According to Cylance, the actors behind the NotPetya wiper malware recently created a scam payment site, hosted at 23odsus7tobvmw5r(dot)onion, that offers decryption keys to users who paid the ransom.
According to Cylance, the actors behind the NotPetya wiper malware recently created a scam payment site, hosted at 23odsus7tobvmw5r(dot)onion, that offers decryption keys to users who paid the ransom.

The actors behind the NotPetya wiper malware created a payment site as a ruse to fool victims into thinking their ravaged files could be salvaged, even though there remains little guarantee of this, according to a new blog post from Cylance.

The adversaries added the fraudulent payment site to Tor, supposedly offering decryption keys to users who paid the ransom. In its online report, Cylance warned that the site, hosted at 23odsus7tobvmw5r(dot)onion, is perpetrating a scam.

As reported by Motherboard and other outlets, actors claiming to be the NotPetya hackers last week posted a message on DeepPaste, promising a private key that would decrypt all encrypted files for around $256,000 in Bitcoins. "After apparently providing proof of decryption abilities to various news outlets, it seemed likely that this message was posted by the original authors," Cylance wrote in the blog post. "However, for most people whose hard drives have been encrypted at the MFT level, paying the 100 BTC will be of little use, and this service is little more than a scam."

Researchers have by and large reported that there is no valid means of decrypting files hit by NotPetya.