, someone has withdrawn funds acquired when victims paid ransoms. Almost three months on from the WannaCry ransomware outbreak, those behind the global cyberattack have finally cashed out their ransom payments.
The WannaCry epidemic hit organisations around the world in May, with the file-encrypting malware, which used a leaked NSA exploit, attacking Windows systems. It infected over 300,000 PCs, crippling systems across the Americas, Europe, Russia, and China. The UK's National Health Service was particularly badly hit by the attack, with hospitals and doctor's surgeries knocked offline, and some services not restored until days after the ransomware hit. WannaCry continued to claim victims even after the initial outbreak: June saw Honda forced to shut down a factory due to an infection, and speed cameras in Victoria, Australia also fell victim to the ransomware.
While the attack was certainly high profile, mistakes in the code meant many victims of WannaCry were able to successfully unlock systems without giving in to the demands of hackers. A bot tracking ransom payments says only 338 victims paid the $300 bitcoin ransom demand - not exactly a large haul for an attack which infected hundreds of thousands of computers.
In the months since the attack, the bitcoin wallets containing the money extorted by WannaCry were left untouched, but August 3 saw them suddenly start to be emptied. At the time of withdrawal, the value of the wallets totalled $140,000 thanks to changes in the valuation of bitcoin. Three separate withdrawals of between 7.3 bitcoin ($20,055) and 9.67 bitcoin ($26,435) were made in the space of a minute at 4:10am BST, accounting for around half of the total value of the extorted funds. Five minutes later, three more withdrawals of between seven bitcoin ($19,318) and 10 bitcoin ($27,514) were made in the space of another 60 seconds. Ten minutes later, a final withdrawal was made, emptying the remaining bitcoin from the WannaCry wallets.
There's no official confirmation of who carried out the attack, but both private cybersecurity firms and investigating government agencies have pointed to North Korea as the culprit. A month after WannaCry, companies around the world found themselves being hit by another fast-spreading cyberattack in the form of Petya, which like WannaCry is still causing issues for some of those affected. Unfortunately, the success of WannaCry and Petya in terms of infection rates means many cybercriminal groups are attempting to copy the worm-like features of these viruses for their own ends.
Bitcoin-seeking hackers are using old-school tricks to socially engineer would-be cryptocurrency exchange executives, researchers warn. An attack group tied to North Korea has "launched a malicious spear-phishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company," researchers at Secureworks Counter Threat Unit warn in a report.
The CTU researchers refer to the group behind the attack as "Nickel Academy," although it is perhaps better known as the Lazarus Group (see Kaspersky Links North Korean IP Address to Lazarus). The group has been tied to numerous attacks, including the attempted theft of nearly $1 billion from the central bank of Bangladesh's New York Federal Reserve account, leading to $81 million being stolen; the WannaCry ransomware outbreak in May; and the use of cryptocurrency mining malware named Adylkuzz to attack the same flaw in Windows Server Message Block (SMB) that WannaCry also targeted (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).
Security researchers say Lazarus has also been running a series of job lure phishing attacks since at least 2016, with the latest round being delivered around Oct. 25 of this year. The malicious code has "solid technical linkages" to attacks previously attributed to Lazarus, CTU says (see Report: North Korea Seeks Bitcoins to Bypass Sanctions). Researchers at Israeli cybersecurity startup Intezer also believe the code has been reused by Lazarus, based on a review of attack code that's been seen in the wild since 2014.
The fake job advertisement pretends to be for Luno, a bitcoin wallet software and cryptocurrency exchange based in London, according to an analysis of the phishing messages published Tuesday by Jay Rosenberg, a senior security researcher at Intezer. Luno says it's been alerted to the fake emails bearing its name. "We're aware of this issue and are investigating thoroughly," Luno tells ISMG.
If recipients of the latest CFO job lure phishing emails open an attached Microsoft Word document, it triggers a pop-up message inviting them to enable editing functions. The CTU researchers say this is an attempt to enable macros in Word, so that a malicious macro hidden inside the document can execute. If it does, the macro creates a decoy document, the fake CFO job lure, and installs a first-stage remote access Trojan (RAT) in the background. Once the RAT is running on the victim's PC, attackers can use it to install additional malware onto the system, such as keystroke loggers and password stealers (see Hello! Can You Please Enable Macros?).
The CTU researchers say the job listing appears to have been stolen from a legitimate CFO job listing posted to LinkedIn by a cryptocurrency firm in Asia. While the researchers say that Lazarus has done this previously, unusually in this case, some typographical errors in the original listing were expunged. The researchers add that this phishing campaign does not appear to target any specific firm or individual, but rather to be more broadly aimed.
"There are common elements in the macro and in the first-stage RAT used in this campaign with former campaigns," the researchers write. The custom command-and-control network code that controls infected endpoints also includes components that were seen in previous attacks tied to Lazarus, they add.