A few hours ago the Bitcoin wallets associated with the NotPetya/ExPetr ransomware attack started to empty.
The person/persons in control of the wallet made one transfer of 0.13 Bitcoin (~R4 489) and another of 0.1214 Bitcoin (~R4 192) before making a larger transfer of 3.96983955 Bitcoin (~R137 097).
— petya_payments (@petya_payments) July 4, 2017
The first two payments are to Bitcoin wallets associated with PasteBin and DeepPaste according to a report by Bleeping Computer. The third transfer is to a new Bitcoin wallet – likely one set up by the person/persons behind NotPetya/ExPetr.
The fact that money has started moving is interesting. Wallets tied to WannaCry are still filling up, and as of time of writing no transfers out of the wallets have been made.
Status of WannaCry wallets:
51.98076422 BTC ($134,859.54)
337 payments, 0 withdraws
2017-06-28 at 05:50 AM ET
— actual ransom (@actual_ransom) July 5, 2017
It’s also worth keeping in mind that after analysis, researchers discovered that even if folks were to pay up it’s unlikely all their files would be decrypted.
The popular theory is that the actors are getting ready to put the Bitcoin through a tumbler which can be used to “clean” Bitcoin and confuse anybody following the money.
A demand for a key
Shortly after the NotPetya/ExPetr wallet was emptied, a message appeared on the dark web as well as PasteBin which reads:
Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks)
It’s not clear whether this offer is legitimate, but Bleeping Computer spoke to the admin of a chat hosted on the dark web page where the message was posted, and found out the following:
“According to the supposed NotPetya representative to whom Bleeping Computer spoke, they are willing to provide a demo of the private key to anyone interested in buying the product,” the publication said.
It seems then, that the best bet if you’ve been hit by NotPetya/ExPetr is to wait to see if a security firm can create a decryption tool. We definitely wouldn’t advise paying the 100 Bitcoin – R3.4 million – ransom.
[Via – Bleeping Computer] [Image – CC BY SA 2.0 401(K) 2012]