The group responsible for last week’s globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates.
Crucially, the message includes a file signed with Petya’s private key, which is strong evidence that the message came from the group responsible for Petya. More specifically, it proves that whoever left the message has the necessary private key to decrypt individual files infected by the virus. Because the virus deleted certain boot-level files, it’s impossible to entirely recover infected systems, but individual files can still be recovered. The message also included a link to a chat room where the malware authors discussed the offer, although the room has since been deactivated.
It’s unclear whether anyone took the malware authors up on their offer, although so far no bitcoin transactions of that size have been spotted. The authors have also been emptying their original bitcoin wallet, which contained roughly $10,000 in payouts from the first round of Petya infections. Forbes tracked two small donations to PasteBin and DeepPaste before the remaining amount was transferred to an unknown account, presumably bound for a bitcoin laundering service.
It’s unclear why the demand surfaced now, more than a week after the initial infections. Most of the largest companies affected by the attack have resumed operation, limiting the potential customers for the 100-bitcoin payout. In the days since, there’s been significant speculation that the attack was intended to damage Ukrainian infrastructure rather than raise money.