An unprecedented cyberattack swept across the globe over the weekend, but so far the majority of victims haven’t paid hackers a ransom.
After the ransomware began infecting users on Friday, they were given 72 hours to pay $300 in bitcoin—chosen by the hackers because the crypto currency is harder to track than conventional payments—or pay twice as much. If they refused to pay after seven days, their computer would be permanently locked—a serious problem for those who haven’t backed up their data.
As of early Monday, only about $50,000 had been paid in ransoms, according to Elliptic Enterprises Ltd., a London-based company that tracks illicit use of bitcoin. The company calculated the total based on payments tracked to bitcoin addresses specified in the ransom demands, adding that it expects the total to rise.
"The amount is indeed low," said Michela Menting, digital security research director at ABI Research. "This is likely due to the fact that organizations have initiated their backup and recovery procedures."
Moreover, for those who didn’t save their data on a separate system, paying a ransom isn’t like buying something from Amazon by entering their credit or debit card information. Even though the hackers provided a helpful link for those new to paying in bitcoin, the crypto currency is a black box for most people.
"If you’re presented with something that says pay this amount in bitcoin, most people don’t know where to start with that," said James Smith, the CEO and co-founder of Elliptic.
There are several steps. First, a person or business has to obtain the bitcoins by registering with one of the various online exchanges and going through its verification process. After that, money can be deposited into the exchange. For those living in countries that don’t have an exchange, including the U.K., money must be converted into another currency.
Once the money is deposited on the exchange, the bitcoins can be sent to the address provided by the extortionist. "It looks like a long garbled string of text," Smith said. After the fee is paid, the hackers supposedly free the affected computer.
"A large amount of bitcoin is actually somewhat difficult to source quickly," said Alex Sunnarborg, an analyst at bitcoin research company CoinDesk, adding it might take a few days to create an account at a bitcoin brokerage or exchange, connect a bank account, and then receive the bitcoin.
One notable difference with this attack is that the perpetrators demanded a relatively small amount of money but from a large number of people, said James Chappell, chief technology officer and co-founder of United Kingdom security company Digital Shadows.
More typically, he said, hackers demand one large ransom to unlock all the infected machines. "Quite often they’re in the thousands rather than the hundreds of dollars," he said. "It is unusual to see this piecemeal approach, computer by computer."
Although harder than tracking a traditional bank payment, hunting down the bitcoin payments will be a key way law enforcement authorities attempt to track down those responsible. It’s almost impossible to know who the perpetrators are based on the bitcoin addresses they give to victims, according to Elliptic, but once the bitcoins are moved from that address, it can be tracked, potentially helping lead to the culprits.
"There are things you can do to identify the actors behind suspicious addresses or transactions," says Kevin Beardsley, head of business development at Elliptic, which also works with law enforcement.