
NotPetya Hackers Move Virtual Ransom Funds

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Hackers empty bitcoin wallet of ransom funds and issue fresh ransom demand to unlock encrypted hard drives

The hackers behind the recent Petya ransomware attack have surfaced and attempted to access the ransom funds from the initial attack.

Last month the hackers had used a variant of Petya, dubbed NotPetya, to hit a number of Ukrainian companies as well as thousands of other companies all over the world.

And now it seems those hackers have attempted to access their ill-gotten loot and have issued a fresh ransom demand.

NotPetya Moved Ransom

On Tuesday evening the hackers reportedly accessed the ransom payments they had collected.

According to Motherboard, just over $10,000 (£7,900) of virtual currency has been moved from the Bitcoin address listed in the blackmail demand that appeared on hacked PCs.

“At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet,” said Motherboard. “A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.”

It is understood that the third and largest of the transfers went to an address that had previously been empty.

But the hackers were not stopping there, as it seems they have issued a fresh ransom demand on DeepPaste and Pastebin.

They are demanding 100 bitcoin (approximately $256,000 or £198,000) in exchange for the private key that decrypts any file encrypted with the NotPetya ransomware. However, the authors of the announcement did not include a bitcoin address to which the payment should be sent.

They did however publish a link to a dark web chatroom where people could contact them.

Identify Yourself

However, it seems as though experts are not convinced this fresh ransom demand is from the hackers. Some have suggested the announcement's authors are just “trolling journalists.”

Indeed, the decision not to include a bitcoin address, but rather offer to chat to the victim, seems on the surface to be a risky move for the hackers.

Another risky move was also accessing the initial ransomware funds from the bitcoin wallet.

Motherboard said it had spoken to someone claiming to be one of the hackers in a dark web chatroom, and the supposed criminal offered to decrypt any file scrambled by the Petya variant.

However, NotPetya is known to contain code that effectively wipes compromised data rather than locking it. As such, NotPetya appears to have the potential to cause even more chaos than the WannaCry ransomware if it continues to spread.
