The attack primarily targeted businesses in these countries while a hospital in Pittsburg, USA was also hit. The victims of the attack include Central Bank, Railways, Ukrtelecom (Ukraine), Rosnett (Russia), WPP (UK) and DLA Piper (USA), among others.
The magnitude of attack on Ukraine was relatively much higher when compared to other countries and this has led a lot of security researchers and experts to believe that the attack might just have been a state-funded attack targeting Ukraine.
Since the Bitcoin account that was accepting payments had only accrued over $10,000 in ransom payments before the email ID was shut down, this has led researchers to believe that the real motive behind the attack was not money but damaging Ukraine.
Ransom Withdrawn; Fresh Note Appears
But whoever is behind the attack seem to have emptied the Bitcoin wallet that was being used to collect payments from those infected by Petya.
Soon after transferring all the funds to a different Bitcoin account, two payments were made to Pastebin and DeepPaste — two websites which let people post text online and are used by hackers to make announcements — and a message was posted by someone claiming to be behind the Petya/NotePetya ransomware attack.
The message read, “Send me 100 Bitcoins and you will get my private key to decrypt any hard disk (except boot disks)”.
The announcement didn’t carry any Bitcoin address where payments can be made, rather a link to a dark web chatroom has been provided where anyone interested can contact them.
However, this move by the hackers has left many security researchers and analysts puzzled. It was largely being believed that the attack was a state-sponsored one as the ransom demand wasn’t a huge sum and the disinterest in collecting the payment made things even more evident.
But even with the hackers allegedly resurfacing and renewing their ransom demands, security experts believe that this is being done to confuse investigators who’re looking for evidence to declare this a state-sponsored attack.
Talking to the Motherboard, security researcher Matt Suiche said,”This is a clear attempt from the attackers to try to further confuse the audience,” and it may as well be the work of “trolling journalists”.