The recent WannaCry outbreak is still a mystery. We know what (ransomware), and how (a Windows vulnerability on unsupported or unpatched systems); but we don’t know who or why. We’re not short of theories: Lazarus, North Korea, some other nation-state actor, Chinese or Russian actors — but none of these has gained general acceptance.
The basic problem is that elements of WannaCry just don’t make sense. The scale and rapidity of its spread, although not unprecedented, point to expertise and resources. This, together with some code similarities, has led to suggestions that it was a nation-state attack emanating from North Korea.
But inefficiencies in collecting the ransom are not likely from a group as experienced as Lazarus; and the absence of any visible political motive throws doubt on the idea that any nation-state actor was involved.
Thycotic’s cyber security and digital forensics expert, Joseph Carson, has an alternative theory: the motive behind WannaCry was effectively insider trading following currency manipulation. Bitcoin was the real target.
If he is right, it explains the efficiency of the attack (the primary motive) and the inefficiency of the ransom collection (which was neither part of nor important to the plan).
Talking to SecurityWeek, Carson explained that one common theory on the value of Bitcoin is an application of Metcalfe’s Law. Metcalfe’s Law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²) (Wikipedia). Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, has applied this to Bitcoin: “The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R² = 0.82) between number of users and price.”
This is Carson’s starting point. If you want to manipulate Bitcoin value, he told SecurityWeek, you cause a sudden increase in the number of users. This is most easily measured by the number of Bitcoin wallets in existence. A global ransomware outbreak, demanding payment by Bitcoin, would certainly have such an effect: both direct victims and judicious organizations are likely to obtain wallets.
“WannaCry,” he suggested, “was a sleight of hand, a deception. The ransomware was merely a mechanism to get a large number of people to open a Bitcoin wallet — and that by itself would drive up the value of Bitcoin.” It could almost be described as a version of insider trading based on a sophisticated form of ‘pump and dump’: the criminals could invest in Bitcoin, pump its value through encouraging the growth of wallets, and then dump the Bitcoin to take their profits.
This theory is supported by Bitcoin currency movement during May. The following details come from CryptoCompare.com. On May 1, Bitcoin was reported reaching an all-time high of $1,379.28. The price grew steadily and consistently until May 11 when it reached $1,817 on the eve of WannaCry. On May 12, WannaCry Day, it fell back by 3.93% to $1,776.95. Did criminals slowly drive up the price by their own investment in Bitcoin, ceasing further activity as soon as WannaCry was released?
On May 13, Bitcoin fell another 3.28% to $1,735.03; and again on May 14 by 2.99% to $1,684.44. But it’s what happened next that is interesting. On May 17, CryptoCompare reported, “Bitcoin is up 5.82% at $1,785.22.” On May 18 it was $1,821.24. On May 19 it was $1913. On May 20 it was $2,158, and it just kept going — until, on May 26, CryptoCompare reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.”
Three days later, it reported, “Bitcoin has dropped 5.33% in the last 24 hours. Volumes are quite high, with over $580M dollars exchanged in the USD market, more than half a billion. The Bitcoin pull back is associated with profit taking following several days of rally.” During this period, Bitcoin peaked at $2720 — almost exactly twice the price it started the month.
The simple reality is that these figures would support Carson’s theory: the primary purpose of WannaCry was a deceptive means of currency manipulation. This was currency manipulation on a massive scale.