Last week, the hacking group behind the NotPetya surfaced online and posted a new ransom request for 100 Bitcoin to release the private key that decrypts all the files affected by the malware. Security researchers, on the other hand, think they might have found another method.
The announcement was published after the hackers emptied their Bitcoin wallet, which had collected more than $10,000 up until that point. The new sum asked by the cyber criminals is equivalent to more than $250,000.
Cyber security experts are confused by the apparently friendly approach of the hackers, who had previously been deemed responsible for a data wiping attack and not a ransomware scheme.
An error in an encryption algorithm might be the key
If companies and organizations are not willing to pay up to get back their files, Positive Technologies might have a different solution. Specialists from the firm said the hackers made a mistake writing the encryption algorithm Salsa 20, and that exploiting that flaw could restore files in some disks.
Dmitry Sklyarov, Head of Reverse Engineering at the firm, told the BBC that his team did not expect to find a potential solution to the global problem when delving deep into the code of NotPetya.
He said that this recovery method relies heavily on applied heuristics and that such techniques are not within the grasp of common users. It might take several hours to recover files and, as warned by other researchers before, those files might not be complete upon recovery.
Positive Technologies noted that the size of the disk, its fragmentation, and how much free space is left are elements that play a role in data recovery. The firm stated that files like operating systems and popular applications have a higher chance of full restoration than a single file like documents and such.
Hackers are trying to spin back the ransomware narrative
As several cyber security firms have pointed up until last week, the poor methods through which the supposed ransomware attack was conducted showed that the true intentions of NotPetya were to destroy data and nothing more.
However, hackers resurfacing with demands for more money and a new Bitcoin wallet have confused some members of the expert community. Matt Suiche, head of Comae Technologies, insists that the group is only “trolling journalists” with their latest appearance.
The cyber criminals were able to prove that they have the private key to restore files after a Motherboard journalists advised by ESET Security sent them a file for them to decrypt. He got back the decrypted file a couple of hours later through a deep web chatroom.
Nevertheless, Suiche and others insist that even that is not enough proof since recovery solutions have been tested on files larger than 1 MB and failed. The document they sent was only 200 KB, for which it may be possible that other kinds of data cannot be restored.
Experts suggest that even if they released the key, the situation has been framed for them in a way that they are simply unable to recover their data. Upon request to decrypt other files by other journalists, the hackers did not respond.