Skip to main content
banner image
venafi logo

Expert Says WannaCry Aimed Higher than Ransom Money: Authors Wanted to Manipulate Financial Markets

Expert Says WannaCry Aimed Higher than Ransom Money: Authors Wanted to Manipulate Financial Markets

May 30, 2017 | David Bisson

A security expert believes the authors of WannaCry ransomware were primarily interested in Bitcoin insider trading. If this is true, then this type of misuse of encryption would prove to be much more egregious than simply stealing money or information. It could be used to achieve much larger gains by manipulating the value of cryptocurrency. And that’s only a hop, a skip and a jump from more serious market manipulations.  

On 12 May, an updated version of WannaCry ransomware hit the National Health Service (NHS) of England, the telecommunications provider Telefonica, and numerous other companies. It didn't target these entities specifically but spread via a Windows vulnerability using attack code developed by the NSA and leaked by the Shadow Brokers hacker group. Within days, it had spread to over 150 countries and affected more than 200,000 organizations.

The week following the ransomware's global outbreak, reports emerged of bugs in WannaCry's decryption method. These flaws prevented victims from recovering their files even if they paid the attackers. Some feel the issues were inadvertent and resulted from the attackers' desire to leverage the NSA's exploit before anyone else could. Others suspect the actual decryption of victims' files, and therefore a sustainable ransomware business model, had nothing to do with it.

Joseph Carson, a digital security expert at password management software provider Thycotic, told Security Week that the attackers developed WannaCry not to collect ransom payments but to manipulate the value of Bitcoin. He believes the actors sought to increase the cryptocurrency's worth with a proportional growth in the number of Bitcoin owners. By demanding Bitcoin-based ransom payments from so many victim companies, Carson reasons, the attackers thought they could generate more transactions and thereby elevate the cryptocurrency's worth.

The notion that more users could increase the value of something like Bitcoin isn't new. Back in 1980, an electrical engineer named Robert Metcalfe formulated the basis of what came to be known as Metcalfe's Law. The theory asserts that the monetary value of a telecommunications network is proportional to the square of the number of users of that network.

Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, shared on Reddit how Bitcoin's value agrees with principles like Metcalfe's Law:


"The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R2 = 0.82) between number of users and price. All these things are not understood by too many people, unfortunately. Also the price doesn't grow linearly with the number of users but instead with the power of 1.45 of the number of users. That is nice because for the price to increase 1000 times you need only 140 times the number of users of today."

If WannaCry's authors indeed sought to manipulate Bitcoin's value, their efforts proved successful. The cryptocurrency's value increased by 5.82 percent on 17 May. It then rose every day thereafter, peaking at $2,720, until 26 May when it fell by 5.33 percent due to what CryptoCompare called, "profit taking following several days of rally."

The developers of WannaCry are unlikely to reveal whether they used their ransomware purely for insider trading. But the thought that attackers would misuse malware with encryption capabilities to manipulate financial markets is no laughing matter. Neither is the idea that bad actors could abuse organizations' expired keys and certificates to deploy threats like WannaCry in the first place.

To counter the expanding flood of malware, organizations should take responsibility for their keys and certificates. This process ought to begin with an investment into a solution that allows them to monitor their keys and certificates for anomalous behavior.

Improve your organization's visibility today.

Like this blog? We think you will love this.
Featured Blog

How DoS/DDoS Attacks Impact Machine Identity, Digital Certificates

For safe and secure utilization of machine identities such as SSL/TLS cer

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more