NotPetya authors prove that they can decrypt some files - but analysts think it's a false lead

The hackers took the money, but didn't run

The hackers behind the NotPetya malware appear to have made a fresh ransom demand, shortly after transferring funds from their original Bitcoin wallet. Analysts, however, think that the new demand is meant to lay a false trail.

Most of the companies affected by the ransomware, which include Oreo cookie manufacturer Mondelez International and shipping group Maersk, did not pay the demands. This was partly because the email address victims were told to use to contact the attackers was shut down by its German operator, leaving no channel through which a payment could be matched to a victim. However, a significant amount of money was still sent to the hackers' Bitcoin address in the hope of unlocking blocked machines - a hope that may prove unfounded.

Late on Tuesday this week, the Bitcoin funds that had been sent were moved out of the original wallet in three transactions. Two small transfers went to the Bitcoin wallets of PasteBin and DeepPaste, websites used to paste large chunks of text online; they are often used to share code, or by hackers to make announcements. The third and largest transfer went to a previously empty address.

Shortly after the transfers, posts appeared on both PasteBin and DeepPaste claiming to be from the authors and asking for 100 Bitcoin (worth more than $250,000) for a key that, they said, would decrypt any system affected by NotPetya. No Bitcoin address for payment was given; instead the posts linked to a dark web chatroom where people could contact them.

Motherboard visited the chatroom and interviewed the purported hackers, although it could not confirm whether or not they were the original NotPetya authors. Whoever they were, the person on the other end of the line did decrypt a file as proof of their ability. That is a meaningful signal: decrypting a file requires the private key that matches the key material the malware used, not merely access to its source code, so it points to someone who holds, or was given, the attackers' key.

Security researchers, however, are unconvinced. Anton Cherepanov of ESET and Matt Suiche of Comae both told Motherboard that bugs in the ransomware could prevent the hackers from decrypting files larger than 1MB, so decrypting a single small file does not demonstrate that the larger files victims depend on could ever be recovered. Suiche said that he thinks the authors are simply "trolling" journalists and researchers by trying to confuse the issue.

"This is a clear attempt from the attackers to try to further confuse the audience, by changing the wiper narrative into a ransomware one again," said Suiche.