Petya Group Bitcoins on the Move, New Message Posted

Petya Group Bitcoins on the Move, New Message Posted

The hacking group behind Petya/NotPetya/ExPetr withdrew all bitcoins from the bitcoin wallet associated with the ransomware on Tuesday, July 4th, moving the money to a new bitcoin wallet. The already confusing story of the Petya attacks gets even stranger. 

Security researcher Kevin Beaumont, aka @GossiTheDog, reported via a Twitter post that the group withdrew the over $10,000 in profits raised from the ransoms paid by Petya victims. The bitcoins from the wallet were used to pay for a PasteBin Pro and DeepPaste accounts on TOR. A user called PetyaA. Used the DeepPaste and PasteBin Pro accounts to post what appears to be a new form of  ransom note.

Pastebins are websites that allow for posting of plaintext, and is often been used to post code snippets for online code review. In the past, pastebin sites have been used to leak stolen code or allow hacker groups to post announcements or messages claiming responsibility for attacks.

Source: https://twitter.com/GossiTheDog/status/882374869664624641

The DeepPaste posting, purportedly by the Petya authors, is titled #Petya.A #NotPetya.

Posted by PetyaA. On July 4, 2017 – 9:23 pm UTC

“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks) See the attached file signed with the key” The message includes links and contact info.

Motherboard, an online tech and science news site associated with Vice Media, has conducted interviews with hackers in the past. This week, Motherboard says that hackers claiming to be behind the Petya/NotPetya attacks successfully decrypted a file encrypted by NotPetya as a demonstration that decryption was possible. Several leading cybersecurity researchers, upon looking at the NotPetya code, declared that file decryption would be impossible. This assessment appears to be, at least in some situations, incorrect.

The twitter account petya_payments is now tracking changes to the new bitcoin wallet, which now has $10, 225.30 as of 6pm 7/6/17 HST. 100 bitcoins is equal to $250,117.00. Members of the public may believe that a decryption key may be publically released if the funds in the bitcoind wallet reach 100 BTC.

This story is developing.

Sources:

Kevin Beaumont/ @GossiTheDog, Twitter post, Petya people send BitCoin to DeepPaste in Tor and appear to have posted this.

Twitter, @petya_payments, https://twitter.com/petya_payments

SC Media,  NotPetya bitcoin wallet emptied, posts 100 bitcoin fee for decryption key

Motherboard, Hackers Connected to NotPetya Ransomware Surface Online, Empty Bitcoin Wallet

Bleeping Computer, NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web