The ransom is on the move.
The Bitcoin wallet controlled by the NotPetya attackers showed surprising signs of life over the Fourth of July holiday weekend, with approximately $10,000 in paid ransom disappearing from the account. Around the same time, a message purporting to be from the culprits behind the maybe-ransomware attack surfaced — demanding 100 bitcoin in exchange for a key they say can unlock encrypted files.
At the time of writing, 100 bitcoin is worth approximately $260,000.
“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks),” read the message posted to Pastebin. “See the attached file signed with the key.”
As NotPetya, which first surfaced in Ukraine on June 27, has been shown to damage an infected computer’s master boot record, the person behind the message is only claiming to be able to decrypt specific files — not entire systems. Still, that ability could be a godsend for companies struggling to restore lost data, assuming the ransomer is telling the truth.
The new demand was posted on July 4, the same day ransom payments made in the hopes of obtaining decryption keys were moved from the Bitcoin address listed in the initial NotPetya attack to another wallet.
No new Bitcoin address was listed for payments should anyone decide to actually fork over the 100 bitcoin. However, a link was provided to a chatroom for the purpose of getting in touch with the hackers and presumably arranging payment.
Motherboard exchanged messages with someone claiming to be one of the hackers, who told the publication the key for sale would “decrypt all computers.”
So, should organizations desperate for their data pay up? It’s a tough question. Security researchers have more or less reached a consensus that the intention behind NotPetya was to damage cyber-infrastructure, not to make money. As such, the calculus for victims is different than it would be with a more traditional form of ransomware.
Either way, this latest series of developments — the transfer of funds between Bitcoin wallets and the new demand — serves to further muddy the waters behind the NotPetya attack. It also makes one thing clear: The story of the latest ransomware scourge to sweep the globe is not over yet.