A group of hackers who targeted several companies and facilities in Ukraine last week and made $10,000 has struck again and is now demanding an even bigger amount – $250,000.
The hackers behind the NotPetya ransomware, which ravaged computers in more than 60 countries in late June, have moved more than £8,000 worth of bitcoins out of the account used to receive the ransoms. “Send us 100 Bitcoins,” the hackers wrote in a message posted online on July 4, “and you will get my private key to decrypt any hard disk.”
The Petya/NotPetya computer attack shut down critical services in Ukraine last week, then spread throughout Europe and the United States, locking users out of their files and demanding they pay $300 in bitcoin to get them back. A message appeared in red text over a black background on the infected computers, providing a bitcoin address where ransom payments should be sent. Once they paid, the message said, the victims were to send an email to firstname.lastname@example.org. The hackers would then verify their payment and send them a decryption key to unlock their files.
But a few hours after the virus started spreading, German webmail provider Posteo learned that the hackers were using its service and shut down their account. It meant that infected users had no way of contacting the hackers to regain access to their files, and in turn victims had no incentive to pay the ransom. The payments stopped in less than 24 hours, and the hackers had received only $10,000.
It is possible to see the movement of the ransom payments thanks to the public nature of the bitcoin currency: all transfers are recorded on the public block-chain, although the identities of the individuals behind a particular payment address can be near-impossible to discern.
Currently, the block-chain records that the bulk of the ransom money, £7,872 worth of bitcoin, was simply transferred to a second wallet on Tuesday night. However, two smaller payments, of £200 each, went to accounts used by two text-sharing websites, Pastebin and DeepPaste.
Around 10 minutes before the payments were made, someone made posts on both those sites claiming to be able to decrypt hard disks infected with the malware in exchange for a payment of 100 bitcoins.
While the hackers continue to play games, the Ukrainian cybercrime unit is continuing its investigation. On Wednesday, it announced that it had seized ME Doc’s servers after “new activity” was detected there, and said it had acted to “immediately stop the uncontrolled proliferation” of malware, both in Ukraine and other countries.
Cyber unit spokeswoman Yulia Kvitko suggested that ME Doc had sent or was preparing to send a new update and added that swift action had prevented any further damage. “Our experts stopped (it) on time,” she said.
It wasn’t immediately clear how or why hackers might still have access to ME Doc’s servers. The company has not returned messages from reporters, but in several statements posted to Facebook it has disputed allegations that its poor security helped seed the malware epidemic.