back to article Ker-ching! NotPetya hackers cash out, demand 100 BTC for master decrypt key

All the Bitcoins paid by victims of the NotPetya ransomware attack were withdrawn overnight. Some paid the equivalent of $300 in Bitcoin even though there were no real means to recover their data. Just over 3.96 Bitcoins ($10,382) were drained from a wallet tied to NotPetya early on Wednesday morning, according to a Twitter …

  1. Anonymous Coward
    Anonymous Coward

    And...

    Maersk use IBM outsourcing

    WPP use IBM outsourcing

    Reckitt Benckiser use IBM outsourcing

    FedEx use IBM outsourcing (it's less clear how much goes where from the announcements I can find)

    1. Anonymous Blowhard

      Re: And...

      I think you're overlooking the obvious point that all these companies have offices in the Ukraine; seems more likely that shared drives is how the malware spread to the rest of the business.

      1. Anonymous Coward
        Anonymous Coward

        Re: And...

        Given the spread of the outbreaks and how core servers were infected in addition to workstations and file shares, patching for known issues and ensuring AV infrastructure formed a part of the issue (i.e. the NSA patches) beyond the initial infection.

        While offices in the Ukraine may have introduced the issue, what controls were in-place to prevent some organisations controlling the disruption and others struggling to function one week later?

    2. FuzzyWuzzys Silver badge
      Facepalm

      Re: And...

      It certainly points a clear lesson that IBM are bloody useless at looking after their paying customer's security needs!

      IBM, one more once-great company now just another outsourcing, money-making machine.

      1. Jonathan 27 Bronze badge

        Re: And...

        I don't remember IBM being a great company, how long ago was that?

        1. Rich 11 Silver badge

          Re: And...

          Before about 1990. Which may have been the time they stopped making typewriters.

        2. tfb Silver badge

          Re: And...

          Well, the IBM 360 has a good claim to have been the most influential processor architecture there has been I think (not because it was a mainframe but because it got so many things so right, so long ago). So, they were a great company in 1964, at least.

    3. Fan of Mr. Obvious

      Re: And...

      I get the IBM pile on, but I think the larger issue may be that companies bring in third parties expecting the unreasonable, which is that "we are paying to be secure." IBM is likely doing its part to keep things reasonable secure while still allowing business users to get their jobs done. However, if the users are not trained AND willing to participate, this kind of thing is going to happen regardless.

      1. Anonymous Coward
        Anonymous Coward

        Re: And...

        "IBM is likely doing its part to keep things reasonable secure"

        I'm guessing you haven't worked with IBM outsourcing where the handover will be to a project manager who will then pass things onto a technical expert when they are available/hired. In the meantime, status reports are easy to fake.

        "However, if the users are not trained AND willing to participate, this kind of thing is going to happen regardless."

        I agree - but these companies seem to be coping even worse than the NHS did with WannaCry, inspite of the NHS's well known challenges around older OS's.

    4. Anonymous Coward
      Anonymous Coward

      Re: And...

      FexEx (or rather the TNT arm, as that was actually that part that got hit) outsource to DXC Technology for the Wintel side of things. No IBM involvement AFAIK.

  2. David Lawrence

    Can't anything be done??

    I work in IT but am ignorant about the way Bitcoin works, so this may be a ridiculous suggestion. Surely if it is possible to trace a Bitcoin account/wallet thingy that is being used for purposes such as this, it should be possible to freeze it/block it/re-possess it as well? Come on chaps, this is the 21st Century and all we can do is sit watch the crims withdraw their ill-gotten gains?

    Surely something can be done, even if it takes a while and requires new laws to be passed. We've got to stop them demonstrating that this is a successful business model.

    1. FuzzyWuzzys Silver badge

      Re: Can't anything be done??

      I thought that was the point of BitCoin, it's "stateless" and hence why so many online criminals use it as funds cannot easily be traced.

      1. Anonymous Coward
        Anonymous Coward

        Re: Can't anything be done??

        (not an expert, don't even have a bit coin wallet)

        My understanding is that the advantage for the legally challenged is that they don't require an account with a 3rd party organisation (e.g. bank) to collect store and spend money. Financial organisations have tightened down on money laundering in a huge way.

        I imagine the job of law enforcement folks is to find evidence tying a bitcoin wallet to a group or individual.

        The disadvantage bitcoins have over cash is the entire history of every bitcoin is available in the blockchain. It may or may not be possible to use this to link wallet to owner.

        So if the FakeCry wallet owner spent some of their coins directly at Amazon, having a nice new Ferrari delivered to their home address, then they would be easily identified and brought to justice. I guess most bitcoin users engaged in illegal activities would launder their money more effectively.

    2. Lee D Silver badge

      Re: Can't anything be done??

      Bitcoins are just a numbered account.

      And most bitcoin accepters won't know to block that particular account.

      And the holder of that account can generate effectively infinitely many new accounts, break the funds up, redistribute them, and pay from those other accounts in seconds. Although technically traceable to an extent, they would have already received their goods/services by the time anyone can correlate them properly, and the more they break them up, the harder it becomes.

      Bitcoins can literally be broken into billions of pieces. And who knows whether someone who receives or acts as an intermediary for any of those pieces are an innocent party (e.g. been paid in Bitcoin and know nothing about the origin of the funds), related to the scam, or the scammer themselves? It could be the scammers setting up a billion laundering accounts, but each one is indistinguishable from an account that someone else has had for years but never used and who happened to get a donation on their website (e.g. I have a button on my website to donate Bitcoin to me in such a fashion, people use it to donate to me for running a gameserver).

      And though Bitcoin is "traceable", it's far from easy, and only gives you and enpdoint (i.e. someone paid the ransom into the ransom account, which was ultimately spent in these several billions different pieces at any number of end-points which are places like shops, service accounts, Internet hosts, pastebin, etc.

      Even ordinary stores are starting to take Bitcoin now, and vending machines, and places like the Humble Bundles. Though you can say the ultimate destination, and know the path it took, why it took that path and whether that was money laundering or innocent transactions in the interim is impossible to determine.

      These guys spent it all without breaking it up much. But that still doesn't help. Sure, pastebin would probably know the associated account and may terminate now that it's in the news, but they aren't obliged to check EVERY origin of EVERY payment they ever receive for EVERY type of currency.

      1. Jonathan 27 Bronze badge

        Re: Can't anything be done??

        You're right, but you missed laundering through exchanges. You can take your bitcoin and trade it for Ethereum, Litecoin or whatever, trade that to another exchange and keep going through a few cycles. It becomes near impossible to trace, especially because most exchanges aren't willing to reveal their records. And there are plenty or exchanges located in uncooperative or highly privacy-law gated countries.

    3. Dan 10

      Re: Can't anything be done??

      I suspect I'm not much more knowledgeable about this than yourself (also no account), but my understanding is that there is no entity who can stop the transaction or freeze funds. Bitcoin is based on the blockchain, which, IIRC, is simply a distributed ledger. So instead of a bank keeping a record of accounts, transactions and balances, there are multiple peer ledgers around the world, each keeping a partial record of transactions that take place on the blockchain, but with no 'owner' or manager of the ledger. (Think of the internet itself, and of how you smile knowingly when someone hysterically demands for the internet 'to be switched off"!) The whole point of the blockchain is that because each transaction is verified against multiple copies of the ledger, and every copy needs to agree with the numbers, there is theoretically no way to stop or undermine it. The fact that the blockchain cannot therefore be defrauded is the irony in this criminal use of the technology.

      I *think* all transactions themselves are publicly visible (hence the bot watching the account for the cash withdrawal), but the accounts are numbered - no names, proof of ID or any of that, so even if you can see the funds, you can't attribute them. The trick is how you would follow the laundering process to turn the those bitcoins into 'clean' money that can be spent legally. Given, though, that money laundering is a skill set in itself, pursuing that is a whole other story.

  3. Anonymous South African Coward Silver badge

    Another outbreak coming soon, most probably...

    Batten down the hatches, make sure you have offline backups etc etc.

  4. Prst. V.Jeltz Silver badge

    initial attack vector

    "A poisoned update to a Ukrainian tax software program"

    Well how did it get there?

    1. 404 Silver badge

      Re: initial attack vector

      The Russians, of course, duh...*

      * Boogeyman to everybody but the Russians...

    2. Bluto Nash

      Re: initial attack vector

      "Well how did it get there?"

      Letting the days go by?

    3. phuzz Silver badge

      Re: initial attack vector

      It doesn't really answer your question of how it got there, but this article is a good run down of what the attackers did once they had remote access.

      I'm wondering, how is it that there's only one piece of tax software that the government accept? Surely as long as your tax returns are in the correct format, it doesn't matter what software was used to create them/

      1. katrinab Silver badge

        Re: initial attack vector

        Microsoft Dynamics seems to be the only other option. They sit somewhere between the likes of Sage and SAP in terms of market positioning. Large companies that are too complex for Dynamics will use something like SAP to get the numbers and put them in MeDoc to file the return. Small companies will likely use MeDoc for everything.

    4. Hckr

      Re: initial attack vector

      Probably stupid developer had sharing open to the internet. They payload got in, reported back an interesting victim, downloaded other modules and the hackers infected the update.

  5. Pirate Dave
    Pirate

    ya gotta think

    the more "legit" cryptoware scammers are gonna get pretty pissed that these n00bs are pissing in the well by not following up and decrypting the data as promised. If folks start getting the idea that their data probably won't be recoverable even if they pay the ransom, they are going to be less likely to pay, which ruins the pot for the guys who DO release the decryption keys after payment.

    So maybe this will turn into a Spy-vs-Spy kind of thing amongst the scammers and they'll focus on wiping out each other instead of fucking with innocent people's shit.

  6. DougS Silver badge

    $10,000 for all that trouble

    That's like burning down a whole skyscraper to collect insurance on a single item in one office. And next time the take will be even lower, because it became known that no one got their files unlocked from NotPetya, so why would anyone bother paying up next time?

    1. John Brown (no body) Silver badge

      Re: $10,000 for all that trouble

      "so why would anyone bother paying up next time?"

      I guess it depends on the rate of return. Spam is still a thing.

      1. DougS Silver badge

        Re: $10,000 for all that trouble

        Spam takes a minute or two to send out once you have the infrastructure built up, or rent someone else's. There's almost no time investment, and if you have your own botnet, no money invested.

        Ransomware is a different thing. How many man hours did it to take to turn Petya into NotPetya, including testing? There's enough return there for a casual criminal in a third world country, but not organized crime. I suspect they're about done with ransomware, and the programming required is beyond most casual criminals - if they had that skill level they'd be hired guns on a darknet working for organized crime...

  7. Hargrove

    This was just a test , , ,

    had this been a serious hack, the retirement account you worked forty years to accumulate would have gone missing.

    Actually, I'm fairly confident that financial institutions have multiple off line back-ups and procedures to ensure that they are never connected to the outside world. So your funds might only be temporarily missing. I'm still concerned about the economic and social impact that would result from a major financial institution being taken down temporarily the way British Airways not long ago.

    Security through obscurity would be all well and good, if it weren't for the fine print in those one-sided service agreements we're all forced to accept stating that, not withstanding any gilt-edged guarantees elsewhere, you, the customer, are responsible for security, including maintaining local off-line backups to secure your own data.

    Several days ago I had occasion to visit a community help blog. In the process I noticed something that was both gratifying and disturbing. It's one thing for an old retired fossil like meself to complain that the technology is fundamentally broken and not working properly. It's another thing when the youngsters who still have to make their living using it start having similar reactions.

    One fellow summarized it eloquently. "We need context. We can see what the system is doing, but we don't have any visibility of how it's doing it." Gratifying to find that it's not just creeping senility and that I'm not alone. Disturbing to reflect on the implications for information security.

    Regarding which, every time another successful hack is reported it reminds me of the classic Monty Python "Cheese Shop" bit. "You've got no bloody cheese at all, then 'ave you?!!!"

    For what it's worth.

    1. tfb Silver badge

      Re: This was just a test , , ,

      If a big financial institution goes away for any length of time the results are likely to be a zombie-apocalypse level catastrophe: all the other institutions expire, the ATMs stop working, looting for food, &c. That's why the banks got bailed out in 2008: 'let them fail' was not a serious option, no matter how appealing it was,

      I think it's fairly likely that a big financial institution will suffer some catastrophic failure in the next ten years.

      1. J. Cook Silver badge

        Re: This was just a test , , ,

        Uh, not quite that bad. Maybe. Great Depression level? Most certainly.

  8. Arachnoid

    "so why would anyone bother paying up next time?"

    If you were oh......say a large western intellegence company and you wanted to poison the ransom well and thus deter others asking for money what better action could one take.........

  9. Hckr

    If I would be the sysadmin for a big company, I would have recovered in one day.

    That all "virus virus, hackers hackers" crying is just a shithead detector.

    All those "affected" companies are a piles of shit with retards for sysadmins.

    I salute those NotPetya developers! They did a good job, exposing scammers and cheaters.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019