NotPetya Ransomware Hackers Want 100 Bitcoins for Decryption Keys

The story of last week’s NotPetya ransomware outbreak has taken an unexpected turn. The ransomed funds have remained idle in a Bitcoin wallet ever since the attack was mitigated by Ukrainian authorities, but now the money is on the move. Someone claiming to be behind the attack has withdrawn the funds and posted a new ransom demand. For the low price of 100 Bitcoins, he or she will hand over the master decryption keys for the NotPetya malware.

The NotPetya ransomware started hitting computers in late June, just weeks after the similar WannaCry attack occurred. In fact, both pieces of malware used the EternalBlue Windows exploit exposed by leaked NSA documents. Like all ransomware, NotPetya encrypts files when it hits a new machine, then pops up a notice to send Bitcoins to a certain address in exchange for the key. NotPetya came with the added bonus of deleting certain system-level files, which rendered machines unable to boot. It appears the intention was never to provide the encryption keys at all.

That makes the latest move all the more confounding. The Bitcoin blockchain is public, so researchers and authorities were watching the wallet address that received payments for NotPetya. The wallet was sent around four Bitcoins, which is worth over $10,000. At $300 per ransom, that means more than 30 victims paid up, and they probably got nothing in return.

The funds were suddenly withdrawn from the wallet yesterday and routed to three other wallets. One was a previously empty wallet set up by whoever moved the money. The other two are owned by PasteBin and DeepPaste, services often used by hackers to announce their exploits.

Shortly after the transfer, the Tor-only DeepPaste posted a message allegedly from the NotPetya author demanding 100 Bitcoins in exchange for the master decryption keys. The message says no boot disks can be recovered (because of those deleted files), but files that were encrypted can be recovered. If someone bought the key, they could theoretically try to extort funds from those already infected with the malware. However, they’d have to be very successful at it to make back the $261,000 investment.

It’s still unknown who was behind the attack. Ukraine, which was the target of most Petya infections, has blamed Russia. Cybersecurity experts are surprised the money was moved at all, as it would be difficult to withdraw it anyplace without being tracked. It’s possible the entire thing is a ruse intended to deflect investigators, but only someone involved with NotPetya could have accessed the Bitcoin wallet. They’re still out there.

ExtremeTech