If you follow me on Twitter or monitor @Rapid7’s Community Blog you know I’ve been involved a bit in the WannaCry ransomworm triage.

One thing I’ve been doing is making charts of the hourly contribution to the Bitcoin addresses that the current/main attackers are using to accept ransom payments (which you really shouldn’t pay, now, even if you are impacted as it’s unlikely they’re actually giving up keys anymore because the likelihood of them getting cash out of the wallets without getting caught is pretty slim).

There’s a full-on CRAN-ified Rbitcoin package but I didn’t need the functionality in it (yet) to do the monitoring. I posted a hastily-crafted gist on Friday so folks could play along at home, but the code here is a bit more nuanced (and does more).

In the spirit of these R⁶ posts, the following is presented without further commentary apart from the interwoven comments, with one exception: this method captures super-micro-payments that do not necessarily translate 1:1 to victim count (it’s well within ball-park estimates, but not precise without introspecting each transaction).

library(jsonlite)
library(hrbrthemes)
library(tidyverse)

# the wallets accepting ransom payments

wallets <- c(
  "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
  "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
  "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
)

# easy way to get each wallet info vs bringing in the Rbitcoin package

sprintf("https://blockchain.info/rawaddr/%s", wallets) %>%
  map(jsonlite::fromJSON) -> chains

# get the current USD conversion (tho the above has this, too)

curr_price <- jsonlite::fromJSON("https://blockchain.info/ticker")

# calculate some basic stats

tot_bc <- sum(map_dbl(chains, "total_received")) / 1e8 # satoshis -> bitcoin
tot_usd <- tot_bc * curr_price$USD$last
tot_xts <- sum(map_dbl(chains, "n_tx"))

# This needs to be modified once the counters go above 100 and also needs to
# account for rate limits in the blockchain.info API

chains2 <- list() # stays empty when no wallet has more than 50 transactions
paged <- which(map_dbl(chains, "n_tx") > 50)
if (length(paged) > 0) {
  sprintf("https://blockchain.info/rawaddr/%s?offset=50", wallets[paged]) %>%
    map(jsonlite::fromJSON) -> chains2
}

# We want hourly data across all transactions (bucketed in GMT to match the axis label)

map_df(chains, "txs") %>%
  bind_rows(map_df(chains2, "txs")) %>%
  mutate(xts = anytime::anytime(time),
         xts = as.POSIXct(format(xts, "%Y-%m-%d %H:00:00", tz = "GMT"), tz = "GMT")) %>%
  count(xts) -> xdf

# Plot it

ggplot(xdf, aes(xts, y = n)) +
  geom_col() +
  scale_y_comma(limits = c(0, max(xdf$n))) +
  labs(x = "Day/Time (GMT)", y = "# Transactions",
       title = "Bitcoin Ransom Payments-per-hour Since #WannaCry Ransomworm Launch",
       subtitle=sprintf("%s transactions to-date; %s total bitcoin; %s USD; Chart generated at: %s EDT",
                        scales::comma(tot_xts), tot_bc, scales::dollar(tot_usd), Sys.time())) +
  theme_ipsum_rc(grid="Y")
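
The caveat above about micro-payments can be checked by introspecting each transaction. The following is an added example, not part of the original post: it sums the outputs paid to the wallet in each transaction and separates micro-payments from candidate ransom payments. The sample JSON is constructed in the shape of a `rawaddr` response, and the function name `received_per_tx` and the `min_satoshi` cutoff are assumptions chosen for illustration.

```r
library(jsonlite)
library(tidyverse)

# Constructed sample shaped like a blockchain.info rawaddr response;
# addresses, hashes and values are placeholders, not real chain data.
sample_json <- '{
  "address": "WALLET_PLACEHOLDER",
  "txs": [
    {"hash": "tx-a", "time": 1494600000,
     "out": [{"addr": "WALLET_PLACEHOLDER", "value": 17000000},
             {"addr": "CHANGE_PLACEHOLDER", "value": 500000}]},
    {"hash": "tx-b", "time": 1494603600,
     "out": [{"addr": "WALLET_PLACEHOLDER", "value": 10000}]},
    {"hash": "tx-c", "time": 1494607200,
     "out": [{"addr": "OTHER_PLACEHOLDER", "value": 9000000}]}
  ]
}'

# Hypothetical helper: amount each transaction actually paid *to* the wallet.
# min_satoshi is an assumed cutoff for "too small to be a ransom payment".
received_per_tx <- function(chain, min_satoshi) {
  wallet <- chain$address
  tibble(
    hash = chain$txs$hash,
    time = as.POSIXct(chain$txs$time, origin = "1970-01-01", tz = "GMT"),
    # %in% (not ==) so outputs without an address count as non-matching
    satoshi = map_dbl(chain$txs$out, ~ sum(.x$value[.x$addr %in% wallet]))
  ) %>%
    filter(satoshi > 0) %>% # drop transactions that pay nothing to the wallet
    mutate(btc = satoshi / 1e8,
           kind = if_else(satoshi >= min_satoshi,
                          "candidate payment", "micro-payment"))
}

chain <- fromJSON(sample_json)
per_tx <- received_per_tx(chain, min_satoshi = 1e6) # assumed cutoff: 0.01 BTC
print(per_tx)
print(count(per_tx, kind))
```

Mapping the same function over `chains` gives a per-wallet breakdown, so the hourly chart can count only candidate payments.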

I hope all goes well with everyone as you try to ride out this ransomworm storm over the coming weeks. It will likely linger for quite a while, so make sure you patch!
