Anonymous hackers have put out an announcement that they have a decryption key that can save any computer hit by Petya or NotPetya, and they want 100 bitcoin for it, or approximately $250,000. Logically, such a key could only belong to the original authors of the malware unless it was leaked, but the party that posted the announcement online did not make any clarifications as to who they are. The announcement was posted on Pastebin and on the Tor-only DeepPaste. Just after the announcement was posted, somebody moved around $10,000 out of the bitcoin wallet associated with Petya, lending a bit of credence to the notion that the party that posted the announcement may have been responsible for the original malware. At the same time, payments were made to DeepPaste and Pastebin, where the announcements are hosted. The GoldenEye malware that is based on Petya was not mentioned in the demand.
The posters of the announcement left a link that any interested party could use to contact them, and when contacted, claimed that they could decrypt any Petya-stricken file that they were given. Somebody investigating the ongoing Petya malware saga reportedly gave them such a file, but did not receive a decrypted file in return, and has not heard back as of this writing. While the people behind the announcement could very well be the original malware creators, they could just as easily be a fraud, and simply out to make some cash off the state of affairs, or cause confusion. Until there is proof that their decryption code works for all Petya infection cases, not much more can be said with any certainty.
Petya and its derivatives hit Ukraine last week and spread quickly from there. It didn’t take this new malware family long to wreak havoc on Ukraine and knock down prominent targets elsewhere. If this sounds similar to the WannaCry ransomware outbreak from back in May, that’s because it is: both use the same EternalBlue exploit. Created by the U.S. National Security Administration (NSA), EternalBlue leaked and was quickly patched, but it can still hit some systems running older software, though most modern Windows, Linux, and Mac desktops are safe. With Petya, however, a second exploit comes into play, which allows the malware to spread across a network once it infects one device. The exploit used for in-network spreading can hit almost any machine running Windows, Mac, Linux, or theoretically even Chrome OS through its Linux roots.