
Petya attackers are back with new demands

(Image credit: Shutterstock/Martial Red)

Criminals behind the recent Petya/NotPetya attack have made a fresh ransom demand as they look to continue their mayhem.

A post on the text-sharing site DeepPaste, said to be from the attackers, demands 100 bitcoins (about £198,500) in exchange for decrypting anything affected by the recent attack. Motherboard managed to get in touch with one of the individuals claiming to be from the group and sent them a file encrypted by the malware; after a two-hour wait, the file came back successfully decrypted.

However, Prof Alan Woodward of the University of Surrey told BBC News that a single successful decryption does not necessarily mean the key could recover everything.

"Once the PC's MFT [Master File Table] is corrupted the files on that disc are lost," he explained, referring to the fact that the malware had encrypted a critical part of the PCs' NTFS file system, the table that records where every file's data lives on disk, rather than just individual documents.

"And as far as we can tell, there is an error in the encryption they used, so larger files can't be decrypted."

The news report also says that someone moved £7,900-worth of bitcoin out of the address listed in the blackmail demand. Security researchers believe no one other than the attackers had access to the private key for that address, meaning it had to be them moving the funds.

"Unless the hackers gave away the Bitcoin account linked to the original ransom demand, only they could have moved the funds," Woodward told the BBC.

"People are gobsmacked they have gone anywhere near it - they can't be daft enough to try and cash it out. As far as we can tell, there's no way to actually decrypt affected PCs even if you paid the new demand. So, it may be that they are trying to lead a false trail away from themselves."

The funds were moved at 22:32 BST on Tuesday. There have been a total of three transfers, two of which were sent to Bitcoin wallets used to collect donations to the PasteBin and DeepPaste text-sharing services.

The third, and apparently largest, transfer went to a previously unused address.
