Latest Ransomware Twist: A Ransom Demand of $250,000
A hacking group linked to last week's ransomware attack, which locked up devices at multibillion-dollar organizations, has apparently issued its first public statement, demanding around $250,000 in exchange for a private encryption key used in the attack.
Motherboard first spotted the ransom note, published on the dark web on Tuesday, which states that the group apparently behind the NotPetya malware, also known as GoldenEye, demands a ransom of 100 bitcoin in exchange for a key that, it claims, could decrypt any file locked by the malware.
The movement of ransom payments can be observed because of the public nature of the bitcoin currency: every transfer is recorded on the public blockchain, even though the real-world identities of the individuals or organisations behind a particular payment address might be almost impossible to discern.
theguardian.com reported on July 5th, 2017 that the blockchain currently records that the bulk of the ransom money, 7,872 pounds' worth of bitcoin, was simply transferred on Tuesday night to a second wallet, while 2 smaller payments of 200 pounds each went to accounts used by 2 text-sharing websites, namely DeepPaste and Pastebin.
All of a sudden, funds were withdrawn from the wallet yesterday and routed to three other wallets. One was a formerly empty wallet created by whoever moved the money. The other two are owned by DeepPaste and Pastebin, services frequently used by hackers to announce their exploits.
Motherboard was not able to confirm whether the people who posted the announcement, as well as the people in the chatroom, were the hackers behind NotPetya. With the help of a security researcher, Motherboard provided the alleged hackers with an encrypted file and the corresponding readme.txt file created with NotPetya, but the supposed hackers did not immediately provide the decrypted file.
It is not clear why the demand surfaced now, more than a week after the initial infections. Most of the largest organizations affected by the attack have already resumed operation, limiting the potential customers for the 100-bitcoin payout. Since then, there has been significant speculation that the attack was planned to damage the infrastructure of Ukraine rather than to raise money. But according to reports, it does not appear that there have been any bitcoin transactions of that size.
» SPAMfighter News - 7/17/2017