Keith Collins | Quartz | May 18, 2017 | 0 Comments

Victims of the WannaCry Ransomware Attacks Have Stopped Paying Up


In the wake of the ransomware attack May 12, which affected nearly 300,000 computers across the globe, victims had to decide whether to pay up.

The message on their computers said their files would be unlocked if they sent $300 to one of three bitcoin addresses. If they didn’t pay within three days, the message said, the price would double. A few days after that, their files will be deleted without payment.

As with all bitcoin addresses, the associated accounts, typically called wallets, are accessible to the public. After the ransomware hit May 12, the whole world could watch these wallets as payments started coming in. We set up a Twitter bot that tweets each time it sees a new payment to one of the accounts.

On the first day, 36 payments of $200 or more hit those accounts. On the second day, there were 41. The peak was on Monday, May 15, when 69 payments of $200 or more hit the accounts.

But today, as of 4 p.m. EDT, there have been just six significant payments.


By now, the majority of infected computers, which are all Windows PCs that were vulnerable because they hadn’t been updated since Microsoft released a patch in March, have likely seen their ransom double to $600. And victims have found little incentive to pay, amid widespread reports that even if they do, the hackers still won’t give them the key to decrypt their files.

So far, about 215 payments of $200 or more have hit the the wallets associated with the attack, which now have a collective balance of about $80,000. Many have pointed out that isn’t much of a payoff for an attack that locked doctors in the U.K. out of patient records and forced emergency rooms to turn away ambulances.

The majority of payments to the wallets, at the time of their transactions, were either between $200 and $400, or under $100. The payments between $200 and $400 were likely to be the $300 ransom requested, but because of the rapidly changing bitcoin exchange rate, the value of the payments varied.

Many of the payments under $100 were actually for less than a dollar. That could be because of reluctant victims who wanted to test sending money in bitcoin before sending the ransom, but at the moment, it remains a mystery.

Leaving out those payments, all three wallets received payments that averaged between $250 and $450 each day.


It’s possible there will be another burst of payments as victims get closer to their deadlines. If they don’t pay the $600, the ransomware says it will delete all of their files. Experts have continuously said a payment at this point is essentially a donation to a criminal enterprise, and that victims should consider their files lost.

malware tracker on shows of the 292,000 infected systems, only 360 are currently turned on and active. A second strain of the ransomware was released soon after the first, but was quickly curbed by security researchers. Many experts have warned a more sophisticated version of this ransomware that doesn’t include a “kill-switch,” as the others have, the impact could be far greater.


Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.