NotPetya Decryption Key Sale - Genuine or Curveball Charade?

Confusion over the source and motive behind the NotPetya ransomware outbreak was given an extra stir with the offer for sale of a private decryption key. Posts appeared Tuesday on both Pastebin and DeepPaste: "Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks)."

The posts appear to be genuine, and the key proofs have been tested. "It means that whoever posted this message has [the] private key to decrypt the data encrypted by the NotPetya malware," Anton Cherepanov, ESET senior malware researcher, told Forbes.

Catalin Cimpanu at BleepingComputer suggests a different verification. He points out that just before the posts appeared, two small payments (of around $285 and $300) were made from the ransomware's Bitcoin wallets to wallets associated with the Pastebin and DeepPaste text sharing services. On the reasonable assumption that the payments and the posts are associated, it is further proof that the offer comes from the NotPetya group. "The announcement made yesterday night is verified by the two Bitcoin payments the group made to the two services where they hosted their statements," Cimpanu wrote.

Shortly after the posts, the entire remaining funds (about $10,000) were moved out of the ransomware wallet in what seems to be the start of the group striving to hide their tracks.

On the surface, this appears to be a logical process. A faulty encryption routine used by the malware made the recovery of files by victims impossible. F-Secure has pointed out that decryption can be achieved with difficulty: "In order to decrypt the files successfully, the files should be enumerated in the exact same order as during encryption, and with the same "bug" in place."
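The F-Secure observation quoted above (decryption only works if the files are walked in the same order and with the same bug in place) is easier to see on a toy model. The Python below is an added example, not NotPetya's code and not F-Secure's analysis: it assumes a constructed routine in which a single running keystream is shared across every file in enumeration order, with a deliberate "bug" that discards one extra keystream block after each file. The key, file names and contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed model (assumption, not NotPetya's real routine): one running
# keystream is consumed across all files in the order they are enumerated.
BLOCK = 32  # bytes of keystream produced per counter step


class RunningStream:
    """HMAC-SHA256 counter keystream whose position carries across files."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def take(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])


def process_files(key: bytes, files, buggy: bool = True) -> dict:
    """XOR each file with the next slice of the shared keystream.

    files: list of (name, data) in enumeration order. Because XOR is its own
    inverse, the same call both encrypts and decrypts, but only if the
    keystream position at each file matches the original run.
    """
    stream = RunningStream(key)
    out = {}
    for name, data in files:
        ks = stream.take(len(data))
        out[name] = bytes(a ^ b for a, b in zip(data, ks))
        if buggy:
            # The "bug": an extra block is burned after every file, shifting
            # the keystream position for everything that follows.
            stream.take(BLOCK)
    return out


def demo(key: bytes = b"constructed-demo-key"):
    """Return (same_order_ok, reversed_order_ok, no_bug_ok, no_bug_first_file_ok)."""
    plain = [("a.doc", b"quarterly report"),   # constructed sample files
             ("b.xls", b"ledger 2017"),
             ("c.txt", b"notes")]
    cipher = process_files(key, plain)
    enc = [(name, cipher[name]) for name, _ in plain]

    same_order = process_files(key, enc)                    # order + bug reproduced
    reversed_order = process_files(key, list(reversed(enc)))  # wrong order
    no_bug = process_files(key, enc, buggy=False)           # order right, bug omitted

    def recovered(result):
        return all(result[name] == data for name, data in plain)

    return (recovered(same_order),
            recovered(reversed_order),
            recovered(no_bug),
            no_bug["a.doc"] == plain[0][1])


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

Walking the files in the original order with the bug reproduced recovers everything; reversing the order recovers nothing, and dropping the bug recovers only the first file, since every later file sees a keystream that has drifted by one block. That is the practical meaning of F-Secure's caveat: a decryptor has to replicate the malware's exact traversal and its defect, not merely hold the key.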

This still requires a decryptor obtained separately by the victims; but the group's webmail provider has shut down their inbox so they can no longer read emails or reply with decryption keys.

With no possibility of collecting more ransoms, the private key is the only asset of value left to the group -- so selling that in a single transaction for a large amount would make sense. This is what you might expect criminals to do.

The confusion comes from a strong body of opinion that suggests the perpetrators are not simple criminals but a state-sponsored group. NotPetya, says this theory, is actually a cyber weapon disguised as ransomware delivered by Russia primarily against the Ukraine as part of the ongoing cyber conflict between the two nations.

"Since the outbreak," explains David Kennerley, director of threat research at Webroot, "many analysts have pointed towards possible state involvement in the ransomware attack, and the 'mistakes' made by the authors of NotPetya lent to theories their main intention wasn't primarily monetary gain. And most likely the aim was to cause as much damage and havoc as possible under the guise of ransomware – with the primary target being Ukrainian entities."

Further indications that the group might not be serious about collecting money comes from Cimpanu. The Pastebin/DeepPaste messages include a link to "a Dark Web portal running Mattermost, an open source, self-hosted Slack-like online chat application." He engaged with the group, but got little response to his queries, and the chat room is now deactivated. Yesterday he tweeted, "NotPetya public chat is down. Charade over."

The bottom line is that this sale initially looks like the act of a criminal gang, but proves nothing. "We've been told that the hackers, portraying to be the ransomware creators, have successfully decrypted a number of files encrypted by NotPetya – this definitely points towards inside knowledge of the ransomware itself," comments Kennerley.

"Are they the creators? Are they close to the creators, or has another group independently found a possible weakness in NotPetya's encryption routine and is now attempting to make a quick buck? A number of files have been decrypted; this doesn't mean they have the ability to decrypt all files, but again it adds a twist to the story. At least from a distance, it adds an argument against the theories that this wasn't about the money – or is this a smoking gun to throw investigators off the scent, or even an attempt at good old internet trolling? Whatever it turns out to be, at 100 bitcoins it's very unlikely anyone will take them up on their offer."

"Unfortunately, this doesn't really clear anything up about the case," comments F-Secure security adviser Andy Patel. "100BTC for the master key that will decrypt all files encrypted by NotPetya isn't really worth it, considering a majority of victims probably have corrupted master file tables, and hence can't even access that data anymore."

So, despite the apparent criminal offer for sale, it is still unclear whether NotPetya is a cyberweapon aimed at the Ukraine or a flawed criminal act. It isn't clear whether the private key sale is genuinely from the perpetrator, or a curveball from a state group.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.