaCry began spreading, issued an emergency patch for out-of-support versions such as Windows XP and Windows Server 2003.
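The two controls that stop EternalBlue-style propagation are having the MS17-010 fix installed and having SMBv1 disabled. The following PowerShell check is an added example and not part of the original article or of any Microsoft tooling; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for `Get-SmbServerConfiguration`). The KB numbers listed are the original March and May 2017 MS17-010 packages; later cumulative updates supersede them, so a fully patched Windows 10 host will not list them and must be judged by its update level instead.

```powershell
# Added example, not from the original article: local check for the two
# controls that stopped WannaCry's EternalBlue propagation, namely SMBv1
# being disabled and an MS17-010 fix being installed.
# Assumptions: elevated PowerShell on Windows 8.1/2012 R2 or later.
# The KB IDs are the original MS17-010 packages; cumulative updates on
# Windows 10/2016 supersede them, so their absence there is not proof of
# a missing fix.

$Ms17010Kbs = @(
    'KB4012598',              # Vista/2008, and the May 2017 emergency release for XP/2003/8.0
    'KB4012212', 'KB4012215', # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Smb1Enabled {
    # Server-side SMBv1 state; EternalBlue only works against SMBv1.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-Ms17010Hotfix {
    # Installed hotfixes whose ID matches one of the original MS17-010 packages.
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
}

$smb1 = Test-Smb1Enabled
$fix  = Get-Ms17010Hotfix
$os   = Get-CimInstance Win32_OperatingSystem

Write-Host ("Host: {0}  OS: {1} build {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)
Write-Host ("SMBv1 server enabled: {0}" -f $smb1)

if ($fix) {
    Write-Host ("MS17-010 package present: {0}" -f ($fix.HotFixID -join ', '))
} else {
    Write-Host "No original MS17-010 package listed; on Windows 10/2016 confirm the"
    Write-Host "latest cumulative update is installed before treating this as a gap."
}

if ($smb1) {
    Write-Warning "SMBv1 is enabled; disable it unless a legacy dependency requires it:"
    Write-Warning "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
}
```

Run it per host, or wrap `Get-HotFix -ComputerName` and `Invoke-Command` around it for a fleet sweep; the SMBv1 result is the more durable signal, since patch status changes with every servicing cycle while a disabled protocol removes the attack surface outright.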
EternalBlue was used again a month later in the spread of Petya (later dubbed NotPetya), another worldwide attack that hit computer systems in more than 50 countries. While Petya appeared at first to be a ransomware attack as well, it was revealed to be a more malicious "wiper" designed to destroy files on infected machines rather than hold them for ransom.