Motherboard reached out to the hackers on a dark web Slack-like chatroom they set up and announced on Pastebin and DeepPaste, a dark web Pastebin copycat.

The hackers offered to decrypt one file for free to prove they were legitimate. So we asked Anton Cherepanov, a researcher from cybersecurity company ESET, to send us a file encrypted with NotPetya. Cherepanov said he ran the malware on a virtual machine and sent us two files: a normal Word document containing information about Microsoft software, and the same file encrypted with NotPetya. The version of the file encrypted with NotPetya contained gibberish when opened in a word processor.
That the hackers can decrypt at least some files complicates the theory that this attack was not conducted for financial reasons.

"If it wasn't about the money as people claim, why come back and prove you're in possession of the key and ask money for it?" MalwareTech told Motherboard. "Crazy days I guess."

To be clear, the hackers only decrypted one small file for Motherboard. The capability to decrypt a single file shows the hackers are connected to the NotPetya attack, but that does not necessarily mean they will be able to decrypt files en masse.

Not all security researchers who have analyzed the malware have said file decryption was impossible. F-Secure previously said that it might be possible, but with several serious caveats: that no files were added, moved, or deleted between encryption and decryption; that the malware's other components haven't managed to destroy the disk's MFT, or master file table (a database which stores information about all files on a disk); and that encryption was only performed once.

Suiche told Motherboard that he thinks the hackers are just "trolling," trying to confuse researchers and journalists. Moreover, it's possible that some files could not be decrypted, and victims might not be able to provide the hackers with the unique fingerprint that the ransomware creates for each victim if the MFT is encrypted, he added. The unique fingerprint is contained in a readme.txt file, which the hackers require in order to identify the victims.
"They have key, so must be same people."
Both Cherepanov and Suiche said that there are bugs in the ransomware that might prevent the hackers from decrypting files larger than 1MB. (The file we sent the hackers was around 200KB.) Motherboard sent the hackers an additional file, but by that time the hackers had become unresponsive. Multiple other journalists noted on Twitter that the hackers did not respond to their questions.

"They already fucked people even if they release the private key," Suiche told Motherboard. "They already put people in a situation where they can't recover their files and data even if the private key is released."

In a private conversation with Motherboard, the hackers claimed several people had shown interest in providing the full 100 bitcoins to release the key. They also said that the fee was non-negotiable.

"Now real offers only," the hackers wrote in the dark web chat room on Wednesday morning.

By the afternoon, the hackers said they'd shut the chatroom down until the next day.