1. Home >
  2. Internet & Security

NotPetya Ransomware Hackers Want 100 Bitcoins for Decryption Keys

Someone claiming to be behind the attack has withdrawn the funds and posted a new ransom demand.
By Ryan Whitwam
petya

The story of last week's NotPetya ransomware outbreak has taken an unexpected turn. The ransomed funds have remained idle in a Bitcoin wallet ever since the attack was mitigated by Ukrainian authorities, but now the money is on the move. Someone claiming to be behind the attack has withdrawn the funds and posted a new ransom demand. For the low price of 100 Bitcoins, he or she will hand over(Opens in a new window) the master decryption keys for the NotPetya malware.

The NotPetya ransomware started hitting computers in late June, just weeks after the similar WannaCry attack occurred. In fact, both pieces of malware used the EternalBlue Windows exploit exposed by leaked NSA documents. Like all ransomware, NotPetya encrypts files when it hits a new machine, then pops up a notice to send Bitcoins to a certain address in exchange for the key. NotPetya came with the added bonus of deleting certain system-level files, which rendered machines unable to boot. It appears the intention was never to provide the encryption keys at all.

That makes the latest move all the more confounding. The Bitcoin blockchain is public, so researchers and authorities were watching the wallet address(Opens in a new window) that received payments for NotPetya. The wallet was sent around four Bitcoins, which works out to over $10,000. At $300 per ransom, that works out to more than 30 victims paying up at $300 each. And they probably got nothing in return.

The funds were suddenly withdrawn from the wallet yesterday and routed to three other wallets. One was a previously empty wallet set up by whoever moved the money. The other two are owned by PasteBin and DeepPaste, services often used by hackers to announce their exploits.

petya_statement

Shortly after the transfer, the Tor-only DeepPaste posted a message allegedly from the NotPetya author demanding 100 Bitcoins in exchange for the master decryption keys. The message says no boot disks can be recovered (because of those deleted files), but files that were encrypted can be recovered. If someone bought the key, they could theoretically try to extort funds from those already infected with the malware. However, they'd have to be very successful at it to make back the $261,000 investment.

It's still unknown who was behind the attack. Ukraine, which was the target of most Petya infections, has blamed Russia. Cybersecurity experts are surprised the money was moved at all, as it would be difficult to withdraw it anyplace without being tracked. It's possible the entire thing is a ruse intended to deflect investigators, but only someone involved with NotPetya could have accessed the Bitcoin wallet. They're still out there.

Tagged In

Ransomware Security Malware Notpetya Bitcoins

More from Internet & Security

Examples of posts with Meta's "Made with AI" label on them.
Meta Will Begin Labeling AI-Generated Content. Is It Enough to Combat Misinformation?
By Adrianna Nine
Close-up of the YouTube listing in the iPadOS App Store.
YouTube Cracks Down on Third-Party Media Players That Block Ads
By Adrianna Nine
Someone typing on a computer keyboard.
US Cybersecurity Agency Will Review Malware Samples Sent by the Public
By Adrianna Nine
Twitter fire
Twitter Tries, Fails, to Swap its URLs for X.com
By Ryan Whitwam
iPhone face-down on a table.
iPhone Users in 92 Countries Receive Warning About 'Mercenary Spyware Attack'
By Adrianna Nine
Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use(Opens in a new window) and Privacy Policy. You may unsubscribe from the newsletter at any time.
Thanks for Signing Up