The NotPetya situation took another turn earlier this week when around $10,000 was moved out of the bitcoin ransom wallet. Surprisingly, the hackers also made a new demand, asking for 100 bitcoins (around $256,000) in exchange for a private key that supposedly unlocks any file encrypted with the malware.
Three transfers out of the hackers’ bitcoin wallet took place on Tuesday. Two small amounts (0.1 bitcoins) were sent to accounts used by the Pastebin and DeepPaste text-sharing services. The rest went to an unknown address.
Just before the transfers, someone claiming to be responsible for NotPetya wrote a message on DeepPaste and Pastebin that read: "Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks)." It also contained a signature made with NotPetya’s private key, offered as proof that the message came from the malware’s creators.
Last week, researchers revealed NotPetya was primarily designed to damage infected systems by deleting their Master Boot Record. While the private key can’t repair entire systems, it can recover individual files.
No bitcoin address was provided to send the 100 bitcoins, but the hackers did publish a link to a dark web chatroom. When Motherboard interviewed one of those responsible, they said the price was so high because it’s a key “to decrypt all computers.”
While the evidence seems to indicate these are the people responsible for NotPetya, they have yet to prove it beyond doubt by demonstrating they can unlock an encrypted file with the key, despite being asked to do so by several publications.
Many claim NotPetya is actually wiper malware disguised to look like ransomware, and with Ukraine being hit harder than any other country, suspicion is pointing toward Russia as a state sponsor behind the attack. With this new development, are those responsible just trying to convince people that financial reward was their true goal all along?