The hackers behind the NotPetya ransomware, which wiped computers in more than 60 countries in late June, have moved more than £8,000 worth of bitcoins out of the account used to receive the ransoms.
The transfer has added credence to messages purporting to be from the attackers offering to decrypt every single infected computer for a one-off payment of £200,000, after security researchers suggested they may be state-sponsored actors.
It is possible to see the movement of the ransom payments thanks to the public nature of the bitcoin currency: all transfers are recorded on the public blockchain, although the real-world identities of the individuals or organisations behind a particular payment address can be near-impossible to discern.
Currently, the blockchain records that the bulk of the ransom money, £7,872 worth of bitcoin, was simply transferred to a second wallet on Tuesday night, but two smaller payments, of £200 each, went to accounts used by two text-sharing websites, Pastebin and DeepPaste.
Around 10 minutes before the payments were made, someone made posts on both those sites claiming to be able to decrypt hard disks infected with the malware in exchange for a payment of 100 bitcoins.
Potential smokescreen
The £200,000 offer has created more uncertainty about the motivations behind the ransomware. While it originally appeared to be created with the intention of earning a lot of money through ransom payments, researchers quickly pointed out that a number of features of the software made it appear that the ransom element was a smokescreen, with the real goal being widespread damage.
Significantly, the majority of infections occurred in Ukraine, due to the main attack vector being a compromised version of an accounting program, ME Doc, used to file taxes in the nation. That has led to many, including the Ukrainian government, suspecting Russian involvement as part of the ongoing cyberwar between the two countries.
The hackers' offer to decrypt files for money suggests that the cash motivation may be more significant than thought – but that too could be misdirection.
While the hackers continue to play games, the Ukrainian cybercrime unit is continuing its investigation. On Wednesday, it announced that it had seized ME Doc’s servers after “new activity” was detected there, and said it had acted to “immediately stop the uncontrolled proliferation” of malware.
Cyber police spokeswoman Yulia Kvitko suggested that ME Doc had sent or was preparing to send a new update and added that swift action had prevented any further damage. “Our experts stopped (it) on time,” she said.
It wasn’t immediately clear how or why hackers might still have access to ME Doc’s servers. The company has not returned messages from reporters, but in several statements on Facebook it disputed allegations that its poor security helped seed the malware epidemic.
Cyber police chief Colonel Serhiy Demydiuk previously said that ME Doc’s owners would be brought to justice, but Kvitko said there had been no arrests.