Petya hackers issue fresh ransom demand
July 6, 2017 12:17 pm
The perpetrators of a recent cyber-attack that disrupted businesses across the world appear to have accessed the ransom payments they raised.
Just over £7,900-worth of virtual currency has been moved from the Bitcoin address listed in the blackmail demand that appeared on hacked PCs.
One expert said there was little doubt the funds had been tapped by those responsible for the crime.
And it seems they have now made a fresh ransom demand.
However, analysts suggest the move is intended to confuse investigations into the matter.
In other related developments, Ukraine’s interior minister has said the police managed to prevent a second wave of attacks by shutting down and confiscating computer servers used by a local software company, which is thought to have unwittingly helped the Petya-variant virus to spread.
And after having repeatedly denied any involvement in the transmission of the malware, the developer Intellect Service has acknowledged an upgrade to its MeDoc tax software was indeed “contaminated”, allowing the attack to be carried out.
“As of today, every computer which is on the same local network as our product is a threat,” the company’s chief executive Olesya Bilousova told reporters.
She added that one million computers in Ukraine had MeDoc installed on them.
The police have recommended that everyone stops using the program and turns off computers that have it.
Although the majority of the detected attacks occurred within Ukraine, according to analysis by security firm Eset the malware also affected businesses across the world.
Their computers became inaccessible after the code spread over their internal networks, scrambling a part of the PCs’ operating systems used to locate where files are stored.
High-profile casualties included Nurofen-maker Reckitt Benckiser, Oreo cookie manufacturer Mondelez International, the shipping group Maersk and the advertising agency WPP.
Most of those struck did not, however, pay the ransom demand. This was in part because the email address given by the attackers to contact them was shut down by its German operator.
And until Tuesday, the funds that were raised lay dormant.
But at 22:32 BST on Tuesday, three transfers were triggered.