NotPetya Hackers Demand $258,000 Payment in Bitcoin to Decrypt Locked Files


The hackers behind the NotPetya ransomware have emerged again. This time they are demanding a one-off payment of 100 bitcoins to unlock victims’ files.

On 27th June, reports emerged of a global cyberattack that started in Ukraine, crippling its computer systems. Infecting some of the world’s biggest organisations, the ransomware hit around 2,000 computers across 60 countries and demanded a payment of $300 worth of bitcoin in exchange for a decryption key.

However, shortly after NotPetya infiltrated computer systems, victims who had paid the demand found that they still couldn’t gain access to their files.

Now, in a questionable move, the creators behind the cyberattack have resurfaced, demanding payment to unlock victims’ files.

In a post on Pastebin, an unnamed party wrote:

“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks).”

At the time of publishing, 100 bitcoins is worth $258,000.

Similar to WannaCry

In May, a global cyberattack that started in the U.K. eventually hit 230,000 computers in 150 countries. Known as WannaCry, it used the Eternal Blue exploit to take advantage of system vulnerabilities.

The NotPetya ransomware is similar to WannaCry in that it also employs the Eternal Blue exploit; however, it also uses an SMB network spreading technique, meaning it can still spread within organisations that have already patched against Eternal Blue.

Unlike WannaCry, which was stopped via a kill switch, there were fears that the files locked by NotPetya might never be recovered. The email address the hackers used to communicate with victims and confirm who had paid the ransom was quickly blocked by the company providing it. With no access to that email, the hackers couldn’t deliver the decryption key to those who had paid, leaving many in a state of limbo.

Moving Bitcoin

Meanwhile, on Tuesday 4th July the hackers behind the NotPetya cyberattack moved over $10,000 worth of bitcoin out of the wallet victims had been paying into and into a new wallet. Just over $115 worth of bitcoin remains in the old wallet.

Interestingly, at the same time the funds were moved to the new wallet, two separate transactions of around $300 each were sent to accounts used by the websites Pastebin and DeepPaste.

Shortly after that, posts were made on the websites by someone claiming that they had the decryption key that would unlock victims’ files. However, some are questioning the motives behind these posts and wondering what the next step will be from the criminals.

Possible Smokescreen

Significantly, some reports claim that the 100 bitcoin payment demand by the NotPetya hackers could be a smokescreen, and that the real aim is not to make money but to create widespread panic.

According to an information security researcher by the name of grugq, the NotPetya software was “not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’.”

Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, agrees, saying on the Krebs on Security blog that:

“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware. The best way to put it is that Petya’s payment infrastructure is a fecal theater.”

A report from Forbes claims that Ukraine believes this is a misdirection by cybercriminals backed by Russia; however, the Kremlin has denied any such claim.

The $1 Million Ransom

What happens next remains to be seen, but it will be interesting to see whether victims pay the new demand in a bid to regain access to their files. This, however, isn’t the first time a company has paid a large sum of money to criminals to unlock its files.

In June, a South Korean web hosting firm was reported to have paid a record $1 million to hackers to put an end to a ransomware crisis that had been going on for over seven days.

While ransomware itself wasn’t anything new in the technologically advanced society we live in, what was notable was the amount paid and the fact that it was made public.

The ransomware, known as Erebus, infected 153 Linux servers as well as customers’ websites. It is capable of encrypting up to 433 file types, including office documents, databases, archives and multimedia files.

Unfortunately, this will no doubt pave the way for future hackers who launch ransomware cyberattacks for the money. With such a huge payout in the South Korean case, it’s plausible that more cases of this type will follow.

Bad Name for Bitcoin

Once again, though, it doesn’t paint the best picture for bitcoin.

As the world’s first digital currency, with a market cap of over $42 billion, it remains the payment of choice for criminals who want quick payment that is hard to trace.

At the time of publishing, bitcoin is trading at around $2,600, according to CoinMarketCap; however, it still hasn’t regained the previous highs that saw it pass the $3,000 mark for the first time on 11th June.

Who knows what will happen to the currency’s price in future, but bitcoin seems to have established itself to the point where a global cyberattack has little impact on its price. While its value will inevitably go up and down, many have projected that its future remains bright and that it will reach new heights.

So much so that a Saxo Bank analyst, who rightly predicted bitcoin would reach $2,000 in 2017, has said that bitcoin could be worth $100,000 each in 10 years’ time. For now, the currency is a long way off that price, but if its performance in the first half of 2017 is any indication, bitcoin could soon reach heights not seen before.

Featured image from Flickr via portal gda.