NotPetya Ransomware Hackers Surface Asking $250K for Master Key, Decrypt Test File as Proof

In Archive, Hacking on July 6, 2017 at 1:22 PM


Lorenzo Franceschi-Bicchierai & Joseph Cox/Motherboard (1)(2):

In an unexpected twist on Tuesday, the hackers gave their first sign of life since the attack.

At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet. A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.

At 9:23 PM UTC, and 9:20 PM UTC, around 11 minutes and 12 minutes before the hackers made the two donations, someone claiming to be behind NotPetya posted an announcement on DeepPaste and Pastebin.

The authors of the announcement asked for 100 bitcoin (roughly $256,000 at the time of writing) in exchange for the private key that supposedly decrypts any file encrypted with the NotPetya ransomware. Curiously, the authors didn’t provide a bitcoin address to which the payment should be sent, but did publish a link to a dark web chatroom where people could contact them.

In an interview in the chatroom, someone purporting to be one of the hackers told Motherboard that the price was so high because it’s for the key “to decrypt all computers.”

“Are you interested in my offer?” they asked, offering to decrypt one file for free to prove they were legitimate. So we asked Anton Cherepanov, a researcher from cybersecurity company ESET, to send us a file encrypted with NotPetya. Cherepanov said he ran the malware on a virtual machine and sent us two files: a normal Word document containing information about Microsoft software, and the same file encrypted with NotPetya. The version of the file encrypted with NotPetya contained gibberish when opened in a word processor.

Around two hours after we provided the hackers with the encrypted file, they sent us the decrypted file, which matched the original, clean Word document.

This suggests the hackers do indeed have a key capable of unlocking files infected with NotPetya.

Both Cherepanov and Matthieu Suiche said that there are bugs in the ransomware that might prevent hackers from decrypting files larger than 1MB. (The file we sent the hackers was around 200KB.) Motherboard sent the hackers an additional file, but by that time the hackers had become unresponsive. Multiple other journalists noted on Twitter that the hackers did not respond to their questions.

Separately from this test, Cherepanov and a security researcher known as MalwareTech, both of whom have analyzed NotPetya, said that the hackers in the chatroom proved that they have access to NotPetya code. The hackers used the NotPetya private encryption key to sign the announcement they published on Pastebin and DeepPaste on Tuesday.

“They have key, so must be same people,” Cherepanov told Motherboard in an online chat.
