Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com) 182

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."
  • The Nuclear Option (Score:5, Interesting)

    by trg83 ( 555416 ) on Tuesday June 27, 2017 @03:45PM (#54700675)
    While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

      • by Anonymous Coward on Tuesday June 27, 2017 @04:06PM (#54700839)

        Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".

        • How would the victim get the decryption key? Just curious.. I'm sure there is a way, but it doesn't seem obvious.

          • You could ask to pay 1.xxx BTC and then refund them 0.1xxxx or whatever arbitrary value you like.

            • That would be awesome, since the smallest BTC is 0.00000001, that only leaves 10 million possible decryption keys. Anyone could brute force a 24-bit key in minutes.

              • by guruevi ( 827432 )

                Then make it a series of transactions, you could even encode a checksum if you'd like.

                • So the victim is expected to make 10+ transactions of an exact amount in the specific order and hope the criminal responds by giving them back some money over 10+ transactions? The criminal would make more money if they didn't follow through with it.

                  Giving back even a 256 bit encryption key would require 78 digits of data. To do that in 10 transactions would cost on average 5BTC (all 8 decimal places filled with data, averaging 0.50000000 BTC each)
                  Over 20 transactions with 4 digits of data is 0.00005 * 20 =

              • by Dr. Evil ( 3501 )

                That's why you use Dogecoins instead. Then you get both sides of the decimal point.

          • Re: (Score:3, Insightful)

            by Dunbal ( 464142 ) *
            Prayer. And it will be just as effective as any other prayer. Why the hell should I give you anything back? You think I'm worried about my "business image" and brand? Honor among thieves? This generation is so naive.
            • Re: (Score:3, Informative)

              The malware creator will obviously be honorable because he has to prove that he will unlock the files of the other people who pay. The malware creator actually has more concern about his business image than most companies you deal with.

              Just because YOUR generation has no respect for integrity doesn't mean it isn't valuable.
              • by Dunbal ( 464142 ) *
                In your little fantasy world perhaps. In reality, ZERO files were unlocked by WannaCry authors, and ZERO files have been unlocked by Petya authors so far.
                • by Bert64 ( 520050 )

                  But we don't know how the Petya authors would respond upon receiving a ransom payment. Maybe they would unlock the files, but we won't be able to find out now.

                  It's actually in their interest to unlock files upon receipt of the ransom, as that will increase the chances of any future victims paying too. If files never get unlocked then users won't even consider payment.

                  • by Dunbal ( 464142 ) * on Tuesday June 27, 2017 @10:49PM (#54702627)
                    The more contact you have with your victim the more chances you have of being caught by law enforcement, silly. If I was a criminal I'd take a quick couple thousand bucks worth of bitcoin and disappear without a trace over trying to "score big" and having them catch me via my email correspondence sending out "keys". Hundreds of thousands/millions of dollars are no consolation when your ass is thrown in jail forever and all your assets seized before you can ever enjoy them.
                    • by AmiMoJo ( 196126 )

                      The risk/reward ratio is terrible. Unlike simpler ransomware that mostly affected home users and small businesses, this NSA powered variant is hitting hospitals, infrastructure, big businesses and governments. No matter how much money you make, it probably won't be of much use to you. You will need to launder it before you can use it, and you have law enforcement coming after you, the NSA probably wants their exploit back and is looking for you too...

                      You will end up either hiding and not being able to enjoy

                    • They're also hitting Russian infrastructure with this one. Speaking of the nuclear option, how about a sprinkle of polonium 210?

      • by barc0001 ( 173002 ) on Tuesday June 27, 2017 @04:25PM (#54700981)

        > You really think malware creators won't be able to find any email providers that are friendly to their cause?

        Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.

      • by Rei ( 128717 )

        Of course they can find a different email provider. But the version that's gone out and infected people - victims who presumably won't be infected twice - has used this email address, which is no longer valid.

        What I find interesting about this article is that they're using a commercial email service with a known account. While Posteo doesn't collect or store IP addresses, I would think that they could be subpoenaed to return future IP information for future attempts to log into the account. Also, if the acc

      • You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

        or just non-email options. I mean, it might be necessary, every barrier makes it harder to do, but it's easy enough to set up a masked chat service somewhere.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Fuck the lives of the arseholes who are encouraging and funding ransomware infections. The only true victims are the ones that don't pay. The ones that do pay are helping create more victims. This isn't a nuclear option, none of the innocent victims are hurt by this. In fact, because of this, the damage the arseholes cause will be mitigated, and the only people who suffer from this, are the arseholes.
    • by gweihir ( 88907 ) on Tuesday June 27, 2017 @04:18PM (#54700919)

      I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.

      • by AmiMoJo ( 196126 )

        I wonder if it creates legal liability for them though... Maybe someone who knows more about German law can comment, but in other places it might be possible to argue that some of the losses resulting from the ransomware were due to losing the ability to pay it.

    • by EvilSS ( 557649 )

      While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      But they still get paid. It will take time for people to find out they can't get their files back even if they pay. Many people will never know. You want nuclear option, find a way to seize their bitcoin wallets or block transactions to it.

      • by tlhIngan ( 30335 )

        It will take time for people to find out they can't get their files back even if they pay.

        That's the reason.

        Think about it for a second. Ransomware only works when the malware developers are honest. In fact, many will walk you through the process of getting bitcoins and how to fix your computer, because they know it takes just one f**k-up to hose the entire business model.

        All the user has is trust. Trust in that if they do these things, they'll get their data back. Once that trust is violated, it's game o

        • they'd post all over facebook about how they got ripped off and thus ending the problem once and for all.

          Are most people really going to tell everyone that they paid off a criminal organization? No, they're going to be ashamed of that (and perhaps worried that it's illegal) and pretend that part didn't happen.

    • this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option

      It's a nuclear option against a metaphorical cockroach. Blocking an email service will do nothing to stop people who are able to program malware like this. Any idiot can set up an email server. A slightly clever idiot can do so properly. These guys will not be stopped by the inability to use someone else's email service.

    • the fallout is likely to hurt many unintended targets,

      Yes, exclusively

      but it could end the war.

      It won't.

    • While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      WTF does the asshat at the other end of the malware care if the email account works or not? Most aren't going to find out that it's a dead email address until they've already paid. So asshat already has the money, what do they care about your files?

    • by bestweasel ( 773758 ) on Tuesday June 27, 2017 @04:58PM (#54701247)

      "eliminate the incentives for ransomware creators"

      This assumes that the ransom is their main incentive.

      • It's the only incentive for ransomware. If a malware author/distributor is motivated by other things, they write/distribute other kinds of malware.

        • by Bert64 ( 520050 )

          They might be motivated solely by a desire to cause chaos and destruction, and reusing existing ransomware code was easier than writing new code for wiping data. Or perhaps they derive a perverse pleasure not only from destroying people's data, but also from giving them false hope that it could ever be recovered.
          There was at least one ransomware family I read about which encrypted the data using a random key, and then completely discarded the key, making the data unrecoverable.

          There are plenty of evil and/or

    • by Bert64 ( 520050 )

      All it does is further punish those who want to retrieve their files (assuming the ransomware creator would actually honor the payment, of which there is no guarantee)...

      Future malware creators will just use a different email provider or some other method of communication, they won't be deterred from their activities in the slightest.

      • Anything that increases doubt in a victim's mind that a ransom would be successful decreases the expected value of a ransomware creator's haul, thus diminishing their incentive. It's not that the malware can't move to another domain or morph to use a strategy--my point is only that the ransomware business is based on the perception they will deliver what they offer, and any chink in that confidence is a net win.
  • Looks like hackers need to use email servers from companies that don't give a shit, or make their own.
    • by Megane ( 129182 )
      Or they could ask their victims to make random posts on /. and have the codes look like the Bayesian spammer with stuff like "goat.cx" and "frist post" in certain combinations. Then nobody will ever know what they're doing.
    • If the criminal ever tries to call support to unlock his account, I'm sure the authorities would track down the call and find his location. But he doesn't ever need to log into his email ever again. If he controls an upstream system, he could just inspect the traffic. Email is sent in clear text.
  • by Rosco P. Coltrane ( 209368 ) on Tuesday June 27, 2017 @03:50PM (#54700715)

    Leave the scammer's email addy active and be accused of being an accessory to racketeering?

    Tough shit for the ransomware victims, but they just had to do it.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.

  • by Anonymous Coward

    Stop paying fucking ransoms you fucks.

  • by El Cubano ( 631386 ) on Tuesday June 27, 2017 @03:54PM (#54700745)

    It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].

    • by DRJlaw ( 946416 )

      It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].

      So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so

      • So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.

        Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).

        However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities des

        • by DRJlaw ( 946416 )

          My reference to The Six Dumbest Ideas in Computer Security was an acknowledgment that educating users (like how to not get hit by phishing attacks in the first place) is an extreme uphill battle which is oftentimes lost. Just look at the frequency and extent of these sorts of attacks.

          I read the initial post as an "educating the non-customers by cutting off the proof-of-ransom communication channel was a dumb idea" criticism.

          My apologies.

      • Yes, but the customer is going to continue to extort them anyway, with or without your help: the malware isn't going to magically disable itself just because the email address is defunct. Now they're just going to send their Bitcoin payments and not get anything in return, and the malware author will receive all these nice Bitcoin payments but not be able to decrypt anyone's files, so it's actually less work for him. Of course, one might argue that when word spreads about the email address being suspended

        • by DRJlaw ( 946416 )

          Yes, but the customer is going to continue to extort them anyway, with or without your help.

          Accessory after the fact is still accessory to a crime. The fact that the customer needs you to be an accessory to mitigate their damage is going to get you --)(-- that much with a prosecutor with a mind to punish anyone they can reach.

          • Yes, but I'm commenting on the "continuing extortion" bit: the extortion isn't going to stop by you shutting down their email. The extortionist doesn't even have a way to stop it.

      • IF I were the email provider, I'd hire a lawyer and pay him/her to tell me what to do. Most likely, he/she will contact the authorities, outline the options, and let THEM decide what to do. No matter what they do, said email provider will almost certainly be sued by someone -- very likely lots of someones.

    • by Zocalo ( 252965 )
      Nope, that's the best part. Not only are the victims going to get schooled on the importance of good backups and security, but they are also going to get schooled on the importance of *not giving in to blackmail*. I'm hoping that the media will be full of stories of people who paid up and still didn't get their files back - sucks to be them, but it could well make subsequent attempts at ransomware not worth the risk for such a pitiful reward. How much did WannaCry yield in the end? A few $100k (assuming
    • If I had points I'd mod you through the roof. Great page!!

    • Backups? You mean those things that are infected too if the malware has been doing a good job of running for a couple of weeks? Let's not forget, 'good' ransomware is already working weeks before they show themselves, and in the meantime it will affect all files which are being backed up. You're lucky if you can detect that ransomware way before it shows its ugly head to you, but a lot of times it isn't. Great, now you have a backup... but it's useless. And in a lot of companies having to revert back to a

  • What systems are affected? Windows and...? What is the attack vector, do you have to click on a suspicious link or is it like Wannacry where you don't have to do anything to get infected, just have a machine connected to the internet?

    I did scan TFA briefly, but it is skimpy on details.

    • It uses the exact same exploit as WannaCry so you don't have to do anything besides not having a patched version of Windows.
      • So far, patches have beaten the latest, big ransomware out to end users. Eventually, however, a solution will beat the patch out the door - causing problems on a scale that will dwarf everything before it. It could bring the worldwide internet to its knees as people stop connecting at all because of FUD.

        When that day finally comes, it'll be best to have backups made of your important data in an external hard drive that's disconnected from everything and sitting somewhere safe - only to be connected and upda

  • Honeypot ransomware (Score:5, Interesting)

    by cowwoc2001 ( 976892 ) on Tuesday June 27, 2017 @04:32PM (#54701065)

    Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?

    • by mark-t ( 151149 )

      One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not. So what's the point of him being there? Better than nothing? I guess.. but probably only a lot more likely to just create a false sense of security.

        A healthy backup policy is the only real workable solution... and considering it is even automatable, I can't say I understand the resistance to practicing it.

        Although I've not been hit by ransomware, having an automated backup policy in place on my system has still saved my data on more than one occasion, whether it was due to disk drive failure or because of human error.

        Well, this first generation of ransomware relies on crypto libraries currently in the system; you can hook and tell the OS to snapshot the process's memory and possibly be able to get the prime numbers used to generate the keys that, while the attack is going on, are in memory, like the Quarkslab solution for XP systems works.

    • by Mal-2 ( 675116 )

      Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.

      • by swb ( 14022 )

        Wasn't that what Tripwire was all about?

        • by Bert64 ( 520050 )

          That's for OS files like executables, which should never change except during patching cycles.
          User files are expected to change, and users would become annoyed at the extra dialogs every time they saved (or autosaved) their work.

      • So now you want to have your OS to be checking files continuously? Or how is it supposed to detect such crypto attacks? Many important files - like documents - are supposed to change on a regular basis anyway...

    • Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?

      • by fgouget ( 925644 )

        Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?

        Two words: Halting problem [wikipedia.org].

    • by Hentes ( 2461350 )

      As far as I know this specific virus only encrypts the MFT.

    • Sophos supposedly has technology (Intercept X) that can heuristically determine when an encryption event is going down and should automatically block it. It works by looking for files being rapidly encrypted and immediately stops it, and I believe tries to roll back the changes so that less than 1% is actually encrypted.

      For us, the virus scanner has caught a few ransomware viruses before they made it that far, so we have yet to test that. But it's a well-advertised feature of their product line.

      https://www.so [sophos.com]
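The three detection ideas in this subthread (a canary file that should never change, a hash baseline over user files in the Tripwire style, and a "lots of files changing at once" heuristic of the kind attributed to Sophos above) can be tried against each other in a small simulation. The code below is an added example and is not code from the thread, from Posteo, from Sophos or from any product; the canary naming scheme, the 50% change threshold, the scratch-directory layout and the random-overwrite stand-in for encryption are all assumptions made for this example. It reproduces mark-t's objection directly: a canary that happens to sit late in the directory walk fires only after the earlier files are already gone, while the baseline fraction and the canary together catch a full sweep.

```python
"""Canary files vs. a hash baseline vs. a bulk-change threshold (constructed example)."""
import hashlib
import secrets
import tempfile
from pathlib import Path

# Assumed naming scheme for decoys. The "~" prefix sorts after ordinary names on
# purpose, to show what happens when a walker reaches the canaries last.
CANARY_PREFIX = "~$zz_canary_"
# Assumed heuristic: alert when at least half of the baselined files changed in one sweep.
HASH_CHANGE_THRESHOLD = 0.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path, count: int = 3) -> list[Path]:
    """Write a few decoy documents with random content; nothing legitimate should touch them."""
    canaries = []
    for i in range(count):
        p = root / f"{CANARY_PREFIX}{i}.docx"
        p.write_bytes(secrets.token_bytes(256))
        canaries.append(p)
    return canaries


def build_baseline(root: Path) -> dict[Path, str]:
    """Tripwire-style snapshot: path -> digest for every file under root."""
    return {p: sha256_file(p) for p in root.rglob("*") if p.is_file()}


def sweep(root: Path, baseline: dict[Path, str], canaries: list[Path]) -> dict:
    """One integrity pass: which canaries changed, and what fraction of all baselined files changed."""
    changed = [p for p, digest in baseline.items()
               if not p.exists() or sha256_file(p) != digest]
    canary_hits = [p for p in canaries if p in changed]
    fraction = len(changed) / len(baseline) if baseline else 0.0
    return {
        "changed": len(changed),
        "fraction_changed": fraction,
        "canary_hits": len(canary_hits),
        # Either signal is enough to raise an alert for manual or automated intervention.
        "alert": bool(canary_hits) or fraction >= HASH_CHANGE_THRESHOLD,
    }


def simulate_bulk_overwrite(root: Path, fraction: float) -> int:
    """Stand-in for an encryptor: overwrite the first `fraction` of files, in name order, with random bytes.

    Real encryptors keep the ciphertext; random bytes of the same length are enough to
    make every hash differ, which is all the detector looks at.
    """
    files = sorted(p for p in root.rglob("*") if p.is_file())
    n = int(len(files) * fraction)
    for p in files[:n]:
        p.write_bytes(secrets.token_bytes(p.stat().st_size or 1))
    return n


def demo(user_files: int = 20, overwrite_fraction: float = 0.3) -> dict:
    """Build a scratch tree, baseline it, damage part of it, and report what each signal saw."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(user_files):
            (root / f"report_{i:02d}.docx").write_bytes(b"quarterly numbers %d\n" % i)
        canaries = plant_canaries(root)
        baseline = build_baseline(root)
        simulate_bulk_overwrite(root, overwrite_fraction)
        return sweep(root, baseline, canaries)


if __name__ == "__main__":
    # Partial damage: the walk has not reached the canaries yet, and the change
    # fraction is below threshold, so nothing fires even though six files are gone.
    print("30% overwritten:", demo(user_files=20, overwrite_fraction=0.3))
    # Full sweep: canaries hit and the fraction is 1.0, so both signals alert.
    print("100% overwritten:", demo(user_files=20, overwrite_fraction=1.0))
```

The first run shows why a handful of decoys is a weak guarantee on its own: with 20 documents and 3 canaries, 30% damage means 6 documents are rewritten before any decoy is touched and the change fraction (6/23) stays under the threshold. Placing decoys at both ends of the sort order, and in every directory, narrows that gap, and combining the decoys with the per-sweep change fraction is what makes the second run fire regardless of where the encryptor started; none of it replaces an offline backup, which is the point several posters above make.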

  • Maybe the guy can publish his postal address, so people can mail their info to him.

  • Rudyard Kipling (Score:5, Informative)

    by Stormy Dragon ( 800799 ) on Tuesday June 27, 2017 @05:16PM (#54701361)

    It is always a temptation to an armed and agile nation
        To call upon a neighbour and to say: --
    "We invaded you last night--we are quite prepared to fight,
        Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
        And the people who ask it explain
    That you've only to pay 'em the Dane-geld
        And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,
        To puff and look important and to say: --
    "Though we know we should defeat you, we have not the time to meet you.
        We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;
        But we've proved it again and again,
    That if once you have paid him the Dane-geld
        You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
        For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
        You will find it better policy to say: --

    "We never pay any-one Dane-geld,
        No matter how trifling the cost;
    For the end of that game is oppression and shame,
        And the nation that pays it is lost!"

  • by The Raven ( 30575 ) on Wednesday June 28, 2017 @08:52AM (#54704365) Homepage

    This is probably not a real ransomware attempt. It's either a test that got released into the wild, or it's a simple malicious virus that was released and is masquerading as ransomware. Because it was initially released via a Ukrainian government website that businesses there need to use, it seems possible that this is another attack on Ukraine by the Russian government.

    Most ransomware infections use a different wallet code for each victim; this one has just one. Most ransomware also takes communication via TOR so it can't be blocked; this one used a public email. The dichotomy between the competence of the infection and the incompetence of the ransomware portion is what gives the impression that this is not really ransomware.
