Skip to navigationSkip to content

Victims of the WannaCry ransomware attacks have stopped paying up

@fendifille on Twitter
Nearly 300,000 infected, fewer than 300 have paid
  • Keith Collins
By Keith Collins

Tech Reporter

Published Last updated This article is more than 2 years old.

In the wake of the ransomware attack on May 12, which affected nearly 300,000 computers across the globe, victims had to decide whether to pay up.

The message on their computers said their files would be unlocked if they sent $300 to one of three bitcoin addresses. If they didn’t pay within three days, the message said, the price would double. A few days after that, their files will be deleted without payment.

All bitcoin addresses have associated accounts, typically called wallets, which are accessible to the public. After the ransomware attack on May 12, the whole world could watch the three bitcoin wallets the hackers had setup as payments started coming in. We setup a Twitter bot that tweets each time it sees a new payment to one of the accounts.

On the first day, 36 payments of $200 or more went into those accounts. On the second day, there were 41. The peak was on Monday, May 15, when 69 payments of $200 or more hit the accounts.

But today, as of 6 p.m. EDT, there were just eight significant payments.

Here’s what incoming payments to the three bitcoin wallets looked like by the hour:

By now, the majority of infected computers, which are all Windows PCs that were vulnerable because they hadn’t been updated since Microsoft released a patch in March, have likely seen their ransom double to $600. And victims have found little incentive to pay, amid widespread reports that even if they do, the hackers still won’t give them the key to decrypt their files.

So far, about 215 payments of $200 or more have hit the the wallets associated with the attack, which now have a collective balance of about $80,000. Many have pointed out that it isn’t much of a payoff for an attack that locked doctors out of patient records in the U.K. and forced emergency rooms to turn away ambulances.

The majority of payments to the wallets, at the time of their transactions, were either between $200 and $400, or under $100. The payments between $200 and $400 were likely to be the $300 ransom requested, but because of the rapidly changing bitcoin exchange rate, the value of the payments varied.

Many of the payments under $100 were actually for less than a dollar. That could be due to reluctant victims who wanted to test sending money in bitcoin before sending the ransom, but at the moment it remains a mystery.

Leaving out those small transactions, all three wallets received payments that averaged between $250 and $450 each day.

It’s possible that there will be another burst of ransom payments as victims get closer to their deadlines. If they don’t pay the $600, the ransomware says it will delete all of their files. Experts have continuously said that a payment at this point is essentially a donation to a criminal enterprise, and that victims should consider their files lost.

A malware tracker on shows that of the 292,000 infected systems, only 360 are currently turned on and active. A second strain of the ransomware was released soon after the first, but was quickly curbed by security researchers. Many experts have warned that if hackers develop a more sophisticated version of this ransomware–one that doesn’t include a “kill-switch,” as the others have–the impact could be far greater than what we’ve seen in the past week.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.