What evidence is there that this is actually the SolarWinds hackers and not someone who uploaded some random encrypted files and is hoping to trick people into sending them money?

There’s a PGP signature, but as far as I’ve heard the attackers didn’t leave behind any other messages to prove it was signed with the same key.

And it does not seem a very serious attempt either. The only way to make this deal is through a single listed protonmail address that, if this gets any traction, will be closed in all likelihood. Not like an onion site with a contact page or something.

Not really.

The message is PGP signed. If the protonmail address is taken down, then another message will be put out with alternate means of contact that will have a correct PGP signature.

If you read the message there is indeed an onion address as backup in case things get taken down.

The PGP address is the important part. No matter what gets taken down, if they can get attention to another message with a valid PGP signature, then they can carry on easily.

EDIT: This is actually how Cicada3301 of all people operated. The PGP key allowed them to post a message even on Pastebin or /x/ and they would still be contactable and effectively uncensorable, because their identity was persistent and their messages were replicated.
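Added example, not part of the thread or any commenter's code: the key-continuity check described above amounts to pinning the fingerprint from the first signed message and accepting a later message only if gpg reports a valid signature from that same key. The fingerprints and status lines below are constructed, and `gpg_status` assumes a local `gpg` binary with the pinned public key already imported into `homedir`.

```python
import subprocess

# Constructed sample data (not taken from any real key or message).
PINNED = "A" * 40   # primary-key fingerprint recorded from the first message
OTHER = "B" * 40    # an unrelated key that also happens to be in the keyring

def validsig_line(fpr):
    # Layout of gpg's VALIDSIG status line; the last field is the primary key.
    return f"[GNUPG:] VALIDSIG {fpr} 2021-01-12 1610409600 0 4 0 1 10 01 {fpr}"

SAME_KEY = f"[GNUPG:] GOODSIG {PINNED[-16:]} constructed\n{validsig_line(PINNED)}\n"
DIFFERENT_KEY = f"[GNUPG:] GOODSIG {OTHER[-16:]} constructed\n{validsig_line(OTHER)}\n"
BAD_SIG = f"[GNUPG:] BADSIG {PINNED[-16:]} constructed\n"      # text was altered
UNKNOWN_KEY = f"[GNUPG:] NO_PUBKEY {OTHER[-16:]}\n"            # key not in keyring

def valid_signers(status_text):
    """Primary-key fingerprints of every cryptographically valid signature."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) >= 3:
            # Prefer the primary-key fingerprint over a signing subkey's.
            signers.append((fields[11] if len(fields) >= 12 else fields[2]).upper())
    return signers

def same_signer(status_text, pinned_fpr):
    """True only if at least one signature is valid and all valid ones match the pin."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = valid_signers(status_text)
    return bool(signers) and all(s == pinned for s in signers)

def gpg_status(signed_file, homedir):
    """Verify a clearsigned file and return gpg's machine-readable status output."""
    result = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--status-fd", "1",
         "--verify", signed_file],
        capture_output=True, text=True)
    return result.stdout
```

A `True` result shows only that the later message was signed with the same key as the first one; it says nothing about who holds that key, which is the question raised at the top of the thread.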

As a side note, with so much attention on replacing PGP, I've long thought the turning point would be when a group like this uses something else. It's just a highly visible thing and it's a group that a lot of people assume know what they are doing.

> with so much attention on replacing PGP

There actually isn't much attention on replacing PGP with anything specific.

What other completely decentralized alternatives exist with no single point of failure? libsodium? That's a good start but a long way from a complete alternative.

Plenty of quasi-centralized encrypted chat "apps" keep pretending they offer what PGP offers. The clueful ignore these gesticulations.

Indeed, for a side project I have, I have a problem I want to be able to solve of "encrypt a file with a passphrase in a way that's secure and can be decrypted with standard tools". PGP is the best option for this, but I'm resisting implementing it in the hope I can find something better.

You may wish to look at age: https://github.com/FiloSottile/age