Slashdot Mirror


Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com)

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."

36 of 182 comments

  1. The Nuclear Option by trg83 · · Score: 5, Interesting

    While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

    1. Re:The Nuclear Option by Anonymous Coward · · Score: 2, Insightful

      You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

    2. Re:The Nuclear Option by Anonymous Coward · · Score: 2, Insightful

      Fuck the lives of the arseholes who are encouraging and funding ransomware infections. The only true victims are the ones that don't pay. The ones that do pay are helping create more victims. This isn't a nuclear option, none of the innocent victims are hurt by this. In fact, because of this, the damage the arseholes cause will be mitigated, and the only people who suffer from this, are the arseholes.

    3. Re:The Nuclear Option by Anonymous Coward · · Score: 4, Insightful

      Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".

    4. Re: The Nuclear Option by Rockoon · · Score: 3, Insightful

      The NSA is working against the American people in many cases

      ...and against the world in the rest of the cases.

      --
      "His name was James Damore."
    5. Re:The Nuclear Option by gweihir · · Score: 4, Insightful

      I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:The Nuclear Option by barc0001 · · Score: 4, Insightful

      > You really think malware creators won't be able to find any email providers that are friendly to their cause?

      Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.

    7. Re:The Nuclear Option by EvilSS · · Score: 2

      > Yes, they still got paid. And the victims that paid money and still lost all their files are the worst off of all. However when word gets around about what happened and it becomes common knowledge that people who pay ransomware still don't get their files back, people will know to stop paying. Of course there will be a few who pay up in the vain hope that it would work, but if the majority of people know that it's just throwing good money after bad, then the business model of these ransomware writers will fall over. (fingers crossed).

      You mean like how word got out about ransomware being a thing and therefore everyone now makes sure they have solid offsite backup schemes in place now?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    8. Re: The Nuclear Option by bestweasel · · Score: 4, Insightful

      "eliminate the incentives for ransomware creators"

      This assumes that the ransom is their main incentive.

    9. Re:The Nuclear Option by Northdot · · Score: 2

      How would the victim get the decryption key? Just curious.. I'm sure there is a way, but it doesn't seem obvious.

    10. Re: The Nuclear Option by guruevi · · Score: 2

      You could ask to pay 1.xxx BTC and then refund them 0.1xxxx or whatever arbitrary value you like.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    11. Re: The Nuclear Option by Miamicanes · · Score: 2

      The catch is, then you're either stuck paying monthly fees for several terabytes of cloud storage in perpetuity (and dealing with a multi-day, multi-terabyte upload for that first backup that effectively makes the computer and your internet connectivity unusable until it completes), or have to use local storage that itself is vulnerable to ransomware.

      Yes, I'll admit it. I'm a data-hoarder (my laptop ALONE has a 1TB SSD and a 2TB hard drive, with an additional 6 1-3TB (mostly full) hard drives in the closet)... and I'm now metaphorically in the same position as a crazy cat lady with 9 storage units, a house that's packed floor-to-ceiling, and a neat, tidy condo that's kept neurotically decluttered (because everything that WOULD clutter it goes into one of the storage units or uninhabitable house for storage in perpetuity).

      We're talking about SO MANY FILES, just doing something like "dir/s g:" on one of the older USB2.0 drives can take almost a day to finish running. And 2 of THOSE drives basically contain the entire contents of a MOUNTAIN of even older 20-500GB hard drives (at USB 1.1 speeds, just COPYING them to the new drives ended up soaking up most of my free time for about 3 weeks).

      Every time I try to deduplicate and clean up the files, I end up making things even worse:

      1. Make complete backup onto new hard drive big enough to hold all the existing files. Usually, with compression, since it's the only way to keep the backup down to a manageable size.

      2. Start cleaning out the original files.

      3. Something goes badly wrong.

      4. Now, I have a complete backup that can't be directly compared to the remaining files (because it's compressed and/or in some proprietary format) that I can't ever get rid of (because of the unknown files corrupted in step 3 that are safely backed up, even if I don't know which files they are), AND I have almost as many original files as I started with. So the next time I try doing this, I'll have twice as many files to deal with.

      It's the zipfiles of image backups in tarballs of tarballs from past attempts that cripple me the worst... too many to scrutinize by hand, but ALSO too many to risk losing forever by doing any kind of in-place automated action when something will inevitably go wrong.

    12. Re:The Nuclear Option by Dunbal · · Score: 2, Insightful

      Prayer. And it will be just as effective as any other prayer. Why the hell should I give you anything back? You think I'm worried about my "business image" and brand? Honor among thieves? This generation is so naive.

      --
      Seven puppies were harmed during the making of this post.
    13. Re:The Nuclear Option by FeelGood314 · · Score: 2, Informative

      The malware creator will obviously be honorable because he has to prove that he will unlock the files of the other people who pay. The malware creator actually has more concern about his business image than most companies you deal with.

      Just because YOUR generation has no respect for integrity doesn't mean it isn't valuable.

    14. Re:The Nuclear Option by Gavagai80 · · Score: 2

      > they'd post all over facebook about how they got ripped off and thus ending the problem once and for all.

      Are most people really going to tell everyone that they paid off a criminal organization? No, they're going to be ashamed of that (and perhaps worried that it's illegal) and pretend that part didn't happen.

      --
      This space intentionally left blank
    15. Re:The Nuclear Option by Dunbal · · Score: 4, Insightful

      The more contact you have with your victim the more chances you have of being caught by law enforcement, silly. If I was a criminal I'd take a quick couple thousand bucks worth of bitcoin and disappear without a trace over trying to "score big" and having them catch me via my email correspondence sending out "keys". Hundreds of thousands/millions of dollars are no consolation when your ass is thrown in jail forever and all your assets seized before you can ever enjoy them.

      --
      Seven puppies were harmed during the making of this post.
    16. Re: The Nuclear Option by behrooz0az · · Score: 3, Insightful

      I really want to downvote this comment chain "Idiot -1". Why not just give them back a private pastebin ID with the key in it?

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  2. What was Posteo supposed to do? by Rosco+P.+Coltrane · · Score: 4, Interesting

    Leave the scammer's email addy active and be accused of being accessory to racketeering?

    Tough shit for the ransomware victims, but they just had to do it.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:What was Posteo supposed to do? by Anonymous Coward · · Score: 2, Insightful

      Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.

    2. Re:What was Posteo supposed to do? by fred6666 · · Score: 3, Interesting

      Maybe they already have that information? What more could they learn by leaving the account active for longer?

  3. Good. by Anonymous Coward · · Score: 2

    Stop paying fucking ransoms you fucks.

  4. It would be funny, except ... by El+Cubano · · Score: 4, Insightful

    It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security.

    1. Re:It would be funny, except ... by Zocalo · · Score: 2

      Nope, that's the best part. Not only are the victims going to get schooled on the importance of good backups and security, but they are also going to get schooled on the importance of *not giving in to blackmail*. I'm hoping that the media will be full of stories of people who paid up and still didn't get their files back - sucks to be them, but it could well make subsequent attempts at ransomware not worth the risk for such a pitiful reward. How much did WannaCry yield in the end? A few $100k (assuming they even managed to claim it all)? It isn't going to take much of a change in victim mindset to make even the relatively tiny cost and effort of launching a ransomware campaign not worth the risk of getting caught.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:It would be funny, except ... by El+Cubano · · Score: 2

      > So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.

      Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).

      However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities deserve to suffer the full weight of the law in any and every jurisdiction that can get a hold of them, if not more.

      My reference to The Six Dumbest Ideas in Computer Security was an acknowledgment that educating users (like how to not get hit by phishing attacks in the first place) is an extreme uphill battle which is oftentimes lost. Just look at the frequency and extent of these sorts of attacks.

  5. Re:Well shit... by Megane · · Score: 2

    Or they could ask their victims to make random posts on /. and have the codes look like the Bayesian spammer with stuff like "goat.cx" and "frist post" in certain combinations. Then nobody will ever know what they're doing.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Re:Blocking e-mail? by Anonymous Coward · · Score: 2, Insightful

    It's a private company. They set the terms of service and decide who can and can not use their products/services and for what purposes. I wouldn't be surprised if there was clause in the TOS stating that the service can be terminated for any reason and without notice.

  7. Re: Disturbing by david_thornley · · Score: 3, Funny

    Windows would be a lot less popular if we just banned glass and other transparent materials.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  8. Honeypot ransomware by cowwoc2001 · · Score: 4, Interesting

    Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?

    1. Re:Honeypot ransomware by Mal-2 · · Score: 2

      Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    2. Re:Honeypot ransomware by swb · · Score: 2

      Wasn't that what Tripwire was all about?

    3. Re:Honeypot ransomware by Anonymous Coward · · Score: 3, Interesting

      One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not. So what's the point of him being there? Better than nothing? I guess... but probably only a lot more likely to just create a false sense of security.

      A healthy backup policy is the only real workable solution... and considering it is even automatable, I can't say I understand the resistance to practicing it.

      Although I've not been hit by ransomware, having an automated backup policy in place on my system has still saved my data on more than one occasion, whether it was due to disk drive failure or because of human error.

      Well, this first generation of ransomware relies on crypto libraries currently in the system; you can hook and tell the OS to snapshot the process's memory and possibly be able to get the prime numbers used to generate the keys that, while the attack is going on, are in memory, like the Quarkslab solution for XP systems works.
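
The "roughly half" figure in the canary-file discussion above (cowwoc2001's question and the reply) can be made exact. This is an added example, not code from any commenter; it assumes a simple model in which the ransomware encrypts real files and canary files in a uniformly random order and is killed the moment a canary is touched, and it generalizes from one canary to k canaries.

```python
import math
import random

# Model assumption (added here, not the commenters'): n real files and k
# canary files are visited in uniformly random order, and the process is
# stopped as soon as the first canary is modified. Real ransomware usually
# walks directory trees in order, so in practice canaries must be spread
# across directories rather than relying on this average alone.


def expected_loss_fraction(n_canaries: int) -> float:
    """Expected fraction of real files encrypted before the first canary fires.

    The k canaries split a random permutation of the real files into k+1
    gaps of equal expected size, so n/(k+1) real files are lost on average.
    With a single canary that is half the data, which is the figure the
    comment above arrives at; the fraction does not depend on n.
    """
    return 1.0 / (n_canaries + 1)


def canaries_needed(max_loss_fraction: float) -> int:
    """Smallest number of canaries keeping the expected loss at or below a bound."""
    if not 0.0 < max_loss_fraction <= 1.0:
        raise ValueError("bound must be in (0, 1]")
    # 1/(k+1) <= f  <=>  k >= 1/f - 1; the epsilon absorbs float rounding
    return max(0, math.ceil(1.0 / max_loss_fraction - 1 - 1e-9))


def simulate_loss_fraction(n_files: int, n_canaries: int,
                           trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of expected_loss_fraction on a constructed file set."""
    rng = random.Random(seed)
    items = ["real"] * n_files + ["canary"] * n_canaries
    lost = 0
    for _ in range(trials):
        rng.shuffle(items)
        # everything before the first canary is a real file that got encrypted
        lost += items.index("canary")
    return lost / (trials * n_files)


if __name__ == "__main__":
    for k in (1, 3, 9, 19):
        print(f"{k:2d} canaries: expect {expected_loss_fraction(k):.1%} lost, "
              f"simulated {simulate_loss_fraction(500, k, trials=2000):.1%}")
    print("canaries for <= 5% expected loss:", canaries_needed(0.05))
```

The takeaway is that detection by canaries only becomes useful at scale: under this model holding expected loss to 5% needs 19 canaries, and their placement across the directory tree matters more than their count.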

    4. Re:Honeypot ransomware by Hentes · · Score: 2

      As far as I know this specific virus only encrypts the MFT.

  9. Re:Blocking e-mail? by amicusNYCL · · Score: 2

    You're thinking that Germany passed a law saying that email providers are required to always provide users with free access to their account, even if that email account is used as part of a crime? For example, trading child pornography, trading copyrighted content, facilitating money laundering or extortion, etc? Why would any country pass a law like that? I can't think of a single country which WOULD have a law like that.

    But, don't let simple rational logic stop you from contacting the real "News Media" and asking them to investigate Germany over this. The world still needs humor.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  10. Rudyard Kipling by Stormy+Dragon · · Score: 5, Informative

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

  11. Re:Disturbing by Anonymous Coward · · Score: 2, Insightful

    From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."

    That statement by itself is disturbing enough as it is.

    Why is it disturbing? Do they expect the radiation levels around Chernobyl to go up?!

  12. Fake Ransomware by The+Raven · · Score: 2

    This is probably not a real ransomware attempt. It's either a test that got released into the wild, or it's a simple malicious virus that was released and is masquerading as ransomware. Because it was initially released via a Ukrainian government website that businesses there need to use, it seems possible that this is another attack on Ukraine by the Russian government.

    Most ransomware infections use a different wallet code for each victim; this one has just one. Most ransomware also takes communication via TOR so it can't be blocked; this one used a public email. The dichotomy between the competence of the infection and the incompetence of the ransomware portion is what gives the impression that this is not really ransomware.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.