WannaCry Ransomware: Putting Cybercriminals’ Finances Under the Microscope
The WannaCry ransomware attack highlights the need for a global strategy to use financial intelligence in tracking cybercriminals.
The WannaCry ransomware attack, launched by unidentified cybercriminals on 12 May, has disrupted public and private sector services globally, crippling more than three dozen of Britain’s National Health Service Trusts.
The exact figures are imprecise, but some estimates put cybercrime as the top source of global criminal proceeds. Ransomware has featured heavily, but other forms of financially motivated cybercrime have also proved lucrative. This includes cyber-enabled fraud, such as credit card and ID theft, as well as large-scale bank thefts involving North Korea as a suspected perpetrator.
Practical IT security measures remain the best defence against cybercrime. However, as profits soar, counter-illicit finance techniques offer a promising means for tracking cybercriminals.
Vulnerable to Detection
Although cybercriminals operate in a virtual space, accessing their profits can result in the generation of tangible funds, accounts and property, making them vulnerable to detection and the seizure of criminal proceeds.
Because cybercriminals operate globally, tracing their funds requires governments to cooperate closely. However, attempts to crack down on illicit cybercrime proceeds to date have often been ad hoc and piecemeal.
Improved international coordination in tracing and seizing proceeds can help to build out the broader intelligence picture around cybercrime, while enhancing the disruptive impact of law enforcement action.
The WannaCry attack is a timely illustration of the need for a robust and coherent financial intelligence component in global counter-cybercrime efforts.
Victims of WannaCry were greeted by a message threatening that unless they made bitcoin payments of $300 or $600 they would have their files deleted permanently. The ransom notes demanded transfers to one of three bitcoin addresses, each of which can be viewed on the blockchain, bitcoin’s public transaction ledger.
Not all that Anonymous
Although bitcoin is often described as ‘anonymous’, the transparent nature of the blockchain makes the transfer of funds from one alphanumeric address to another visible and traceable. With WannaCry, as of yesterday, the three addresses had received approximately 280 separate payments totalling 42.2 bitcoins, equal to roughly $77,400.
The bitcoins remain sitting with those three addresses, the use of which offers clues about the attackers’ possible motives.
For example, ransomware often generates a new, unique bitcoin address for each victim, so that criminals can decrypt a victim’s files after receiving the cryptocurrency at the unique address. This is the technique employed in certain versions of the prolific CryptoLocker ransomware, as well as other ransomware varieties.
The WannaCry attackers’ use of just three fixed bitcoin addresses suggests they have no intention to decrypt files: it is unclear how they would know which victims made ransom payments.
What's the Motive?
This has led some experts to speculate that the attackers may have erred. By signalling that they are unlikely to decrypt files, the perpetrators may have disincentivised victims from paying. This could explain the relatively low volume of payments relative to the estimated 200,000 victims, a success rate of just 0.001%, and the relatively modest sum collected from so many victims.
The attackers’ use of only three addresses also makes their financial activity potentially more vulnerable to detection. When criminals obtain bitcoin, they generally ‘cash out’ by converting their cryptocurrency into fiat currency, legal tender issued and backed by a government.
This often involves using a bitcoin exchange (a business that converts bitcoin to fiat currency) in jurisdictions that do not regulate such exchanges. Services for cashing out criminal bitcoin proceeds also exist on the dark web, a technique used by drug dealers.
At the point of cashing out, the risk of detection grows, but using a larger number of unique bitcoin addresses for laundering purposes along the way can decrease that risk.
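As an added illustration of the tracing argument above (example code written for this page, not from the article or from any blockchain intelligence product), the following Python models a constructed mini-ledger: a watchlist of three placeholder ransom addresses, a tally of what they receive, an alert on any spend out of them (the point at which cash-out begins), and the attribution ambiguity that shared addresses create. Every address, transaction id and amount is constructed; none is a real WannaCry value.

```python
"""Added example: tracing payments to a fixed set of ransom addresses.

Constructed mini-ledger. Addresses, txids and amounts are placeholders,
not the real WannaCry addresses or figures. Amounts are in satoshis so
that sums are exact integers rather than floating-point approximations.
"""
from collections import defaultdict

# Watchlist: the attackers' fixed payment addresses (constructed placeholders).
RANSOM_ADDRESSES = {"ransom_addr_A", "ransom_addr_B", "ransom_addr_C"}

# Constructed transactions: (txid, sender, receiver, amount_sat).
# On a real ledger the sender is just an opaque address, not a victim name;
# the labels here are for readability only.
LEDGER = [
    ("tx1", "victim_1", "ransom_addr_A", 15_000_000),        # payment to shared address
    ("tx2", "victim_2", "ransom_addr_A", 15_000_000),        # second payer, same address
    ("tx3", "victim_3", "ransom_addr_B", 30_000_000),
    ("tx4", "unrelated", "other_addr", 100_000_000),         # noise, not watched
    ("tx5", "ransom_addr_B", "exchange_deposit", 30_000_000),  # funds moved out
]

def inbound_summary(ledger, watchlist):
    """Payments received per watched address, as {address: (count, total_sat)}."""
    counts, totals = defaultdict(int), defaultdict(int)
    for _, _, receiver, amount in ledger:
        if receiver in watchlist:
            counts[receiver] += 1
            totals[receiver] += amount
    return {addr: (counts[addr], totals[addr]) for addr in counts}

def grand_total(ledger, watchlist):
    """Total received across the whole watchlist, in satoshis."""
    return sum(total for _, total in inbound_summary(ledger, watchlist).values())

def outbound_moves(ledger, watchlist):
    """Spends out of a watched address: the moment cash-out starts and the
    point at which the attackers' detection risk grows."""
    return [tx for tx in ledger if tx[1] in watchlist]

def payer_candidates(ledger, address_to_victims):
    """For each ransom payment, which victims could have sent it?
    With one unique address per victim the answer is exactly one name; with
    shared addresses (WannaCry used three) it is ambiguous, which is why the
    attackers could not tell who had paid."""
    out = {}
    for txid, _, receiver, _ in ledger:
        if receiver in address_to_victims:
            out[txid] = sorted(address_to_victims[receiver])
    return out

if __name__ == "__main__":
    print(inbound_summary(LEDGER, RANSOM_ADDRESSES), grand_total(LEDGER, RANSOM_ADDRESSES))
    print(outbound_moves(LEDGER, RANSOM_ADDRESSES))
```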
Amateurs or Provocateurs?
It remains unconfirmed if the WannaCry attackers made an amateur mistake, or if their primary motivation was provocation, not profit. Some researchers have observed that WannaCry uses code similar to that employed by suspected North Korean-linked hackers in robbing Bangladesh’s central bank.
A direct North Korea connection remains far from confirmed, but, if established, might add credence to the view that, in the WannaCry case, profit motive was of secondary importance (although that theory hardly explains how a country building a reputation for audacious cybertheft could have failed to generate very large profits in this case).
What is clear is that the attackers, whoever they are, left a financial footprint. Even if they try to obscure their financial moves, governments and numerous blockchain intelligence companies are watching.
The risk the attackers face if they move their bitcoin offers a lesson: for all the mystique surrounding the digital realm, cybercriminals must generally interact with the ‘real’ world if they want to enjoy their profits. Targeting those earnings will require enhancing the capacity and knowledge of relevant public sector agencies.
Training for the Future
The United Nations Office on Drugs and Crime has recently developed a training programme for improving law enforcement investigations into crimes involving cryptocurrencies. Such international efforts should be expanded to promote robust, coordinated global financial investigations into cybercrime cases more generally, including where they involve conventional money laundering approaches.
Although cybercriminals use new payment methods such as virtual currencies, which can require sophisticated analytical techniques to trace, in many cases online crooks do not need highly technical money laundering methods.
For example, research by Europol suggests cybercriminals rely heavily on money mule activity, a simple but effective method that uses individuals to launder funds through their personal bank accounts.
Tried and tested investigative techniques for detecting illicit financial activity can play a role in identifying these schemes, although enhanced training and resourcing are necessary to keep pace with the scale of the global threat.
Building Robust Partnerships
Critical to success in tracing illicit cybercrime proceeds will be the establishment of robust public–private partnerships. Tracking financial flows around cybercrime will require a more fluid exchange of information between relevant stakeholders than exists at present.
An effective long-term strategy for improving the financial intelligence picture around cybercrime will require extending public–private information sharing arrangements to participants beyond the traditional banking sector.
Lateral approaches, such as expanding dialogue and information sharing between governments, the financial sector and non-financial sector businesses, are also needed. Non-financial sector businesses that are targets of cybercrime can be essential sources of information for financial intelligence agencies. They can also play a more effective role in tackling cybercrime if they understand the financial methods and motivations of cybercriminals.
Whatever the future of cybercrime, as it evolves, financial intelligence must not be left out of the picture.