Image: November27/Shutterstock

Hackers Linked to NotPetya Ransomware Decrypted a File for Us

The hackers successfully decrypted a file provided by Motherboard, but that does not necessarily mean victims will be able to get their files back.

Jul 5 2017, 8:28pm


Hackers linked to the crippling NotPetya ransomware attack, which encrypts files on infected machines, have proved to Motherboard they have the ability to decrypt some locked files.

Security researchers have spent much of the last week debating whether victims of NotPetya will ever get their files back, with many arguing that the malware was designed to cause disruption rather than generate funds.

After resurfacing online on Wednesday, hackers connected to the NotPetya ransomware are now offering to release a key they say would unlock all files affected by the malware for 100 bitcoins (worth roughly $250,000). The hackers didn't publicly specify where to send the money, but told Motherboard that victims could pay to a new bitcoin wallet unaffiliated with the one that individual users have been paying ransom to until this week.

The successful decryption of a test file makes the NotPetya case even more puzzling. If the hackers didn't really want to return files in the first place, why resurface? Either way, since the ransomware appears to damage disks for some victims, even if the hackers provide a decryption key, some victims may not be able to save their files anyway.


Motherboard reached out to the hackers on a dark web Slack-like chatroom they set up and announced on Pastebin and DeepPaste, a dark web Pastebin copycat.

The hackers offered to decrypt one file for free to prove they were legitimate. So we asked Anton Cherepanov, a researcher from cybersecurity company ESET, to send us a file encrypted with NotPetya. Cherepanov said he ran the malware on a virtual machine and sent us two files: a normal Word document containing information about Microsoft software, and the same file encrypted with NotPetya. The version of the file encrypted with NotPetya contained gibberish when opened in a word processor.

A comparison of the encrypted file on the left, and the successfully decrypted version on the right.

Around two hours after we provided the hackers with the encrypted file, they sent us the decrypted file, which matched the original, clean Word document. This suggests the hackers do indeed have a key capable of unlocking files infected with NotPetya. Motherboard also sent the hacker another file from another researcher to decrypt, but by this point the hacker had become unresponsive.

A portion of a private chat between Motherboard and the hackers.

Separately from this test, Cherepanov and a security researcher known as MalwareTech, both of whom have analyzed NotPetya, said that the hackers in the chatroom proved that they have access to NotPetya code. The hackers used the NotPetya private encryption key to sign the announcement they published on Pastebin and DeepPaste on Tuesday.

"They have key, so must be same people," Cherepanov told Motherboard in an online chat.

Last week, NotPetya spread across the world, distributed by malicious updates from a piece of accounting software called MEDoc. The attack impacted companies in the US, UK, and across Europe. Ports were closed; supermarkets rendered useless; and businesses forced to resort to pen and paper.

Some researchers have suggested that unlike other types of ransomware, which are used to extort money, NotPetya's purpose was to simply sow chaos by encrypting files and giving victims no method for unlocking them. Essentially, they see NotPetya as a wiper, not a ransomware.

Researchers at Kaspersky Lab wrote that the hackers cannot decrypt victims' files even if the victim paid. Matt Suiche from cybersecurity firm Comae Technologies said that in some cases, the malware does permanent and irreversible damage to the disk. The NotPetya campaign also has a notably sloppy payment mechanism: Victims are supposed to email the hackers with a unique code after sending the ransom fee, but the email provider shut down the hackers' account soon after NotPetya made headlines around the world.


That the hackers can decrypt at least some files complicates the theory that this attack was not conducted for financial reasons.

"If it wasn't about the money as people claim, why come back and prove you're in possession of the key and ask money for it?" MalwareTech told Motherboard. "Crazy days I guess."

To be clear, the hackers only decrypted one small file for Motherboard. The capability to decrypt a single file shows the hackers are connected to the NotPetya attack, but that does not necessarily mean they will be able to decrypt files en masse.

Not all security researchers who have analyzed the malware have said file decryption was impossible. F-Secure previously said that it might be possible, but with several serious caveats: that no files were added, moved, or deleted between encryption and decryption; the malware's other components haven't managed to destroy the disk's MFT, or master file table (a database which stores information about all files on a disk); and that encryption was only performed once.

Suiche told Motherboard that he thinks the hackers are just "trolling," trying to confuse researchers and journalists. Moreover, it's possible that some files could not be decrypted, and victims might not be able to provide the hackers with the unique fingerprint that the ransomware creates for each victim if the MFT is encrypted, he added. The unique fingerprint is contained in a readme.txt file which the hackers require to identify the victims.


Both Cherepanov and Suiche said that there are bugs in the ransomware that might prevent hackers from decrypting files larger than 1MB. (The file we sent the hackers was around 200KB.) Motherboard sent the hackers an additional file, but by that time the hackers had become unresponsive. Multiple other journalists noted on Twitter that the hackers did not respond to their questions.

"They already fucked people even if they release the private key," Suiche told Motherboard. "They already put people in a situation where they can't recover their files and data even if the private key is released."

In a private conversation with Motherboard, the hackers claimed several people had shown interest in providing the full 100 bitcoins to release the key. They also said that the fee was non-negotiable.

"Now real offers only," the hackers wrote in the dark web chat room on Wednesday morning.

By the afternoon, the hackers said they'd shut the chatroom down until the next day.
