Threat Management, Malware, Ransomware

Mystery user offers Petya/NotPetya decryption for nearly £200,000

Petya/NotPetya decryption, though considered nigh on impossible, is being offered by one anonymous individual who is demanding hundreds of thousands of dollars for the return of victims' data.

In a post titled #Petya.A #NotPetya, a user believed to be afiliated with the Petya/NotPetya gang posted on ToR site Deeppaste: "Send me 100 Bitcoins and you will get my private key to decrypt any hard disk." At current valuations, 100 bitcoins works out to US$256,000 (£198,000).

While many might try to make this claim, and reap the profits from defrauding desperate victims of last week's Petya/NotPetya campaign, this new post comes with some corroboration. Alongside the short message was the ransomware's private key, which was confirmed as legitimate by Forbes. The owners of that key would be able to decrypt individual files but not an affected computer's boot disk, which is encrypted differently from hard disk files.

Raj Samani, chief scientist and fellow at McAfee told SC Media UK that this is the key to the original Petya, not the same iteration behind the recent worldwide attacks: “It appears that the original developer for Petya has released the key because they wanted to help! The reputation of ransomware authors is taking a battering through consistent media attention on the proportion of victims who pay a ransom but are not granted access to their data.”

Attacks like NotPetya and Wannacry, in which even paying victims don't recieve their data back, “were actually detrimental to ransomware developers. Perhaps this decryption tool has been released to restore the reputation of those behind ransomware?”

Others have cautioned against paying even this, no matter how desperate they are. A post from Charles McFarland, senior research scientist at McAfee warned, “There's a large chance victims wouldn't even get their files back if they paid, as there is no guarantee that the authors will hold up their end of the bargain.”

Indeed, this offer flies in the face of the widely held theory that Petya/NotPetya was not meant to make money. The theory goes that the ransomware campaign was intended not to extort, but to destroy.

This theory was seemingly bolstered by the fact that even those who had paid were not able to get their data back. As a variety of commentators soon noted, this variant of ransomware was written without the victim ID, making it impossible for even its masters to unlock its encryption.

It's this simple fact which has led some to believe that this new offer is not all it's cracked up to be.

“It sounds like people trying to cash in on it”, Vince Warrington, founder of Protective Intelligence Ltd, told SC, reasoning that files encrypted Petya/NotPetya were widely regarded as unrecoverable by design: “The thing about ransomware is you do offer some kind of decryption service back to people because otherwise no one would pay.”

More likely, added McFarland, is that this is “an attempt by these cyber-criminals to add to the global confusion and create a smoke screen, concealing their true intentions. These offers should not be trusted.”

Petya/NotPetya's masters have been making some movements, however small. The Bitcoin wallet where victims were directed to pay their ransom was emptied on 4 July. For a campaign that ran so far and so wide, the attackers efforts amounted to a paltry 3.9 bitcoin (£7200).

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.