
Report: NotPetya actors created fraudulent payment site on Tor

The actors behind the NotPetya wiper malware created a payment site as a ruse to fool victims into thinking their ravaged files could be salvaged, even though there remains little guarantee of this, according to a new blog post from Cylance.

The adversaries added the fraudulent payment site to Tor, supposedly offering decryption keys to users who paid the ransom. In its online report, Cylance warned that the site, hosted at 23odsus7tobvmw5r(dot)onion, is perpetrating a scam.

As reported by Motherboard and other outlets, actors claiming to be the NotPetya hackers last week posted a message on DeepPaste, promising a private key that would decrypt all encrypted files for around $256,000 in Bitcoins. "After apparently providing proof of decryption abilities to various news outlets, it seemed likely that this message was posted by the original authors," Cylance wrote in the blog post. "However, for most people whose hard drives have been encrypted at the MFT level, paying the 100 BTC will be of little use, and this service is little more than a scam."

Researchers have by and large reported that there is no valid means of decrypting files hit by NotPetya.

Bradley Barth
