Money WannaCry was deduced into the untraceable crypto currency Monero / SurprizingFacts

August 3, the owners of WannaCry wallets withdrew their money, transferring in small parts to 7-10 BTC. According to the indications of the @actual_ransom bot, the contents of the purses were changed as follows:

August 3
52.19666422 BTC ($ 142,361.51) – 338 payments, 0 withdrawals
withdrawal of 7.34128314 BTC ($ 20,055.52 USD)
withdrawal of 8.73261636 BTC ($ 23,856.48 USD)
withdrawal of 9.67641378 BTC ($ 26,434.83 USD)
withdrawal of 7.6939288 BTC ($ 19,318.06 USD )
withdrawal of the BTC ($ 26,508.37 USD)

on the 4th of August
the withdrawal of the BTC ($ 24,598.95 USD)
0 BTC ($ 0) – 345 payments, 7 withdrawals

Obviously, the owners of the crypto-hijacker should try to anonymize the money. They could use the cleaning service, but still such services work within the framework of the pseudo-anonymous Bitcoin system, that is, traces still remain in the locker. Therefore, the attackers chose a more reliable option.

According to the Italian company Neutrino, which specializes in information security, the owners of the crypto-hijacker withdrew funds to the completely anonymous and untraceable digital currency of XMR (Monero), writes Ars Technica .

Like other crypto-currencies, Monero Based on a blockbuster, but uses a cryptographic scheme such as "ring signatures" to ensure anonymity.

Circular signatures are a simplified version of group signatures, designed for those cases when participants in the scheme do not wish to collaborate To work with each other, and the scheme does not provide for the presence of a manager (as opposed to group signatures). Circular signatures were developed by the authors of the RSA algorithm Rivest and Shamir, in co-authorship with Tauman.

Circular signatures

Circular signatures feature In that the person who signs the transaction establishes an arbitrary set of possible signers, including himself, and computes the signature exclusively independently, using his secret key and public keys of other users. In such a system, other participants may not even know that their public keys are used by an unknown person to sign a document they have never seen. Nevertheless, such a scheme is very effective and ensures anonymity of transactions, because when studying a detachment, the external observer can not tell which parties participated in the transaction.

The Monero payment system recently attracted attention when its support was announced by the hacker group Shadowbrokers (she stated that she will accept XMR as payment for her monthly Monthly Dump Service). It is interesting that this hacker group stole from the NSA and published the exploits of ETERNALBLUE and DOUBLEPULSAR with 0day-vulnerability in SMB. They were used by the crypto hacker. However, there is no evidence of a connection between Shadowbrokers and WannaCry.

But it is known that before WannaCry began to spread another malware, which used the same exploits and vulnerabilities. It had exactly the same propagation mechanism: port scanning, the use of the ETERNALBLUE exploit, and then the use of the DOUBLEPULSAR exploit. This malware was the cryptomayer Adylkuzz, which was called … correctly, Montero. The epidemic of Adylkuzz did not attract much attention, for the reason that malware did not cause much harm to infected systems: computers just started to work a little slower.

It should be noted that WannaCry owners chose not the most successful time for the output of bitcoins: Immediately after that the BTC jumped in price (on August 3 the rate was $ 2,814, and now $ 3,239).

And one more fact related to WannaCry: just a few days ago, after a hacker conference DEF CON, a 23-year-old British expert was detained On Information Security Marcus Hutchins (Marcus Hutchins), better known by the nickname MalwareTech. It was this guy who accidentally stopped the spread of WannaCry infection by registering a stop domain.

The Englishman already admitted that he wrote part of the code for the bank Trojan Kronos. Vmieste with accomplices, they sold at least one copy of the Trojan for $ 2000, and personally Hutchins is accused of retail sales program for another $ 7000. On Friday, August 4, Marcus was released on bail of $ 30 thousand, but he is forbidden to fly to his homeland. He must be in the US and wear a GPS tracker.