Whoever is in control of the NotPetya bitcoin wallet has moved around $10,000 of funds, and a mysterious group has offered to unlock all of the ransomed files.
Hackers connected to the disruptive world-wide ransomware attack that crippled Ukraine and hit computers all over the world have surfaced online. Bitcoin sent to the hackers by victims has been moved from an online wallet, and someone seemingly connected to the group is now asking for more money.
On June 28, unknown hackers unleashed a ransomware attack in part via booby-trapped software updates from a Ukrainian financial software company, hitting several Ukrainian companies, as well as the international law firm DLA Piper, the UK-based advertising and public relations firm WPP, among thousands of others. The hackers used a variant of a type of ransomware known as Petya, which led some security researchers to call this one NotPetya.
Despite the reach and disruptiveness of the ransomware, which seemed to indicate it was made by sophisticated attackers, the hackers didn’t set it up in a way that it’d be easy for victims to pay. In fact, some security researchers reached the conclusion that the hackers’ real goal was to wipe computers, while pretending to infect them with ransomware. In other words, the hackers didn’t really care about getting money, and just wanted to wreak havoc.
In an unexpected twist on Tuesday, the hackers gave their first sign of life since the attack.
At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet. A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.
At 9:23 PM UTC, and 9:20 PM UTC, around 11 minutes and 12 minutes before the hackers made the two donations, someone claiming to be behind NotPetya posted an announcement on DeepPaste and Pastebin.
The authors of the announcement asked for 100 bitcoin (roughly $256,000 at the time of writing) in exchange for the private key that supposedly decrypts any file encrypted with the NotPetya ransomware. Curiously, the authors didn’t provide a bitcoin address where to send the payment, but did publish a link to a dark web chatroom where people could contact them.
In an interview in the chatroom, someone purporting to be one of the hackers told Motherboard that the price was so high because it’s for the key “to decrypt all computers.”
“Are you interested in my offer?” they asked, offering to decrypt a file for free as a test.
Motherboard could not confirm that the people who posted the announcement, as well as the people in the chatroom, were the hackers behind NotPetya. With the help of a security researcher, Motherboard provided the alleged hackers with an encrypted file, and the corresponding readme.txt file created with NotPetya, but the alleged hackers did not immediately provide the decrypted file.
Matt Suiche, a security researcher who has analyzed NotPetya, was skeptical about the alleged hackers’ motives, saying they are just “trolling journalists.”
“This is a fear, uncertainty and doubt case,” Suiche, who’s the founder of Comae Technologies, told Motherboard in an online chat. “This is a clear attempt from the attackers to try to further confuse the audience, by changing the wiper narrative into a ransomware one again.”
At this point, it’s unclear if the hackers behind NotPetya are the same people who wrote the announcement and asked for 100 bitcoin. But for the first time since the outbreak, whoever is in control of the NotPetya wallet has definitely moved the money, giving a new reason to researchers, law enforcement, and whoever else is tracking the hackers, to scratch their heads.