And what explains it?
Notwithstanding the havoc that it has wreaked throughout the world, the WannaCry ransomware has fetched, for the attackers, less than USD 65,000—that is approximately INR 40 lakhs.
According to a Twitter bot, @actual_ransom that is tracking the payments to the three bitcoin wallets that are tied to the WannaCry ransomware, at the time of writing this (IST 15:30 16 May 2017), the three accounts had collectively received USD 64,472 from 233 payments. That is 36.0628 in bitcoin value.
The chart below depicts the number of payments (blue bars) and the total amount received (red line) by the three accounts over time—starting with 1.30 AM on Sunday to 3.30 PM today (Tuesday).
As can be seen, except for between 9.30 AM to 5.30 PM on 15 May (Monday), where a slight acceleration in payment was observed, it has by and large been uniform.
While the average value is quite close to the amount demanded by the attackers—that is USD 300—there has been a slight drop in the average value of actual payment over the two days. The average value has dropped from a high of USD 295 around USD 270 now.
So, what explains such a low return for the attackers?
First and foremost, as it can be seen, very few have paid. Globally, only 233 payments have been made.
This could be because while the attack has had width—both in terms of geography and number of users impacted—it lacked depth. Largely the older machines were affected. These could well have stored some critical information by some support functions (like accounts) but are rarely used in front-end operations systems. As a result, while most users—like Deutsche Bahn, the German rail operator or NHS hospitals in UK or Telefonica in Spain—have admitted to getting affected, they have clarified that operation has not been impacted. This is in sharp contrast to a small outage at the data center of Delta Airlines last August which almost halted the operations of the U.S based Airlines for several hours.
Since there has been no impact on operations, few have come forward to pay the ransom.
In that sense, a high-visibility, low impact attack like this is a low cost lesson for the entire business community and the governments. It woke them up, hopefully—we still do not know the full impact—with a small cost.