Slashdot Mirror


Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com)

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."

182 comments

  1. The Nuclear Option by trg83 · · Score: 5, Interesting

    While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

    1. Re:The Nuclear Option by Anonymous Coward · · Score: 2, Insightful

      You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

    2. Re: The Nuclear Option by Anonymous Coward · · Score: 1, Insightful

      How does it hurt the ransomware creators? When you pay the ransom, you're placing your trust in criminals to give you the decryption key after they have your money. I suppose your argument is that when people don't receive the decryption key, it will lead to people not paying the ransom. However, short of reading news reports about this, people won't discover the email address has been taken down until after they've already paid the ransom. One issue here is that the NSA needs to be held accountable for hoarding vulnerabilities instead of working to increase security. The NSA is working against the American people in many cases, or so it seems. I also believe that there should be OS-level protections such as keeping shadow copies of files around that don't get removed without user intervention.

    3. Re:The Nuclear Option by The+MAZZTer · · Score: 1

      The question is, is the ransomware hardcoded with the old e-mail? If so, getting a new e-mail address won't help him at this point unless he starts all over with sending out a new version of the malware to infect new victims.

    4. Re:The Nuclear Option by Anonymous Coward · · Score: 2, Insightful

      Fuck the lives of the arseholes who are encouraging and funding ransomware infections. The only true victims are the ones that don't pay. The ones that do pay are helping create more victims. This isn't a nuclear option, none of the innocent victims are hurt by this. In fact, because of this, the damage the arseholes cause will be mitigated, and the only people who suffer from this, are the arseholes.

    5. Re:The Nuclear Option by Anonymous Coward · · Score: 4, Insightful

      Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".

    6. Re:The Nuclear Option by Anonymous Coward · · Score: 0, Troll

      > While this doesn't do anything to improve life for the poor folks trying to retrieve their files

      Oh those poor snowflakes. Won't someone think of the poor people who couldn't set up one of the myriads of automated backup mechanisms - both local and "in the cloud" - that are available today?

      Won't someone think of the poor sysadmin that still uses a script to back up his files - that has been failing since 2002 - instead of a robust and proven software solution?

      Won't someone think of the poor manager, who has been told exactly 28553 times (I saved the emails) that we needed to start taking security seriously, and implementing a robust backup policy because of exactly this sort of thing?

      Poor, poor users. Victims of their own incompetence and stupidity. They got exactly what they deserved.

    7. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      I thought this when I saw the photos. The malware is so slick in other regards that I'm almost surprised they didn't think of this.

    8. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      You're the douche that didn't secure their networks tool bag.

    9. Re: The Nuclear Option by Rockoon · · Score: 3, Insightful

      > The NSA is working against the American people in many cases

      ..and against the world in the rest of the cases.

      --
      "His name was James Damore."
    10. Re:The Nuclear Option by gweihir · · Score: 4, Insightful

      I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:The Nuclear Option by EvilSS · · Score: 1

      > While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      But they still get paid. It will take time for people to find out they can't get their files back even if they pay. Many people will never know. You want nuclear option, find a way to seize their bitcoin wallets or block transactions to it.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    12. Re:The Nuclear Option by Zocalo · · Score: 1

      Most malware these days is multi-stage; the initial exploit package will then download a payload which, in this case, would likely be the ransomware toolkit, and that would also most likely include the email. A quick update to the payload would fix the scammer's problem with the Posteo email, but that's not going to help all that much now anyway. None of the PCs that are already infected are likely to be re-infected by the updated payload - they're stuck on the ransom screen for the old version - and AV vendors will be probably getting updates out fairly soon as well which negates the old exploit package. Their only real option is to re-spin both packages and start over.

      I wonder if anyone has managed to make a violin shape by pushing some individual atoms around with an STM yet, because that's the only way there would be one small enough to properly express how little I care for their troubles.

      --
      UNIX? They're not even circumcised! Savages!
    13. Re:The Nuclear Option by thegarbz · · Score: 1

      > this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option

      It's a nuclear option against a metaphorical cockroach. Blocking an email service will do nothing to stop people who are able to program malware like this. Any idiot can set up an email server. A slightly clever idiot can do so properly. These guys will not be stopped by the inability to use someone else's email service.

    14. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      The money still reaches the hacker's account, they just don't have any way to send the keys back to them. So the hacker profits and the victims have no way to get their files back. That won't 'end the war', it just hurts the victims more.

    15. Re:The Nuclear Option by barc0001 · · Score: 4, Insightful

      > You really think malware creators won't be able to find any email providers that are friendly to their cause?

      Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.

    16. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      Grandparent has definitely been successfully phished at least three times in 2017 alone.

    17. Re: The Nuclear Option by barc0001 · · Score: 1

      It hurts the ransomware creators by cutting off their ability to receive those payments. Makes it less profitable to do ransomware, and more risky for the money you did get. Look at it this way: If you set a forest on fire and burned a million acres, but got $250,000 to do it, the risk/reward/effort equations work out in your favor. But if the next time you burned another million acres you only got $6000 for it, you would probably decide that in light of the effort involved and the amount of heat from law enforcement coming down that further attempts are too risky for too little reward.

    18. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      I was hoping the nuclear option was to find who is running these malware attacks and literally nuking them.

    19. Re:The Nuclear Option by chispito · · Score: 1

      > the fallout is likely to hurt many unintended targets,

      Yes, exclusively

      > but it could end the war.

      It won't.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    20. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      Yes, they still got paid. And the victims that paid money and still lost all their files are the worst off of all. However when word gets around about what happened and it becomes common knowledge that people who pay ransomware still don't get their files back, people will know to stop paying.
      Of course there will be a few who pay up in the vain hope that it would work, but if the majority of people know that it's just throwing good money after bad, then the business model of these ransomware writers will fall over. (fingers crossed).

    21. Re:The Nuclear Option by Rei · · Score: 1

      Of course they can find a different email provider. But the version that's gone out and infected people - victims who presumably won't be infected twice - has used this email address, which is no longer valid.

      What I find interesting about this article is that they're using a commercial email service with a known account. While Posteo doesn't collect or store IP addresses, I would think that they could be subpoenaed to return future IP information for future attempts to log into the account. Also, if the account was left open, subpoenas could also be issued upstream; even with encrypted traffic, they could probably match IPs by timing (aka, the attacker's click generates a request to send an email, which is presumably sent with virtually no delay, so the two could be matched up - unless Posteo imposes some sort of significant delay).

      They could of course be connecting to Posteo through Tor. But there are plenty of ways to attack targeted Tor users as well.

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    22. Re:The Nuclear Option by slew · · Score: 1

      > I wonder if anyone has managed to make a violin shape by pushing some individual atoms around with an STM yet, because that's the only way there would be one small enough to properly express how little I care for their troubles.

      No violins that I'm aware of yet but here's a really small harp for the swan song...

    23. Re:The Nuclear Option by EvilSS · · Score: 2

      > Yes, they still got paid. And the victims that paid money and still lost all their files are the worst off of all. However when word gets around about what happened and it becomes common knowledge that people who pay ransomware still don't get their files back, people will know to stop paying. Of course there will be a few who pay up in the vain hope that it would work, but if the majority of people know that it's just throwing good money after bad, then the business model of these ransomware writers will fall over. (fingers crossed).

      You mean like how word got out about ransomware being a thing and therefore everyone now makes sure they have solid offsite backup schemes in place now?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    24. Re:The Nuclear Option by iamgnat · · Score: 1

      > While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      WTF does the asshat at the other end of the malware care if the email account works or not? Most aren't going to find out that it's a dead email address until they've already paid. So asshat already has the money, what do they care about your files?

    25. Re: The Nuclear Option by bestweasel · · Score: 4, Insightful

      "eliminate the incentives for ransomware creators"

      This assumes that the ransom is their main incentive.

    26. Re:The Nuclear Option by thewolfkin · · Score: 1

      > You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

      or just non-email options. I mean it might be necessary, every barrier makes it harder to do, but easy enough to set up a masked chat service somewhere.

      --
      Just another second banana
    27. Re:The Nuclear Option by tlhIngan · · Score: 1

      > It will take time for people to find out they can't get their files back even if they pay.

      That's the reason.

      Think about it for a second. Ransomware only works when the malware developers are honest. In fact, many will walk you through the process of getting bitcoins and how to fix your computer, because they know it takes just one f**k-up to hose the entire business model.

      All the user has is trust. Trust in that if they do these things, they'll get their data back. Once that trust is violated, it's game over.

      So if the user sent the money, and didn't get the unlock key, you think the user will go around paying next time? No, and in fact, they'd post all over facebook about how they got ripped off and thus ending the problem once and for all. In fact, the malware authors are probably scrambling because they know that new victims are getting snared and there's no way to tell them how to pay to get their data back. And those new infected users are likely to be the ones who blast out that they got screwed over.

      Letting users get screwed is the way to kill ransomware. If users cannot trust the person who holds their data hostage to give it back, they'll be unlikely to pay the person at all, leaving no money in it.

      Harsh, but true. As long as people know that if they can pay, they'll get their data back, they will continue to pay. If people pay and get ripped off, they're not likely going to pay, and they'll tell others who are in the same boat that they got screwed so don't bother paying.

    28. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      Almost everyone will have paid before they get the "undeliverable" response in their email. You may argue that cutting the guy's email off will prevent people paying in future cycles, but this time around it looks like cutting off the email actually screws the paying victims, not the creator.

    29. Re:The Nuclear Option by Northdot · · Score: 2

      How would the victim get the decryption key? Just curious.. I'm sure there is a way, but it doesn't seem obvious.

    30. Re: The Nuclear Option by gbjbaanb · · Score: 1

      It certainly hurts the next gen of ransomware if they know they won't be able to get their cash.

      I thought though that they haven't actually paid the ransom until it was collected?

      As for shadow copies - get a backup solution, Mozy, Crashplan, etc all have free options that will backup your "My Documents" folder and they all keep histories of files backed up.

    31. Re: The Nuclear Option by Anonymous Coward · · Score: 1

      My understanding is this does not cut off their ability to accept payments since it is done through bitcoin. They can still get all the payments no problems. However now the affected users have no way of contacting them to get their decryption key after they have sent payment, and if they aren't paying attention to stories like this they would have no way of knowing that the email is not valid until after they have sent their payment and then send the email and get a bounce back.

      So now even if the malware author was going to provide working decryption keys in exchange for the ransom, they can now just take all the payments and throw their hands in the air and be like well I can't do anything now since the email access was revoked.

    32. Re: The Nuclear Option by guruevi · · Score: 2

      You could ask to pay 1.xxx BTC and then refund them 0.1xxxx or whatever arbitrary value you like.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    33. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      They can "throw their hands in the air" but people get the message: "Paying the ransom won't get your files back"

      It doesn't matter if the bad guys "don't care" or "are sorry but have problems with their email provider". Paying doesn't work - so next time people won't try paying.

    34. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      Offsite backup is not needed to guard against ransomware. A backup server in the server room will be enough. Offsite is for guarding against "building burned to the ground" scenarios - or thugs running off with all the equipment.

    35. Re: The Nuclear Option by viperidaenz · · Score: 1

      That would be awesome, since the smallest BTC is 0.00000001, that only leaves 10 million possible decryption keys. Anyone could brute force a 24-bit key in minutes.

    36. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      So you think that if someone pays the ransom and gets the decryption key, they're likely to pay it next time?

      A more likely scenario is that after the first time, they start keeping backups.

    37. Re: The Nuclear Option by Miamicanes · · Score: 2

      The catch is, then you're either stuck paying monthly fees for several terabytes of cloud storage in perpetuity (and dealing with a multi-day, multi-terabyte upload for that first backup that effectively makes the computer and your internet connectivity unusable until it completes), or have to use local storage that itself is vulnerable to ransomware.

      Yes, I'll admit it. I'm a data-hoarder (my laptop ALONE has a 1TB SSD and a 2TB hard drive, with an additional 6 1-3TB (mostly full) hard drives in the closet)... and I'm now metaphorically in the same position as a crazy cat lady with 9 storage units, a house that's packed floor-to-ceiling, and a neat, tidy condo that's kept neurotically decluttered (because everything that WOULD clutter it goes into one of the storage units or uninhabitable house for storage in perpetuity).

      We're talking about SO MANY FILES, just doing something like "dir/s g:" on one of the older USB2.0 drives can take almost a day to finish running. And 2 of THOSE drives basically contain the entire contents of a MOUNTAIN of even older 20-500GB hard drives (at USB 1.1 speeds, just COPYING them to the new drives ended up soaking up most of my free time for about 3 weeks).

      Every time I try to deduplicate and clean up the files, I end up making things even worse:

      1. Make complete backup onto new hard drive big enough to hold all the existing files. Usually, with compression, since it's the only way to keep the backup down to a manageable size.

      2. Start cleaning out the original files.

      3. Something goes badly wrong.

      4. Now, I have a complete backup that can't be directly compared to the remaining files (because it's compressed and/or in some proprietary format) that I can't ever get rid of (because of the unknown files corrupted in step 3 that are safely backed up, even if I don't know which files they are), AND I have almost as many original files as I started with. So the next time I try doing this, I'll have twice as many files to deal with.

      It's the zipfiles of image backups in tarballs of tarballs from past attempts that cripple me the worst... too many to scrutinize by hand, but ALSO too many to risk losing forever by doing any kind of in-place automated action when something will inevitably go wrong.

    38. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      No one is getting their files back. How fucking stupid can you be? Yes, I expect the criminal who just scammed me out of $300 is actually interested in running a customer service operation and will be investing time and money in handing out keys to everyone. FUCK ME PEOPLE ARE SO DUMB.

    39. Re:The Nuclear Option by Dunbal · · Score: 2, Insightful

      Prayer. And it will be just as effective as any other prayer. Why the hell should I give you anything back? You think I'm worried about my "business image" and brand? Honor among thieves? This generation is so naive.

      --
      Seven puppies were harmed during the making of this post.
    40. Re: The Nuclear Option by guruevi · · Score: 1

      Then make it a series of transactions, you could even encode a checksum if you'd like.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    41. Re: The Nuclear Option by Dunbal · · Score: 1

      > by cutting off their ability to receive those payments.

      I guess you have no idea how a bitcoin wallet works.

      --
      Seven puppies were harmed during the making of this post.
    42. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      If it was simply this generation that was naive, then it would be in this generation that currency was given its value by decree. Societies that embrace fiat currency and fractional reserve banking deserve nothing less than an entire society of thieves.

    43. Re: The Nuclear Option by Anonymous Coward · · Score: 1

      Easy, set up a TOR site instead of some crappy email service. And it could even automate the bitcoin transfer verification and supply the unlock code.

    44. Re:The Nuclear Option by FeelGood314 · · Score: 2, Informative

      The malware creator will obviously be honorable because he has to prove that he will unlock the files of the other people who pay. The malware creator actually has more concern about his business image than most companies you deal with.

      Just because YOUR generation has no respect for integrity doesn't mean it isn't valuable.

    45. Re: The Nuclear Option by Anonymous Coward · · Score: 1

      Or just purchase 2 cheap NAS boxes (6 TB each are relatively cheap) and put one at a friend's place after the initial first-time sync. Very cheap and easy. Backups are done nightly between the two NAS in both directions because friendly friend paid for half the gear. He needs backups, too. Each backup is diff-only. We hold 60 days worth of backups before overwriting so we have a way to recover if we start backing up crud. Check out rsync and rsync snapshot software. This is way cheaper than any cloud storage. Once you're up and running, you can putter around de-duping and cleaning up all you want. You'll have 60 days to check over your changes and revert if you don't like them.
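
      The diff-only snapshot scheme described above, as an added example that is not part of the post or of any rsync tool: a plain POSIX sh reimplementation of the hard-link snapshot idea (so it runs without rsync), with the 60-day pruning the post mentions. The backup root path, the sample files, and the "encrypted" overwrite in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): hard-link snapshot backups in plain
# POSIX sh, the same idea rsync --link-dest snapshot tools implement, with the
# 60-day retention the post describes. Assumes local paths (a mounted NAS
# share behaves the same) and file names without newlines.
set -eu

# take_snapshot SRC ROOT NAME
# Copies SRC into ROOT/NAME. A file that is byte-identical to the copy in
# ROOT/latest is hard-linked to it instead of duplicated, so a snapshot only
# costs the space of what changed ("diff-only"). A file that ransomware has
# overwritten no longer matches, so it gets a fresh copy while the clean
# version survives untouched in the older snapshot.
# rsync equivalent: rsync -a --delete --link-dest=../latest SRC/ ROOT/NAME/
take_snapshot() {
    src=$1; root=$2; name=$3
    dest="$root/$name"
    prev=""
    if [ -d "$root/latest" ]; then
        prev=$(cd "$root/latest" && pwd -P)
    fi
    mkdir -p "$dest"
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$src/$f" "$prev/$f"; then
            ln "$prev/$f" "$dest/$f"     # unchanged: share the inode
        else
            cp -p "$src/$f" "$dest/$f"   # new or modified: real copy
        fi
    done
    rm -f "$root/latest"
    ln -s "$name" "$root/latest"         # relative link, survives remounts
}

# same_inode FILE1 FILE2 : true when both paths are hard links to one inode
same_inode() {
    [ "$(ls -i "$1" | awk '{print $1}')" = "$(ls -i "$2" | awk '{print $1}')" ]
}

# restore_file ROOT NAME RELPATH TARGET : copy one file back out of a snapshot
restore_file() {
    cp -p "$1/$2/$3" "$4"
}

# prune_snapshots ROOT DAYS
# Deletes snapshot directories whose mtime is older than DAYS days, never the
# one "latest" points to. Because of the hard links, files shared with newer
# snapshots survive the deletion; only data that exists nowhere else is freed.
prune_snapshots() {
    root=$1; days=$2
    keep=$(cd "$root/latest" && pwd -P)
    find "$root"/* -prune -type d -mtime +"$days" | while IFS= read -r d; do
        [ "$(cd "$d" && pwd -P)" = "$keep" ] && continue
        rm -rf "$d"
    done
}

# demo: constructed data, a simulated overwrite of one file, and a recovery
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/docs/sub"
    printf 'quarterly report\n' > "$work/docs/report.txt"
    printf 'photo bytes\n'      > "$work/docs/sub/photo.jpg"
    take_snapshot "$work/docs" "$work/backup" day1
    printf 'OVERWRITTEN\n' > "$work/docs/report.txt"   # constructed damage
    take_snapshot "$work/docs" "$work/backup" day2
    same_inode "$work/backup/day1/sub/photo.jpg" "$work/backup/day2/sub/photo.jpg" \
        && echo "photo.jpg stored once, shared by both snapshots"
    restore_file "$work/backup" day1 report.txt "$work/docs/report.txt"
    cat "$work/docs/report.txt"                       # quarterly report
    rm -rf "$work"
}
case "${1:-}" in demo) demo ;; esac
```

      Run with `sh snapshot.sh demo`. As later comments in this thread point out, a backup host that the protected machines can write to is itself a target, so the snapshot root belongs on a host that pulls from clients rather than on a share they can mount read-write.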

    46. Re:The Nuclear Option by Dunbal · · Score: 1

      In your little fantasy world perhaps. In reality, ZERO files were unlocked by WannaCry authors, and ZERO files have been unlocked by Petya authors so far.

      --
      Seven puppies were harmed during the making of this post.
    47. Re:The Nuclear Option by Gavagai80 · · Score: 2

      > they'd post all over facebook about how they got ripped off and thus ending the problem once and for all.

      Are most people really going to tell everyone that they paid off a criminal organization? No, they're going to be ashamed of that (and perhaps worried that it's illegal) and pretend that part didn't happen.

      --
      This space intentionally left blank
    48. Re: The Nuclear Option by Gavagai80 · · Score: 1

      It's the only incentive for ransomware. If a malware author/distributor is motivated by other things, they write/distribute other kinds of malware.

      --
      This space intentionally left blank
    49. Re: The Nuclear Option by viperidaenz · · Score: 1

      So the victim is expected to make 10+ transactions of an exact amount in the specific order and hope the criminal responds by giving them back some money over 10+ transactions? The criminal would make more money if they didn't follow through with it.

      Giving back even a 256 bit encryption key would require 78 digits of data. To do that in 10 transactions would cost on average 5BTC (all 8 decimal places filled with data, averaging 0.50000000 BTC each)
      Over 20 transactions with 4 digits of data is 0.00005 * 20 = 0.0002BTC = $0.50USD

      However assuming RSA asymmetric encryption a 256-bit key is completely useless. 1024-bit keys are brute-forceable

      A slightly more reasonable private key is 2048 bits, requiring 617 decimal digits. You now have to wait for the criminal to make 78 transactions, costing them up to 78BTC, or 160 transactions costing them on average 0.00005 * 150 = 0.0075BTC = ~$20USD

      Then you have to collate the transactions, order them and type in 617 digits without making a mistake.

    50. Re:The Nuclear Option by Bert64 · · Score: 1

      All it does is further punish those who want to retrieve their files (assuming the ransomware creator would actually honor the payment, of which there is no guarantee)...

      Future malware creators will just use a different email provider or some other method of communication, they won't be deterred from their activities in the slightest.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    51. Re: The Nuclear Option by negRo_slim · · Score: 1

      If their data is important enough, yes. And it's not money being given back, it's the data represented in those refund values that they must send to ensure people can trust them to unlock the files in the first place.

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
    52. Re:The Nuclear Option by Bert64 · · Score: 1

      But we don't know how the Petya authors would respond upon receiving a ransom payment. Maybe they would unlock the files but we won't be able to find out now.

      It's actually in their interest to unlock files upon receipt of the ransom, as that will increase the chances of any future victims paying too. If files never get unlocked then users won't even consider payment.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    53. Re: The Nuclear Option by Anonymous Coward · · Score: 1

      It could be a distraction for something else. For much of the day, the world was running around with its hair on fire about "zomg global ransomware attack," and lots of admins spent their entire workdays frantically patching systems / disabling smbv1 / verifying prior patches. Who knows what else snuck under the radar that won't be noticed for awhile, if ever?

    54. Re: The Nuclear Option by Bert64 · · Score: 1

      Depends how big the ransom is...
      Users may decide that the cost of paying the occasional ransom is easier/cheaper than the hassle and cost of making backups and improving their security practices.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    55. Re: The Nuclear Option by trg83 · · Score: 1

      Anything that increases doubt in a victim's mind that a ransom would be successful decreases the expected value of a ransomware creator's haul, thus diminishing their incentive. It's not that the malware can't move to another domain or morph to use a strategy--my point is only that the ransomware business is based on the perception they will deliver what they offer, and any chink in that confidence is a net win.

    56. Re:The Nuclear Option by Dunbal · · Score: 4, Insightful

      The more contact you have with your victim the more chances you have of being caught by law enforcement, silly. If I was a criminal I'd take a quick couple thousand bucks worth of bitcoin and disappear without a trace over trying to "score big" and having them catch me via my email correspondence sending out "keys". Hundreds of thousands/millions of dollars are no consolation when your ass is thrown in jail forever and all your assets seized before you can ever enjoy them.

      --
      Seven puppies were harmed during the making of this post.
    57. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      A malware creator or a dumb kid using maas does not have a business, much less a business image... they just hope for a few people dumb enough to pay up! And then they take the money and run!
      If we did not have crypto currency or if it was not recognized by legitimate entities, then we would be less vulnerable to crap like ransomware

    58. Re:The Nuclear Option by Bert64 · · Score: 1

      Assuming the backup server is correctly configured, and access to it cannot be obtained using credentials acquired from one of the servers being backed up...
      If the ransomware can spread onto the backup server, then it can encrypt/destroy your backups too unless they're stored on media that has been physically disconnected from it. In most places I've seen, the backup server (if there was one at all) was joined to the same domain as everything else; once you compromise the domain you control the backups too.

      Chances are the backup server is also on the same patch schedule, so if your boxes got infected because they were out of date your backup server could easily get infected in the same way.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    59. Re: The Nuclear Option by Bert64 · · Score: 1

      They might be motivated solely by a desire to cause chaos and destruction, and reusing existing ransomware code was easier than writing new code for wiping data. Or perhaps they derive a perverse pleasure not only from destroying people's data, but also from giving them false hope that it could ever be recovered.
      There was at least one ransomware family I read about which encrypted the data using a random key, and then completely discarded the key making the data unrecoverable.

      There are plenty of evil and/or crazy people out there, we can't possibly know all of their motives.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    60. Re: The Nuclear Option by behrooz0az · · Score: 3, Insightful

      I really want to downvote this comment chain "Idiot -1". Why not just give them back a private pastebin ID with the key in it?

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    61. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      *sudden outbreak of common sense*

      Except that'd put pastebin next on the chopping block.

    62. Re:The Nuclear Option by AmiMoJo · · Score: 1

      I wonder if it creates legal liability for them though... Maybe someone who knows more about German law can comment, but in other places it might be possible to argue that some of the losses resulting from the ransomware were due to losing the ability to pay it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    63. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      Not even. Bitcoin addresses aren't meant to be reused. Each victim should be instructed to deposit to a specific address.

    64. Re:The Nuclear Option by AmiMoJo · · Score: 1

      The risk/reward ratio is terrible. Unlike simpler ransomware that mostly affected home users and small businesses, this NSA powered variant is hitting hospitals, infrastructure, big businesses and governments. No matter how much money you make, it probably won't be of much use to you. You will need to launder it before you can use it, and you have law enforcement coming after you, the NSA probably wants their exploit back and is looking for you too...

      You will end up either hiding and not being able to enjoy your money, or unable to collect it, or in jail, or some combination.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    65. Re: The Nuclear Option by AmiMoJo · · Score: 1

      I have about 5TB of data backed up to the cloud (SpiderOak, fully encrypted on my end of course). Took a few months to get the initial upload done, and maintaining it is at most an overnight job now. I'm paying $120/year for unlimited storage, which admittedly was a special offer a few years back.

      For commercial scale backups you would start by mailing some hard drives to the backup provider.

      Cost wise, Google Coldline is $7.168/month/terabyte. If I'm reading it right, uploading data is free, you only pay if you need to download it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    66. Re:The Nuclear Option by wvmarle · · Score: 1

      More likely it's going the same way those prescription drug offers and Nigerian scams go: just more of them, as there are always new victims to be found.

    67. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      There are no asymmetric keys involved usually, just the symmetric AES/whatever key, which can be 256 bits and is still usable. It would also be possible to use elliptic curve keys if asymmetric encryption is needed for some reason, as they're significantly smaller than an RSA key of equivalent strength.

    68. Re: The Nuclear Option by Dr.+Evil · · Score: 1

      That's why you use Dogecoins instead. Then you get both sides of the decimal point.

    69. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      If the criminal scammed you out of $300 and you knew he wouldn't be paying... aren't you the one who is SO DUMB?
      Why did you even bother paying???

    70. Re:The Nuclear Option by Anonymous Coward · · Score: 0

      So as a victim, I pay, get my IDs to email, send the email and it bounces...
      My end result: my money is gone, my files are gone.
      Hacker's end result: still gets the money, doesn't have to send anything to unlock the files.

      Not sure how this is helping anyone.

    71. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      To be fair, working against the rest of the world is their job. I'm not saying that's a good idea, but the anger at them over spying on non-US entities is a bit misplaced; it needs to be aimed at the legislators who gave them that mandate by creating and funding them.

    72. Re:The Nuclear Option by EvilSS · · Score: 1

      because that was the important take-away from the post you replied to.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    73. Re: The Nuclear Option by Anonymous Coward · · Score: 0

      The ransomware creator has already gotten his money. It's the victim on the other end who paid and still cannot get their files unlocked. Couldn't the email address form part of an investigation to find the hacker/s instead of shutting it down?

    74. Re:The Nuclear Option by Mike+Van+Pelt · · Score: 1

      They're also hitting Russian infrastructure with this one. Speaking of the nuclear option, how about a sprinkle of polonium 210?

    75. Re: The Nuclear Option by bestweasel · · Score: 1

      Things aren't necessarily as they seem.

      A ransomware attack that affected at least 2,000 individuals and organisations worldwide on Tuesday appears to have been deliberately engineered to damage IT systems rather than extort funds, according to security researchers.

    76. Re:The Nuclear Option by gweihir · · Score: 1

      The way I read German law, it does not. They may not _delete_ email without explicit consent (that is why German email providers legally are obliged to keep SPAM, usually putting SPAM in a separate folder), but they can always say that they will hand email over if the customer identifies itself. Also, in order to file a complaint, the customer would have to identify himself to the police.

      So I think as long as they keep the email and just not deliver it anymore, they are perfectly in the clear.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Well shit... by TheCastro1689 · · Score: 1

    Looks like hackers need to use email servers from companies that don't give a shit, or make their own.

    1. Re:Well shit... by Megane · · Score: 2

      Or they could ask their victims to make random posts on /. and have the codes look like the Bayesian spammer with stuff like "goat.cx" and "frist post" in certain combinations. Then nobody will ever know what they're doing.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re: Well shit... by Anonymous Coward · · Score: 0

      If they make their own email server they are much more traceable. That involves an IP and server paid for by someone somehow. A webmail account can be set up untraceably if you want to.

    3. Re:Well shit... by Anonymous Coward · · Score: 0

      It's amazing how dumb ransomware still can get this big. Why make a central point of failure? The local installation could generate a new bitcoin address where the victim can send their bitcoins. The local installation can then forward the money to the attacker's bitcoin address including any keys that may need to be sent, all stored in the blockchain. When the local installation determines that all payments have reached the attacker's bitcoin address, it could decrypt the files. Using email is just lame.

    4. Re: Well shit... by Anonymous Coward · · Score: 0

      Thank you. Now please type "transgender bathroom" into the unlock code box and your files will be unencrypted.

    5. Re:Well shit... by freeze128 · · Score: 1

      If the criminal ever tries to call support to unlock his account, I'm sure the authorities would track down the call and find his location. But he doesn't ever need to log into his email ever again. If he controls an upstream system, he could just inspect the traffic. Email is sent in clear text.

    6. Re: Well shit... by Anonymous Coward · · Score: 0

      It's not hard or expensive to set up a server on Tor.

  3. Instead of doing that... by Anonymous Coward · · Score: 1

    They could've just cooperated with the authorities to unmask the scumbag.
    It just takes a moment of inattention on his part to not use a VPN/Tor/whatever else that masks his IP.

  4. Disturbing by Anonymous Coward · · Score: 1

    From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."

    That statement by itself is disturbing enough as it is.

    1. Re: Disturbing by Anonymous Coward · · Score: 0

      Honestly, there are cases where Windows should simply be banned. Forbidden by law.

    2. Re: Disturbing by david_thornley · · Score: 3, Funny

      Windows would be a lot less popular if we just banned glass and other transparent materials.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    3. Re: Disturbing by kit_triforce · · Score: 0

      And this would help how? Every OS has security holes.
      Every. Single. One.
      Without exception.
      Why? Because no matter how clever we are, these are all created by fallible humanity, and there is some way to circumvent, interrupt, override, overpower, or simply break it (even if it's just with a well aimed rock).
      Windows was the biggest and the most installed, and thus it had the most people attacking it and finding flaws, holes, and weak points of every kind. If all the Windows OS systems were scrapped today, the brains behind these attacks would simply move to the next most profitable target and do the same again.
      Microsoft and Windows have obvious issues, but they are not unique or limited to themselves. All you can do is try to make it too hard for the criminals to turn a profit (or gain whatever power they seek).

    4. Re:Disturbing by Anonymous Coward · · Score: 2, Insightful

      From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."

      That statement by itself is disturbing enough as it is.

      Why is it disturbing? Do they expect the radiation levels around Chernobyl to go up?!

    5. Re:Disturbing by Anonymous Coward · · Score: 0

      But...that's a violation of Microsoft's EULA!

    6. Re: Disturbing by Anonymous Coward · · Score: 0

      You're right, all software created by humans has the same number of security vulnerabilities; no software is any more secure than anything else.

      OpenSSL had Heartbleed, so we may as well use ROT13 for all online transactions.

    7. Re: Disturbing by Bert64 · · Score: 1

      Because Windows is less modular than other systems that would be more suitable to tasks like this.

      You want a tiny embedded system with the smallest possible attack surface, not a large general purpose system like Windows with stacks of legacy cruft and features which are totally irrelevant to the task at hand. The less code you have, the less chance of security holes being found. Sure, nothing is perfect, but a system which is 10% of the size is going to be far safer.

      The other issue is monoculture: if everyone runs the same software, everyone has the same vulnerabilities and an attack can cause widespread chaos. If a system is important, you should have a backup which is running on something else (like Chernobyl having a manual system).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:Disturbing by Anonymous Coward · · Score: 0

      Why is it disturbing? Do they expect the radiation levels around Chernobyl to go up?!

      YES, you fucking idiot.

  5. What was Posteo supposed to do? by Rosco+P.+Coltrane · · Score: 4, Interesting

    Leave the scammer's email addy active and be accused of being an accessory to racketeering?

    Tough shit for the ransomware victims, but they just had to do it.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:What was Posteo supposed to do? by Anonymous Coward · · Score: 2, Insightful

      Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.

    2. Re:What was Posteo supposed to do? by fred6666 · · Score: 3, Interesting

      Maybe they already have that information? What more could they learn by leaving the account active for longer?

    3. Re:What was Posteo supposed to do? by Anonymous Coward · · Score: 0

      False. Posteo took no part in the racket and did not benefit from the racket. It would be like charging Ford with racketeering because one of the racketeers drove an Escort.

    4. Re:What was Posteo supposed to do? by Aristos+Mazer · · Score: 1

      Once they knew about it, allowing the scam to continue... wouldn't that be aiding and abetting?

    5. Re:What was Posteo supposed to do? by Bert64 · · Score: 1

      No, what Posteo did is more like replacing illegal drugs (which *can* be harmful and/or deadly) with cyanide (which is always deadly).

      Prior to Posteo's actions those victims had a chance (however slim) of recovering their data, now they have no chance due directly to the actions of Posteo.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:What was Posteo supposed to do? by Anonymous Coward · · Score: 0

      It's faster for the email provider, who is NOT in the business of helping anyone.

      You shut it down immediately for doing something against your email service rules; people can't pay but that's not your problem. At the beginning of the whole clusterfuck you probably don't have more than a couple of logs; you put those logs on your twatter page for any police in the world to check out, and that's it, you don't need to do any more work. That's what I would do too, the least work possible. Fuck Microsoft and their shit software that they are clearly not testing, fuck people that don't patch because Microsoft doesn't test their software or because they are lazy, fuck institutions that buy shit software with everybody's money, fuck the affected that should have backups anyway, and fuck the creators of the virus. All of them, fuck every single one of them.

      If it's not something that's my fault, I'm going to go the route of doing the least work I humanly can. And anybody not doing that is fucking stupid; life is too short to fix other people's shit, and we are in summer already, fuck them all.

  6. Good. by Anonymous Coward · · Score: 2

    Stop paying fucking ransoms you fucks.

  7. Black death by roman_mir · · Score: 0

    Almost 700 years ago a massive plague wiped out tens or maybe hundreds of millions of Europeans and today a computer virus caused massive outages of service for retailers, banks, manufacturers, airports and government offices (the most irrelevant of all problems, maybe an actual benefit even). Obviously this is all connected and it's Russia that caused it obviously (Petia - diminutive of Petr or Peter if you like.)

  8. It would be funny, except ... by El+Cubano · · Score: 4, Insightful

    It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security.

    1. Re:It would be funny, except ... by Anonymous Coward · · Score: 0

      It would be funny, except that people are paying the ransom and not getting their files back.

      Pays ransomware arsehole, gets fucked with arsehole's ransomware. Why's that not funny?

    2. Re:It would be funny, except ... by DRJlaw · · Score: 1

      It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].

      So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.

      Screw that. Extortionist begone.

    3. Re:It would be funny, except ... by Anonymous Coward · · Score: 0

      And because email has nothing to do with receiving the money, the hacker is still profiting.

      I get they didn't want to be seen as an accessory, but this action amounts to destruction of the data. I could see them getting sued over this.

    4. Re:It would be funny, except ... by Zocalo · · Score: 2

      Nope, that's the best part. Not only are the victims going to get schooled on the importance of good backups and security, but they are also going to get schooled on the importance of *not giving in to blackmail*. I'm hoping that the media will be full of stories of people who paid up and still didn't get their files back - sucks to be them, but it could well make subsequent attempts at ransomware not worth the risk for such a pitiful reward. How much did WannaCry yield in the end? A few $100k (assuming they even managed to claim it all)? It isn't going to take much of a change in victim mindset to make even the relatively tiny cost and effort of launching a ransomware campaign not worth the risk of getting caught.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:It would be funny, except ... by El+Cubano · · Score: 2

      So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.

      Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).

      However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities deserve to suffer the full weight of the law in any and every jurisdiction that can get a hold of them, if not more.

      My reference to The Six Dumbest Ideas in Computer Security was an acknowledgment that educating users (like how to not get hit by phishing attacks in the first place) is an extreme uphill battle which is oftentimes lost. Just look at the frequency and extent of these sorts of attacks.

    6. Re:It would be funny, except ... by Grishnakh · · Score: 1

      Yes, but the customer is going to continue to extort them anyway, with or without your help: the malware isn't going to magically disable itself just because the email address is defunct. Now they're just going to send their Bitcoin payments and not get anything in return, and the malware author will receive all these nice Bitcoin payments but not be able to decrypt anyone's files, so it's actually less work for him. Of course, one might argue that when word spreads about the email address being suspended that victims will stop sending payments, but I think that's fancifully naive; the victims aren't going to be paying attention to tech news like that. If these victims were really that clued-in, they would have backups and wouldn't pay the ransom in the first place, and would probably have better security procedures to avoid getting infected.

    7. Re:It would be funny, except ... by mark-t · · Score: 1

      Because of this thing called compassion. It's not unheard of, you know.

    8. Re:It would be funny, except ... by DRJlaw · · Score: 1

      My reference to The Six Dumbest Ideas in Computer Security was an acknowledgment that educating users (like how to not get hit by phishing attacks in the first place) is an extreme uphill battle which is oftentimes lost. Just look at the frequency and extent of these sorts of attacks.

      I read the initial post as a "educating the non-customers by cutting off the proof-of-ransom communication channel was a dumb idea" criticism.

      My apologies.

    9. Re:It would be funny, except ... by DRJlaw · · Score: 1

      Yes, but the customer is going to continue to extort them anyway, with or without your help.

      Accessory after the fact is still accessory to a crime. The fact that the customer needs you to be an accessory to mitigate their damage is going to get you --)(-- that much with a prosecutor with a mind to punish anyone they can reach.

    10. Re:It would be funny, except ... by Anonymous Coward · · Score: 1

      No but it doesn't justify standing by while the whole malware industry surges even further because people are too stupid to back up their files properly.

      If I got hit with ransomware, I wouldn't pay a dime. I'll just wipe the hard drive and restart. I may not be a company, but a company should have a LOT more resources available to do proper backups.

      And if events like this happen more often, then some good will come out of it. People will see that even if they pay the ransom they may still not get their files back. As a result, more people will probably not take a chance at paying it. Lost revenue for the criminals. I'm fine with that.

    11. Re:It would be funny, except ... by Anonymous Coward · · Score: 0

      It's sad you got burnt, but considering you're now pouring more gasoline on it, it's also funny.

    12. Re:It would be funny, except ... by mark-t · · Score: 1

      I didn't say I wasn't fine with it.... I only suggested how one might not find it funny that someone is unable to recover their lost data, even if they *DO* pay.

      I don't abide paying the ransom for a second, but that doesn't mean I don't feel bad for the people that it happens to.

    13. Re:It would be funny, except ... by Grishnakh · · Score: 1

      Yes, but I'm commenting on the "continuing extortion" bit: the extortion isn't going to stop by you shutting down their email. The extortionist doesn't even have a way to stop it.

    14. Re:It would be funny, except ... by Bing+Tsher+E · · Score: 1

      The only innocent victims are the people who didn't pay the ransom and won't get their files back.

      The people who paid are financing the criminal's next operation.

    15. Re:It would be funny, except ... by vtcodger · · Score: 1

      IF I were the email provider, I'd hire a lawyer and pay him/her to tell me what to do. Most likely, he/she will contact the authorities, outline the options, and let THEM decide what to do. No matter what they do, said email provider will almost certainly be sued by someone -- very likely lots of someones.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    16. Re:It would be funny, except ... by wideBlueSkies · · Score: 1

      If I had points I'd mod you through the roof. Great page!!

      --
      Huh?
    17. Re:It would be funny, except ... by SuperDre · · Score: 1

      Backups? You mean those things that are infected too if the malware has been doing a good job of running for a couple of weeks.. Let's not forget, 'good' ransomware is already working weeks before it shows itself, and in the meantime it will affect all files which are being backed up. You're lucky if you can detect that ransomware way before it shows its ugly head to you, but a lot of times it isn't.. Great, now you have a backup... but it's useless.. And in a lot of companies having to revert back to a month old backup is just as bad as not having a backup at all.. In these cases you're lucky if it's ransomware that only encrypts everything and when it's done will immediately show its head so you can put a day old backup back.

    18. Re:It would be funny, except ... by Anonymous Coward · · Score: 0

      dating yourself there

  9. restraint of trade by Anonymous Coward · · Score: 0

    lawsuits will be forthcoming

  10. haven't heard from even one real person yet by Anonymous Coward · · Score: 0

    about having to ransom their gizmos? another madison ave. smoke & mirrors debacle? cease fire stand down applies.. sing along.. https://www.youtube.com/watch?v=3TrSMaOZm3Y

    1. Re: haven't heard from even one real person yet by Anonymous Coward · · Score: 0

      I have. A business that I once did freelance for and declined to work for again in the future after seeing their CF of code.

  11. Clue me in about this malware please by Spy+Handler · · Score: 1

    What systems are affected? Windows and...? What is the attack vector, do you have to click on a suspicious link or is it like Wannacry where you don't have to do anything to get infected, just have a machine connected to the internet?

    I did scan TFA briefly, but it is skimpy on details.

    1. Re:Clue me in about this malware please by F.Ultra · · Score: 1

      It uses the exact same exploit as WannaCry so you don't have to do anything besides not having a patched version of Windows.

    2. Re:Clue me in about this malware please by bjdevil66 · · Score: 1

      So far, patches have beaten the latest, big ransomware out to end users. Eventually, however, a solution will beat the patch out the door - causing problems on a scale that will dwarf everything before it. It could bring the worldwide internet to its knees as people stop connecting at all because of FUD.

      When that day finally comes, it'll be best to have backups made of your important data in an external hard drive that's disconnected from everything and sitting somewhere safe - only to be connected and updated on occasion.

  12. Ransomware solutions by Anonymous Coward · · Score: 0

    There will always be people who pay the ransom. Just like saying "do not feed the trolls" for decades hasn't stopped people from trolling and getting bites, you won't stop ransomware that way. But there are some better ideas:

    1) The NSA needs to be held accountable for hoarding vulnerabilities. The American people need to demand this, and perhaps massive ransomware infections will make it evident that these organizations prioritize their hacking ability ahead of real security.

    2) This is a business opportunity for cloud-based or offline backup systems. There's a lot of money to be made if more people and businesses start making backups.

    3) There could be OS-level protections that would make it harder for ransomware to operate. I'm thinking something along the lines of keeping shadow copies of files around that have been overwritten, and can't be deleted without direct user confirmation. Basically, you can encrypt a copy of the file, but there's a shadow copy residing on the disk that the OS prevents from being encrypted or deleted without direct authorization from the user. When that shadow storage space fills up, the user is prompted to clear it or the disk is treated as full and writes to files are prevented until there's space in the shadow storage area.

    1. Re:Ransomware solutions by Bert64 · · Score: 1

      1) If the NSA don't hoard vulnerabilities, then vulnerabilities will still be hoarded by foreign intelligence agencies and criminals. The NSA will be at a disadvantage and the world will be no better off.

      3) How would you implement "direct user intervention" as a requirement? Unless enforced at the hardware level, ransomware would just need to execute the same instructions that the user-driven deletion confirmation does. Also a lot of software creates and destroys temporary files during its normal operation; saved copies of all these temporary files would rapidly accumulate and regularly require the user to manually confirm their removal.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Ransomware solutions by Anonymous Coward · · Score: 0

      3) It's a little more cumbersome, but maybe a process that copies important files to another system where they can't be deleted by ransomware. If attacked, the files can be restored, using this alternate storage.

  13. hackers hackers hackers by Anonymous Coward · · Score: 0

    Entirely hacks possible hacks to hacks write hacks this hacks without hacks invoking hacks the hacks cyber hacks bogeymen hacks of hacks teh hacks intarwebz.

    So hacking pick hacking your hacking sources, hacking you hacking lazy hacking failures hacking of hacking editors.

  14. Re:Blocking e-mal? by Anonymous Coward · · Score: 1

    Fairly certain extortion is illegal in Germany too, so once the email provider was made aware of the criminal acts occurring on their system, they have to shut it down, lest they be considered accomplices (witting or otherwise) in the criminal endeavor.

    That you didn't realize this is no surprise to me, as your random capitalization of words and parroting of political talking points already outed you as a fucking moron who was likely unable to think critically.

  15. Re:Blocking e-mal? by Anonymous Coward · · Score: 2, Insightful

    It's a private company. They set the terms of service and decide who can and can not use their products/services and for what purposes. I wouldn't be surprised if there was a clause in the TOS stating that the service can be terminated for any reason and without notice.

  16. Re:Blocking e-mal? by gweihir · · Score: 1

    I don't think so. Deleting email may be illegal, but if they keep all the mail and offer the account-owner a chance to get it by identifying himself, this is legally quite above board. It is also very likely that the account owner is violating the TOS of Posteo.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Re: Blocking e-mal? by Anonymous Coward · · Score: 0

    Because if they did, they would have to also cover the original source, which is the N$A. If the U.S. starts to get flack for creating this kind of software, then an actual investigation will have to be made. That puts a security risk because the investigators would be someone outside of the agency, to which is not going to have better security. It will leak. Then, the other four of the Five Eyes may be forced to be investigated as well. I don't think the people in the UK and EU realize how badly they are being spied on 24/7; it's become normal to them.

  18. Re: Blocking e-mal? by Anonymous Coward · · Score: 0

    Or more reasonably terminated for criminal activity.

  19. Re:Blocking e-mal? by Anonymous Coward · · Score: 0

    What LAW would That be?

  20. All car has always a backdoor, the 3rd or 5th door by Anonymous Coward · · Score: 0

    These hidden cybercriminals should be caught and sent to jail.

    Make DDoS to Bitcoin's servers.

    Make DDoS to Tor's servers.

  21. Ooops, your important email are disabled by Anonymous Coward · · Score: 0

    If you see this text, then your emails are no longer accessible, because you are a piece of $h1t.

  22. Re:Blocking e-mal? by Anonymous Coward · · Score: 0

    Now we have a way to disable ANYONE's Posteo account: send a few emails saying "here's the proof I paid my ransom, please unlock my files!!", then tell Posteo that x's email is being used to receive ransomware confirmations. Their anti-abuse team will read the poor guy's email, see the ransom mail, and block the account straight away.

  23. Honeypot ransomware by cowwoc2001 · · Score: 4, Interesting

    Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?

    1. Re:Honeypot ransomware by mark-t · · Score: 1

      One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not. So what's the point of him being there? Better than nothing? I guess.. but probably only a lot more likely to just create a false sense of security.

      A healthy backup policy is the only real workable solution... and considering it is even automatable, I can't say I understand the resistance to practicing it.

      Although I've not been hit by ransomware, having an automated backup policy in place on my system has still saved my data on more than one occasion, whether it was due to disk drive failure or because of human error.

    2. Re:Honeypot ransomware by Mal-2 · · Score: 2

      Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    3. Re:Honeypot ransomware by swb · · Score: 2

      Wasn't that what Tripwire was all about?

    4. Re:Honeypot ransomware by CaptainDork · · Score: 1

      Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Honeypot ransomware by Anonymous Coward · · Score: 3, Interesting

      One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not. So what's the point of him being there? Better than nothing? I guess.. but probably only a lot more likely to just create a false sense of security.

      A healthy backup policy is the only real workable solution... and considering it is even automatable, I can't say I understand the resistance to practicing it.

      Although I've not been hit by ransomware, having an automated backup policy in place on my system has still saved my data on more than one occasion, whether it was due to disk drive failure or because of human error.

      well this first generation of ransomware relies on crypto libraries currently in the system, you can hook and tell the OS to snapshot the process's memory and possibly be able to get the prime numbers used to generate the keys that, while the attack is going on, are in memory, like the Quarkslab solution for XP systems works.

    6. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      Because this specific one does its job at (re)boot, presumably before any antivirus is running.
      Also I do remember getting notifications about a modified HOSTS file

    7. Re:Honeypot ransomware by Hentes · · Score: 2

      As far as I know this specific virus only encrypts the MFT.

    8. Re: Honeypot ransomware by Anonymous Coward · · Score: 0

      As soon as you write that function, you can sell it to the AV vendors.

    9. Re:Honeypot ransomware by cowwoc2001 · · Score: 1

      Clever!

    10. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      Because "malicious" isn't something a computer can decide. It's a very fast, very autonomous pocket calculator with peripherals that abstract those calculations into all sorts of interesting outputs. Your pocket calculator can't figure out when you hit "+" but meant "-". Neither can a computer determine what is and is not "malicious" just by simply looking at it without any human input. The earliest forms of "AI" and "training" were the heuristics files for anti-virus programs, and those were created by humans, who did research and figured out the patterns and signatures to watch out for. And we all know how effective those have been. (If you haven't been keeping score: "not very".)

    11. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      Yes. Unfortunately on Windows, where everyone has to be admin to accomplish anything, you can't trust that such a system will report things properly. A malware author could simply hook tripwire.dll (or whatever) and inject their own hash comparison function that always returns true.

    12. Re:Honeypot ransomware by n3r0.m4dski11z · · Score: 1

      Sophos supposedly has technology (Intercept X) that can heuristically determine when an encryption event is going down and should automatically block it. It works by looking for files being rapidly encrypted and immediately stops it and I believe tries to roll back the changes so that less than 1% is actually encrypted.

      For us, the virus scanner has caught a few ransomware viruses before they made it that far, so we have yet to test that. But it's a well advertised feature of their product line.

      https://www.sophos.com/en-us/p...

      It requires its own license, and I think it's selling like hotcakes these days.

      --
      -
    13. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      Why isn't modifying the MBR flagged as something which requires Admin permission?

    14. Re:Honeypot ransomware by Bert64 · · Score: 1

      That's for OS files like executables, which should never change except during patching cycles.
      User files are expected to change, and users would become annoyed at the extra dialogs every time they saved (or autosaved) their work.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      Computers cannot judge intent. They cannot even in general judge what a program does without having it do it (see The Halting Problem).

      Also, it would be slow. Computers are slow enough already.

      What they can do and what some Linux distros and Solaris and MacOS do is provide a disk snapshotting feature at the OS level where you can just return to the previous snapshot (where the files weren't encrypted) if something like that happens.

    16. Re:Honeypot ransomware by Anonymous Coward · · Score: 0

      It's called the Halting Problem.

    17. Re:Honeypot ransomware by fgouget · · Score: 1

      Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?

      Two words: Halting problem.

    18. Re:Honeypot ransomware by wvmarle · · Score: 1

      So now you want to have your OS to be checking files continuously? Or how is it supposed to detect such crypto attacks? Many important files - like documents - are supposed to change on a regular basis anyway...

    19. Re:Honeypot ransomware by Mal-2 · · Score: 1

      Document files, and just about anything else with an internal header section, could be quickly checked simply to see if they are valid files. No matter how much you change a document, it should remain valid. If it doesn't, you probably want to know about it regardless of whether the cause is ransomware or simple file system errors. Now if ransomware evolves to scramble document contents without breaking the container, then this will stop working -- but we're not there right now.

      As for checking files continuously, it doesn't have to be done at a high rate. Checking files only when the machine is idle will help too. Even when there's someone at the console, there are plenty of times the computer is sitting around waiting for a response to something, and it could be checking the validity of files. If it starts seeing changes, it should increase the priority of the checking process until it can determine with reasonable confidence whether the changes are legitimate or malicious.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
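    The ideas floated in this subthread (cowwoc2001's canary file, Mal-2's hash baseline, swb's Tripwire comparison, and Mal-2's later point that a document should still be a valid container after a legitimate edit) can be combined into one small tripwire. The script below is an added example, not code from any commenter or vendor: the magic-byte table, the 7.0 bits/byte entropy threshold, the sample files and the "attack" that overwrites them with random bytes are all constructed for the demo. It builds a SHA-256 baseline, plants a randomly named canary, and flags files whose header no longer matches their extension (or whose content has suspiciously high entropy when the format is unknown).

```python
"""Ransomware tripwires: hash baseline, canary file and container-validity check.

Added example for the thread above, not a commenter's or vendor's code.
MAGIC and ENTROPY_LIMIT are assumptions chosen for this demo.
"""
import hashlib
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Constructed magic-byte table for a few common container formats.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".gif": b"GIF8",
}
ENTROPY_LIMIT = 7.0  # bits/byte; assumed cut-off, plain text sits around 4-5


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Tripwire-style baseline: relative path -> SHA-256 of every regular file."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_since(root: Path, baseline: dict) -> list:
    """Baselined paths whose hash no longer matches (or that have vanished)."""
    current = build_baseline(root)
    return sorted(p for p in baseline if current.get(p) != baseline[p])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Header mismatch for a known container type, high entropy otherwise."""
    data = path.read_bytes()
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        return not data.startswith(magic)
    return shannon_entropy(data[:4096]) > ENTROPY_LIMIT


def plant_canary(directory: Path) -> tuple:
    """Drop a canary with a random name; return (path, expected hash)."""
    canary = directory / f".{secrets.token_hex(8)}.tmp"
    canary.write_bytes(secrets.token_bytes(64))
    return canary, sha256_file(canary)


def canary_tripped(canary: Path, expected: str) -> bool:
    return not canary.exists() or sha256_file(canary) != expected


def simulate_attack(root: Path) -> None:
    """Overwrite every file with random bytes, as file-encrypting ransomware does."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(secrets.token_bytes(max(len(p.read_bytes()), 1024)))


def demo() -> dict:
    """Run the three checks before and after a simulated attack on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n" + b"x" * 2000)
        (root / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 500)
        (root / "notes.txt").write_text("plain text " * 200)
        samples = ["logo.png", "notes.txt", "report.pdf"]
        canary, expected = plant_canary(root)
        baseline = build_baseline(root)
        result = {
            "changed_before": changed_since(root, baseline),
            "encrypted_before": [s for s in samples if looks_encrypted(root / s)],
            "canary_before": canary_tripped(canary, expected),
        }
        simulate_attack(root)
        result["changed_after"] = changed_since(root, baseline)
        result["encrypted_after"] = [s for s in samples if looks_encrypted(root / s)]
        result["canary_after"] = canary_tripped(canary, expected)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The hash baseline catches any change, legitimate or not, so it is only useful for files that should not change (binaries, configs); the header check is what lets the monitor stay quiet on a document a user just saved. Neither helps against a bootkit like the one discussed here that encrypts the MFT before the OS is up, and a monitor that runs as the same user as the malware can be disabled by it, as the comment about hooking tripwire.dll points out.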
  24. Code.org needs to provide adult-ed CS training by Anonymous Coward · · Score: 0

    Maybe instead of pumping all that money into trying to get little nippers to think CS is da bomb, they could funnel those funds into adult-ed style courses that cover things like:

        How to setup your computer so you're not running as a privileged user.
        How to backup your important user files in case of a catastrophe.
        How to avoid falling victim to phishing/ransomware scams.
            (with a focus on safer e-mail and browsing behaviors)

    These kind of courses probably wouldn't cost as much, wouldn't take as long, and would be more beneficial to a wider audience in the long run.

  25. Re:Blocking e-mal? by Anonymous Coward · · Score: 0

    Privacy is constitutionally protected. It's illegal for their anti-abuse team to "check" someone's account, no matter how well-intended they might be. The starting point of any action must be a police investigation, the issue of a warrant, and inspection of the account by an officer. During this process the company's anti-abuse team never gets to see anything.

  26. lulzofuckingroffly by Anonymous Coward · · Score: 0

    The irony. Its delicious.

  27. Alternative solution. by fahrbot-bot · · Score: 1

    Maybe the guy can publish his postal address, so people can mail their info to him.

    --
    It must have been something you assimilated. . . .
  28. Re:Blocking e-mal? by amicusNYCL · · Score: 2

    You're thinking that Germany passed a law saying that email providers are required to always provide users with free access to their account, even if that email account is used as part of a crime? For example, trading child pornography, trading copyrighted content, facilitating money laundering or extortion, etc? Why would any country pass a law like that? I can't think of a single country which WOULD have a law like that.

    But, don't let simple rational logic stop you from contacting the real "News Media" and asking them to investigate Germany over this. The world still needs humor.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  29. Re:Blocking e-mal? by Anonymous Coward · · Score: 0

    What German constitutional statute?

  30. Re:Blocking e-mal? by amicusNYCL · · Score: 1

    Privacy is constitutionally protected.

    What, you mean in the United States, by the United States Constitution, which wouldn't apply to Germany anyway? Are you talking about the fourth amendment? Because, and I'm not a lawyer or anything, but I bet that if a ransomware campaign publishes an email address to use to send extortion payment info, I'm pretty sure that investigation of that email account would not be classified as "unreasonable search". That search sounds pretty reasonable to me. In fact, deciding to deactivate access to this account just because the address appeared in the actual malware doesn't even require that they look at the emails in the account. They can just disable access to it, they don't even have to delete any of the emails or reject new emails in order to do that, they can just turn off the ability to check emails on the account.

    But, let's face it. The fourth amendment has been eating shit for the past 16 years, with no end in sight. Disabling an email account that is used in an extortion campaign is the least of our worries at this point, not even mentioning the fact that the US Constitution has nothing to do with this story.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  31. Re:The Nuclear Option * 100% agree by charliemerritt03 · · Score: 1

    Hard on the victims that paid. Perhaps the word should be out that criminals won't necessarily give you anything for your bitcoins. About time someone had nerves. Thanx.

  32. Rudyard Kipling by Stormy+Dragon · · Score: 5, Informative

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

  33. Ransomware by Anonymous Coward · · Score: 0

    People who develop ransomware are candidates for public execution. And it should be made illegal to pay their ransom.

  34. Re:Blocking e-mal? by viperidaenz · · Score: 1

    Maybe they're referring to The Basic Law for the Federal Republic of Germany
    They probably have no idea what is in that law, but you know, 'Merica

  35. Why Assume The Hacker Will Do Anything Once Paid by Anonymous Coward · · Score: 0

    These crypto-bandits don't need to provide anything once paid.... think about it.. they don't need the email address.

  36. Re:Blocking e-mal? by Sique · · Score: 1

    It's called "dignity of Man", and it is part of the preamble of the German constitution. From there, the so called "Census decision" of 1983 derived the right to informational self-determination.

    --
    .sig: Sique *sigh*
  37. Wow by Anonymous Coward · · Score: 0

    Wow. You have a serious psychological problem. Your data hoarding is just a scratch of the surface. 9 storage units and a house? You need psychological help, and maybe medication.

    1. Re:Wow by Miamicanes · · Score: 1

      I didn't say *I* had 9 storage units and a house. It was an analogy.

      The metaphorical "storage units" are my USB 2.0 hard drives, and the tarballs ON those drives are kind of like "storage units in another city that can only be visited once in a while, for a limited amount of time". They're so slow (relative to the sheer number of files on them), and some of their contained archive files are so huge (one has more than a hundred sliced tarballs, each of which has about 2GB worth of files and a current size averaging about 1.2GB) that it would take literally DAYS to extract them from the USB drive to my laptop's second hard drive. Assuming tar didn't crap out along the way, and Windows didn't find reasons to prevent it from writing the restored files to the target drive.

      The metaphorical "house piled floor to ceiling" is my HTPC (running Windows 7 Pro and Windows Media Center), which does double-duty as my "LAN file server". It has about 7TB spread across 9 hard drives... ~1TB is used by WMC to record TV shows and for Windows itself, about 2TB is older TV shows I moved from the main record drive when it got full, and the remaining 4TB is an agglomeration of all my old hard drives (250GB or larger) into a big JBOD RAID array.

      The metaphorical "neat condo" is my laptop. Both of its drives (1TB mSATA SSD, 2TB 2.5") are about half full... mostly, thanks to the 2TB drive I added last summer (which allowed me to offload half the stuff from my previously-jam-packed SSD).

      The best solution I've found so far is using Windows 7 backup (hidden in Windows 10, but there if you know where to look for it) to create .vhd images, because those .vhd images can later be mounted as virtual hard drives. This is significant, because it allows data files from the previous installation of Windows that are usable directly (.jpeg files, documents, etc) to be literally MOVED from the .vhd drive to the new drive, leaving a much smaller subset of old files to store in perpetuity after the restoration.

      But that does no good for the terabytes of old backups from 2010 and earlier... especially the clusterfuck caused by my OCZ SSD and Velociraptor... the Velociraptor (my "bulk data" drive at the time) died without warning in June, and my OCZ SSD had been committing data-suicide every 4-7 weeks since I got it the previous Black Friday. I was in the middle of recovering from a SSD-corruption when the 'raptor died, and ended up in TOTAL panic because at that point, I had some unknown subset of data that I had literally one remaining copy of. In the aftermath of that incident, my data duplication problem exploded... I was so afraid of losing my only remaining copy, I bought drive after drive to make additional copies (the fact that my SSD kept crapping out every few weeks just made matters worse). And because the SSD kept dying before I even finished recovering from the PREVIOUS incident (I finally threw in the towel, swore off SSDs temporarily, got a hybrid SSHD in October, and never used that total-piece-of-shit OCZ SSD again), the number of redundant copies exploded. Hard drive space increased exponentially and got cheaper, but the ACCESS & TRANSFER TIME didn't keep up with the amount of data, so I rapidly got into a position where I knew 90% of the files were redundant, but had SO MANY it was impossible to actually sift through them in any reasonable amount of time.

  38. How does this punish the hacker? by Anonymous Coward · · Score: 0

    The hacker is still getting his money, the people have already paid, and not receiving emails at this address does not prevent him from accessing his money.
    The poor sods whose data has been encrypted, on the other hand, now cannot get their keys, despite the fact that they have already paid.

  39. Fake Ransomware by The+Raven · · Score: 2

    This is probably not a real ransomware attempt. It's either a test that got released into the wild, or it's a simple malicious virus that was released and is masquerading as ransomware. Because it was initially released via a Ukrainian government website that businesses there need to use, it seems possible that this is another attack on Ukraine by the Russian government.

    Most ransomware infections use a different wallet code for each victim; this one has just one. Most ransomware also takes communication via Tor so it can't be blocked; this one used a public email. The dichotomy between the competence of the infection and the incompetence of the ransomware portion is what gives the impression that this is not really ransomware.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  40. Rubbish by Anonymous Coward · · Score: 0

    Rubbish, Once the "theoretical good version of an NSA" disclosed the vulnerabilities, they would be patched and useless to everyone.

  41. This seems counter-intuitive by Anonymous Coward · · Score: 0

    Why not alert the authorities and allow the hackers to use the email. They have to log in and read the emails sent to that address after all. And yes, I know, Tor etc etc redirects, bouncing across 20 different networks etc etc. But surely the authorities can track this shit?

    People need to patch their software
    Software companies need to provide fixes and better test to eliminate these security problems before they get into the wild
    AND governments need to tell the software companies about vulnerabilities that they have found and STOP using those vulnerabilities to make hacking software

    This war needs to stop, or it will end very badly.

    This is why we can't have nice things