In the wake of the ransomware attack May 12, which affected nearly 300,000 computers across the globe, victims had to decide whether to pay up.
The message on their computers said their files would be unlocked if they sent $300 to one of three bitcoin addresses. If they didn’t pay within three days, the message said, the price would double. A few days after that, their files will be deleted without payment.
As with all bitcoin addresses, the associated accounts, typically called wallets, are accessible to the public. After the ransomware hit May 12, the whole world could watch these wallets as payments started coming in. We set up a Twitter bot that tweets each time it sees a new payment to one of the accounts.
On the first day, 36 payments of $200 or more hit those accounts. On the second day, there were 41. The peak was on Monday, May 15, when 69 payments of $200 or more hit the accounts.
But today, as of 4 p.m. EDT, there have been just six significant payments.
By now, the majority of infected computers, which are all Windows PCs that were vulnerable because they hadn’t been updated since Microsoft released a patch in March, have likely seen their ransom double to $600. And victims have found little incentive to pay, amid widespread reports that even if they do, the hackers still won’t give them the key to decrypt their files.
So far, about 215 payments of $200 or more have hit the the wallets associated with the attack, which now have a collective balance of about $80,000. Many have pointed out that isn’t much of a payoff for an attack that locked doctors in the U.K. out of patient records and forced emergency rooms to turn away ambulances.
The majority of payments to the wallets, at the time of their transactions, were either between $200 and $400, or under $100. The payments between $200 and $400 were likely to be the $300 ransom requested, but because of the rapidly changing bitcoin exchange rate, the value of the payments varied.
Many of the payments under $100 were actually for less than a dollar. That could be because of reluctant victims who wanted to test sending money in bitcoin before sending the ransom, but at the moment, it remains a mystery.
Leaving out those payments, all three wallets received payments that averaged between $250 and $450 each day.
It’s possible there will be another burst of payments as victims get closer to their deadlines. If they don’t pay the $600, the ransomware says it will delete all of their files. Experts have continuously said a payment at this point is essentially a donation to a criminal enterprise, and that victims should consider their files lost.
A malware tracker on MalwareTech.com shows of the 292,000 infected systems, only 360 are currently turned on and active. A second strain of the ransomware was released soon after the first, but was quickly curbed by security researchers. Many experts have warned a more sophisticated version of this ransomware that doesn’t include a “kill-switch,” as the others have, the impact could be far greater.