Bitcoin-Demanding Ransomware Petya Asks $250,000 For Decryption Keys
Sophisticated bitcoin-demanding ransomware Petya, which launched a successful large-scale global attack earlier in June, has started to take a different approach to extort ransom in bitcoin from victims.
Instead of providing unique decryption keys in exchange for individual $300 bitcoin ransom payments, the hacking group behind Petya revealed it is offering a unified decryption key that can decrypt any files encrypted or infected by the Petya ransomware.
Petya’s announcement on the Tor-based platform DeepPaste, first discovered by Motherboard, read:
“Send me 100 bitcoins and you will get my private key to decrypt any harddisk (except boot disks). See the attached file signed with the key.”
Analysts explained that the file attached by the developers of Petya, which was signed with Petya’s private key, proves that the message is legitimate and comes from the developers behind Petya. More importantly, analysts noted that the attachment signed with Petya’s private key provided strong evidence that whoever made the announcement on DeepPaste has the unified decryption key that can be used to recover any ransomware-infected files.
On June 27, Petya launched its global ransomware attack, encrypting and infecting devices concentrated in Europe. Sources including Business Insider revealed that the Petya ransomware attack affected the Ukrainian government, major oil companies, banks and large-scale conglomerates.
A photograph of a device infected by the Petya ransomware showed that Petya was demanding a single payment of $300 from victims to receive decryption keys and recover their files.
“If you see this text, then your files are no longer accessible, because they have been encrypted. We guarantee that you can recover all your files safely and easily, all you need to do is submit the payment and purchase the decryption key. Send $300 worth of bitcoin to the following address,” read the message from Petya.
However, victims who paid the $300 to recover their files weren’t provided with the decryption key, because the email service provider of the Petya developers had already suspended and terminated the email addresses associated with the Petya ransomware.
Email service provider Posteo announced:
“Our legal team checked this immediately - and the mailbox was immediately blocked. We do not tolerate any misuse of our platform: The immediate termination of abused mailboxes is a usual procedure of providers in such cases. At the time of the blocking, there was no reporting on the ransomware.”
Posteo’s immediate response to the Petya ransomware attack made it virtually impossible for victims to receive their decryption keys because the developers behind Petya could no longer confirm who sent the $300 bitcoin payment. More importantly, Posteo’s termination of Petya’s email addresses led to the discontinuation of the Petya ransomware attack, as the hacking group could not monetize its attacks.
In essence, Petya’s $250,000 offer for a unified decryption key is an ultimatum. The developers behind Petya are willing to end their ransomware attack and terminate their operations in exchange for a single payment of $250,000 made in bitcoin.