NotPetya Bitcoin address

The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago.

The first to spot the movement was a Twitter bot designed to tweet out transactions associated with the Bitcoin wallet used by the NotPetya ransomware (1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX).

NotPetya group starts moving Bitcoin

Around 21:30 UTC, the NotPetya group sent two payments — of around $285 and $300 — to the Bitcoin wallets associated with the PasteBin and DeepPaste text sharing services.

Half an hour later, the group moved the remainder of their Bitcoin funds to a new account, located at 1Ftixp78FjTWFi3ssJjBw5NqKf5ZPQjXBb. The transferred sum was 3.96298755 BTC, which amounts to over $10,000, the total sum made by the group from their operation last week.

NotPetya Bitcoin wallet transactions

The group's Bitcoin wallet stopped receiving NotPetya ransom payments on June 28, a day after the outbreak, and after it became clear the NotPetya ransomware used faulty encryption that made recovery impossible for victims.

Furthermore, security experts also started telling victims to stop paying NotPetya ransoms after the webmail provider where the group was receiving payment confirmations shut down their inbox, preventing the NotPetya authors from reading emails or replying with decryption codes.

After the recent movement of Bitcoin funds, many experts now believe the group is ready to take the funds they made and use a Bitcoin mixing service (also called a tumbler) to hide their tracks and send the money to new wallets via tens of thousands of micro-transactions.
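Before feeding wallet addresses like the two quoted above into a transaction tracker, an analyst should confirm they are well-formed rather than copy-paste damaged. The following Base58Check validator is an added example, not code from the article; it uses only the Python standard library and the two addresses as they appear on this page.

```python
import hashlib

# Bitcoin's Base58 alphabet omits 0, O, I and l, so a mistyped indicator fails fast.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The two addresses quoted in the article above.
NOTPETYA_RANSOM_ADDRESS = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"
NOTPETYA_NEW_ADDRESS = "1Ftixp78FjTWFi3ssJjBw5NqKf5ZPQjXBb"


def base58_decode(s: str) -> bytes:
    """Decode a Base58 string to bytes, keeping each leading '1' as a zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not valid Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def validate_p2pkh_address(addr: str) -> bool:
    """Return True if addr is a well-formed mainnet P2PKH (version 0x00) address.

    Layout: 1 version byte + 20-byte HASH160 + 4-byte checksum, where the
    checksum is the first 4 bytes of SHA256(SHA256(version || hash160)).
    """
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x00:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


if __name__ == "__main__":
    for label, addr in [("ransom wallet", NOTPETYA_RANSOM_ADDRESS),
                        ("new wallet", NOTPETYA_NEW_ADDRESS)]:
        state = "valid" if validate_p2pkh_address(addr) else "INVALID"
        print(f"{label}: {addr} -> {state}")
```

A single transcription error anywhere in the 34 characters changes the checksum, so an address that fails this check should never be used as a pivot.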

Group asks 100 Bitcoin for NotPetya decryption key

At the same time as the group was making these financial transactions, they also appear to have posted two messages online, on PasteBin and DeepPaste.

Both messages featured the same text, reading: "Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks)."

NotPetya message on DeepPaste

The message also contained a link to a Dark Web portal running Mattermost, an open source, self-hosted Slack-like online chat application.

Group supposedly selling access to user-mode decryption key

Bleeping Computer reached out to the chat channel's admin, a user named "petya," supposedly representing the group.

Based on the very short answers we got to only a few of the many questions we asked, the group is selling access to the private key of the user-mode encryption module only. This detail is important.

NotPetya works by first encrypting files on the user's hard drive (via the user-mode encryption module), then encrypting the drive's NTFS Master File Table (MFT), and then overwriting the MBR with a custom bootloader. When the user reboots the computer, it is stuck in the custom bootloader, which displays a text-mode ransom note.

Researchers have already proven that NotPetya bungles the MFT encryption process, but even if victims repair their hard drive's MFT and MBR sectors, they are still left with encrypted files on disk.

The "petya" user has told Bleeping Computer they are selling the private key that will decrypt the files encrypted via the user-mode component only. Below are the file types targeted by NotPetya on the user's hard drive.

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Group willing to provide tests

In addition, according to the supposed NotPetya representative to whom Bleeping Computer spoke, they are willing to provide a demo of the private key to anyone interested in buying the product.

Because of multiple requests to perform demos, the group performed a single test, successfully decrypting a file provided by Motherboard and an ESET security researcher, and sharing the results in the public chat.

The "petya" user also says they have already received offers for the private key, although it is unclear from whom.

The group declined to answer questions from Bleeping Computer regarding other previous ransomware campaigns they might have orchestrated, why they chose to disguise their ransomware as Petya, or the reasons they moved their Bitcoin funds last night.

During the NotPetya ransomware outbreak that took place last week, a website appeared on the Dark Web that offered to collect and verify payments for NotPetya infections.

The website appeared just after the email provider had taken down the NotPetya group's email inbox and victims had no method of contacting the ransomware's authors to verify payments and receive a decryption key.

That website was deemed a scam after it asked victims to make payments to a new Bitcoin address, instead of the original NotPetya wallet.

The announcement made last night is verified by the two Bitcoin payments the group made to the two services where they hosted their statements. Nonetheless, even if the message is from NotPetya's real authors, it is hard to imagine that someone would fork over 100 Bitcoin, or almost a quarter of a million dollars, for the NotPetya private key.

Fake NotPetya payment site

Article updated with information on the results of the NotPetya group's decryption demo.