With the National Health Service brought down to its knees, Spain’s telecom giant sent into chaos, car factories, universities, ministries, some one hundred countries affected, you’d think millions would be pouring into ransomer’s bitcoin addresses, but after 24 hours, only $30,000 worth of bitcoin has been sent to four known addresses.

The one that has received the most is the address screenshotted below. It’s the most active out of the four, receiving nearly 6 bitcoins in 27 transactions. Hardly much really considering the scale of this event. Worth just over $10,000.

The other three addresses seem to have stopped receiving payments, with the one that received the most being the address holding around 4.4 bitcoins, worth $7,500. Not quite nothing, but that’s just a month’s salary for a competent developer and for a sophisticated one it could probably be earned perhaps even in just one week through very legitimate means.

The third address has stopped receiving payments around mid-day too, except for tiny amounts probably sent by blockchain analysts to keep track of the address. The victims have sent just 3.1 bitcoins, with no real payment received for now some three hours.

The final address we have found appears to continue receiving payments, with one sent just a few minutes ago. In total, only 3.2 bitcoins have been sent. Hardly an amount worthy of bringing down an hospital.

It may well be the case there are far more addresses belonging to the ransomers. However, Elliptic, a blockchain analysis firm that works with law enforcement and financial institutions, publicly stated around 15 hours ago that just $15,000 had been paid to known ransom addresses.

That would have been sort of half-way through the past 24 hours, therefore it appears the known addresses are not much more than the four we have identified above, although, of course, there may be addresses that remain unknown.

Another reason for such low amounts may be because the ransomers only ask for $300, seemingly targeting home computers, but in yesterday’s and currently on-going incident, they appeared to be targeting LAN networks which are usually found in businesses, industry, hospitals and schools/universities.

Interestingly, the amounts required as well as some of the wording and formatting seem to differ. In the screenshot above, for example, they ask for $300, which isn’t really easy to manage because bitcoin’s price is very volatile. $300 worth one minute can be $250 the next or $500.

So, in the below screenshot, with slightly nicer headers, they ask for 0.3 bitcoins, a somewhat more manageable task, but also a bit more expensive because 0.3 bitcoins is worth $500.

It is probable that the ransomers, when designing the software, were likely targeting 0.3 bitcoins to be worth around $300, which was around March when 1 bitcoin was worth around $1,000, suggesting that’s probably around the time this malware was coded.

What’s interesting to note is that this malware has a drop-down menu which provides the victims the ability to read what it says in many languages. Its design, therefore, must have taken considerable time and resources, while being an international effort or organized at a state level.

Considering the latter, if the attack is by a state actor then the very small amounts in question might make sense as the aim may have been disruption guised as profit seeking hackers. Because, whoever was sufficiently smart to create this sophisticated software must have known few ordinary individuals would value their laptop data so much and would have instead re-formatted, but, LAN organizations, like universities or hospitals, might be sufficiently desperate to pay far more than $300 for what may be invaluable data.

So what we might be seeing here in the above four addresses may be individual institutions sending such laughably small amounts considering the incredible disruption caused. That means, logically, the primary suspects are state actors, who perhaps may be engaging in a trial run of bringing down other nation’s infrastructure.

However, it may just be hackers, we do not quite know. If it is, that raises questions regarding our own intelligence services. Specifically, how could individuals organize to such extent as being able to translate this into so many languages without MI5, CIA, KGB, Mossad or any of the other intelligence agencies being aware of such incredible capacities that have brought down a nation’s hospitals?