Unknowns empty NotPetya bitcoin wallet – update

Spread the love

Unknowns virtually emptied the bitcoin wallet behind the NotPetya malware on Tuesday. In addition, two payments were made to Pastebin and DeepPaste from the bitcoin address, on which reports appeared that the encryption key for 100 bitcoin is for sale.

The transactions were noticed by Motherboard. In total, 3.96 bitcoin has been removed from the wallet, which translates to almost 9,000 euros. The coins are now registered in a new wallet, which has not yet performed any other transactions. Shortly before the bitcoins were siphoned off, two payments of about 0.11 bitcoin took place. These went to the addresses of DeepPaste and PasteBin. Shortly before that, two identical messages appeared on the sites, Motherboard said.

The message claims that the private key for decrypting every hard drive with the exception of boot disks will be sent for an amount of 100 bitcoins, converted almost 225,000 euros. In addition, the message states that a file signed with the private key is available. There is also a link to a chat room. Motherboard contacted the people behind the message, but could not confirm that they are actually the people behind NotPetya.

An interlocutor told the site that the price for the key is so high because it can be used to “decrypt all affected computers.” They also offered to decrypt a file as evidence, but when Motherboard sent a file with the help of a security researcher, there was no response. Researcher Matthew Suiche, who has been working with NotPetya and WannaCry for some time, is skeptical about the claims.

He argues that it may be a way to make it appear as though there is a financial purpose behind the attacks. Another possible aim could be to spread confusion and fud. Security firm F-Secure recently published an analysis of NotPetya’s encryption, which uses the Win32 API for encryption. The company states that decryption should be possible, but with many conditions.

Firstly, the private key must be present, which is not available until now. In addition, no files may have been added, moved or deleted between encryption and decryption. A third requirement is that the master file table is still intact. Finally, encryption may only have taken place once. The latter would be a major hurdle because the malware’s distribution techniques could potentially cause it to be encrypted twice.

Update, 16:07: Two security researchers confirm to Forbes that the signed file is proof that the people behind the message have the private key. The exception for the boot sector would have to do with the malware using a different encryption method.

The text on DeepPaste

You might also like
Exit mobile version