
NotPetya Ransomware Extortionists are Moving their Ill-Gotten Bitcoin

Last Updated March 4, 2021 4:57 PM
Francisco Memoria

As reported by CCN.com, last week a global ransomware campaign, using a strain dubbed NotPetya by Kaspersky Labs, hit computers in over 60 countries yet collected only a little over four bitcoins, worth just over $10,000. The payout is significantly lower than expected.

In May a ransomware strain known as WannaCry managed to raise over $130,000 in bitcoin from a global cyberattack. These recent payouts are relatively meaningless when compared to 2014’s CryptoWall ransomware, which managed to raise a whopping $325 million.

NotPetya’s bitcoin wallet, 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, didn’t receive a lot of bitcoin after security experts revealed that the ransomware used faulty encryption, making file recovery impossible even for victims who paid. Furthermore, the group’s email provider, German company Posteo, blocked their access to the account, preventing them from reading emails and replying with decryption instructions.

Now, a Twitter bot designed to track transactions associated with NotPetya’s ransomware wallet has revealed that the group is moving its bitcoins. Most of its earnings – 3.96298755 bitcoins, worth over $10,000 – were sent to a new address, 1Ftixp78FjTWFi3ssJjBw5NqKf5ZPQjXBb, and two smaller payments were sent to addresses belonging to PasteBin and DeepPaste.

It’s now believed the group is going to use a bitcoin mixing service to hide its tracks and get away with the amount raised from the cyberattack.

Selling NotPetya’s Decryption Key for 100 Bitcoins

The small transactions sent to PasteBin and DeepPaste, of about $300 each, are believed to prove the authenticity of messages posted on these websites, in which the extortionists offer NotPetya’s decryption key for 100 bitcoins (over $250,000). The messages read:

“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks)”

Near the end, the messages contained a link to a Deep Web Slack-like chat application, which Bleeping Computer used to reach out to the hackers. In the channel, a user named “petya”, supposedly representing NotPetya, ignored most questions but answered a few. According to Bleeping Computer, the group revealed that the key being sold is for the user-mode encryption module only, meaning that it will only decrypt files encrypted via the user-mode component.

Moreover, the group revealed it was willing to provide a demo of the private key to anyone willing to buy it, and that it had already received offers for it. However, it’s hard to comprehend why anyone would pay 100 bitcoins for the NotPetya private key.

Was the Attack Part of a Cyberwar?

As reported by The Guardian, the private key sale only raises further questions regarding NotPetya’s motives. At first, it was apparently a ransomware campaign launched by a group of extortionists trying to get as much money as possible.

Then, once it was revealed that the malware had faulty encryption, researchers started to believe the attack’s goal was to cause widespread damage, and that the ransomware element was a smokescreen hiding its true intentions. Now, the $250,000 offer seems to show cash might’ve been the motivation behind the attack after all. It could, however, be part of the ruse.

The attack’s main vector was the compromised accounting program ME Doc, used to file taxes in Ukraine, the most affected country. This led various experts, and the Ukrainian government, to believe it was all part of the ongoing cyberwar between Russia and Ukraine.

Featured image from Shutterstock.