Petya ransomware authors demand $250,000 in first public statement since the attack

Illustration by Alex Castro / The Verge

The group responsible for last week’s globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates.

Crucially, the message includes a file signed with Petya’s private key, which is strong evidence that the message came from the group responsible for Petya. More specifically, it proves that whoever left the message has the necessary private key to decrypt individual files infected by the virus. Because the virus deleted certain boot-level files, it’s impossible to entirely recover infected systems, but individual files can still be recovered. The message also included a link to a chat room where the malware authors discussed the offer, although the room has since been deactivated.

It’s unclear whether anyone took the malware authors up on their offer, although so far no bitcoin transactions of that size have been spotted. The authors have also been emptying their original bitcoin wallet, which contained roughly $10,000 in payouts from the first round of Petya infections. Forbes tracked two small donations to PasteBin and DeepPaste before the remaining amount was transferred to an unknown account, presumably bound for a bitcoin laundering service.

It’s unclear why the demand surfaced now, more than a week after the initial infections. Most of the largest companies affected by the attack have resumed operation, limiting the potential customers for the 100-bitcoin payout. In the days since, there’s been significant speculation that the attack was intended to damage Ukrainian infrastructure rather than raise money.

Comments

Sounds like a feint to try and draw attention away from their "state-sponsor". Make it look more like a ransomware attack after all.

Inb4 state-sponsored astro-turfers

They only show up when a certain R word is mentioned.

Clearly this was a cyberattack against Ukraine, with various ancillary attacks to try to make it look otherwise. Wonder who has the motive and means to do this…

Explain why clearly it was a cyberattack against Ukraine.

Gladly, my comrade. Aside from the fact that Ukraine was hit the hardest for unknown reasons (wink wink), the amateurish payment scheme that they these hackers set up is completely at odds with the sophisticated attack that they executed. So clearly the payment demand was a smokescreen.

my comrade

chuckles

That isn’t as clear as you think. You say the payment is a smokescreen. But the same way we can suggest that Ukraine was a smokescreen. The companies affected by Petya outside Ukraine are no small shit: oil, construction, advertising companies in different countries.
Blame whomever you want. But the attack apparently started in Ukraine with updates to Ukrainian software.
Want to blame Russia because they are at odds with Ukraine? Go ahead.
But everything can be a smokescreen if that’s your theory.

It was targeted against Ukraine and then it spread. I’d have to believe Ukraine is the target.

View All Comments
Back to top ↑