New Wanna Decryptor Ransomware Locks Your Files in Exchange for Bitcoins
A new ransomware made headlines around the world on Friday. The “Wanna Decryptor” ransomware has spread to more than 74 countries. In the UK, the ransomware wreaked havoc on the national medical system, locking doctors out of patient records and closing emergency rooms across the country.
Like most ransomware on the internet today, Wanna Decryptor demands you send Bitcoins to an address in order to unlock your computer. After locking your files, the ransomware demands you send the equivalent of $300 or $600 USD to a Bitcoin address.
The Wanna Decryptor malware exploits a known vulnerability discovered last month in Windows. That vulnerability was leaked onto the internet by a hacking group called Shadow Brokers, which claimed it had stolen the exploits from the US’s National Security Agency (NSA).
You Can Watch the Ransomware’s Bitcoin Wallets Receive Money in Real-Time
One of the coolest things about Bitcoin is the transparency of the payment platform. The platform is so transparent that you can watch the addresses associated with Wanna Decryptor receive their Bitcoin ransoms in real time.
At last count, the ransomware had infected 45,000 systems over a 24-hour period, which means payments are pouring into these addresses.
Security firm Quartz found the addresses and photos of the Bitcoin accounts on social media and tracked how much money each account had received.
You can see this tweet, for example, where the airport in Frankfurt got hit with the ransomware. The address in that post is clearly visible as 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw. So far, that account has received 8 payments for a total of 1.33 BTC, working out to about $2,300 USD. This specific version of the ransomware demands payments of $300 in exchange for unlocking your files.
— Marco (@Avas_Marco) May 12, 2017
Another tweet identified the malware spreading through a lab at the university. The Bitcoin address associated with that version of the ransomware is 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. So far, that wallet has received 13 payments for a total of 2.42 BTC, or about $4,200 USD. Like the previous version, it demands payments of $300.
A ransomware spreading in the lab at the university pic.twitter.com/8dROVXXkQv
— 新ミームｓｔｅｒｃｈｅｆ (@dodicin) May 12, 2017
Finally, we have wallet 3, spotted by someone monitoring the NHS’s systems. The wallet associated with that version of the ransomware can be found at the address 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Bitcoin records show that the wallet has received 7 payments for a total of just over 1 BTC, worth around $1,720 USD.
— Shaun Lintern (@ShaunLintern) May 12, 2017
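The wallet tracking described above starts from addresses read off screenshots and photos, so a one-character transcription slip would silently point a monitor at the wrong wallet. As an added example (not code from the article or from Quartz), this Python code checks each address's Base58Check checksum before tallying payments to it; the function names are hypothetical and the transaction outputs are constructed sample data, not real payments.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# The three addresses quoted in the article above.
WATCHED = ["12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
           "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
           "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"]

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA-256(SHA-256(payload)), as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Version byte + 20-byte hash -> Base58Check string (used to build test data)."""
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match the checksum of the first 21."""
    if not addr or any(ch not in B58 for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

def tally(outputs, watched):
    """Per valid watched address: (payment count, total satoshis). Integers avoid float drift."""
    totals = {a: (0, 0) for a in watched if is_valid_address(a)}
    for addr, sats in outputs:
        if addr in totals:
            count, total = totals[addr]
            totals[addr] = (count + 1, total + sats)
    return totals

if __name__ == "__main__":
    # Constructed outputs (address, satoshis); not real payment data.
    sample = [(WATCHED[0], 17_000_000), (WATCHED[1], 16_500_000), (WATCHED[0], 33_000_000)]
    for addr, (count, sats) in tally(sample, WATCHED).items():
        print(f"{addr}: {count} payments, {sats / 1e8:.8f} BTC")
```

Addresses that fail the checksum are dropped from the tally rather than reported with zero payments, so a mistyped address shows up as missing instead of looking like an unpaid wallet.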
It’s unclear if sending money to the BTC address really unlocks your files – or if it’s just a ruse to get more money. However, in previous ransomware attacks, paying the hacker through Bitcoin has been the only way to restore access to your files.
Ultimately, the Wanna Decryptor malware is one of the most successful ransomware programs to date – and you can watch its success unfold in real-time thanks to the magical transparency of the Bitcoin blockchain.
We will update this story on the WannaCry (Wanna Decryptor) ransomware cyberattack as it unfolds and keep you in the loop as to how these Bitcoin ransom payment demands play out.