Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com)
Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."
The Nuclear Option (Score:5, Interesting)
Re: (Score:2, Insightful)
You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.
Re:The Nuclear Option (Score:4, Insightful)
Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".
Re: (Score:2)
How would the victim get the decryption key? Just curious.. I'm sure there is a way, but it doesn't seem obvious.
Re: The Nuclear Option (Score:3)
You could ask to pay 1.xxx BTC and then refund them 0.1xxxx or whatever arbitrary value you like.
Re: (Score:2)
That would be awesome, since the smallest BTC is 0.00000001, that only leaves 10 million possible decryption keys. Anyone could brute force a 24-bit key in minutes.
Re: (Score:2)
Then make it a series of transactions, you could even encode a checksum if you'd like.
Re: (Score:2)
So the victim is expected to make 10+ transactions of an exact amount in the specific order and hope the criminal responds by giving them back some money over 10+ transactions? The criminal would make more money if they didn't follow through with it.
Giving back even a 256 bit encryption key would require 78 digits of data. To do that in 10 transactions would cost on average 5BTC (all 8 decimal places filled with data, averaging 0.50000000 BTC each)
Over 20 transactions with 4 digits of data is 0.00005 * 20 =
Re: (Score:2)
Re: The Nuclear Option (Score:4, Insightful)
Re: (Score:2)
That's why you use Dogecoins instead. Then you get both sides of the decimal point.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Just because YOUR generation has no respect for integrity doesn't mean it isn't valuable.
Re: (Score:2)
Re: (Score:2)
But we don't know how the Petya authors would respond upon receiving a ransom payment.. Maybe they would unlock the files but we won't be able to find out now.
It's actually in their interest to unlock files upon receipt of the ransom, as that will increase the chances of any future victims paying too. If files never get unlocked then users won't even consider payment.
Re:The Nuclear Option (Score:5, Insightful)
Re: (Score:2)
The risk/reward ratio is terrible. Unlike simpler ransomware that mostly affected home users and small businesses, this NSA-powered variant is hitting hospitals, infrastructure, big businesses and governments. No matter how much money you make, it probably won't be of much use to you. You will need to launder it before you can use it, and you have law enforcement coming after you, the NSA probably wants their exploit back and is looking for you too...
You will end up either hiding and not being able to enjoy
Re: (Score:2)
They're also hitting Russian infrastructure with this one. Speaking of the nuclear option, how about a sprinkle of polonium-210?
Re:The Nuclear Option (Score:5, Insightful)
> You really think malware creators won't be able to find any email providers that are friendly to their cause?
Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.
Re: (Score:2)
Of course they can find a different email provider. But the version that's gone out and infected people - victims who presumably won't be infected twice - has used this email address, which is no longer valid.
What I find interesting about this article is that they're using a commercial email service with a known account. While Posteo doesn't collect or store IP addresses, I would think that they could be subpoenaed to return future IP information for future attempts to log into the account. Also, if the acc
Re: (Score:2)
You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.
Or just non-email options. I mean, every barrier might be necessary since it makes it harder to do, but it's easy enough to set up a masked chat service somewhere.
Re: (Score:2, Insightful)
Re:The Nuclear Option (Score:5, Insightful)
I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.
Re: (Score:2)
I wonder if it creates legal liability for them though... Maybe someone who knows more about German law can comment, but in other places it might be possible to argue that some of the losses resulting from the ransomware were due to losing the ability to pay it.
Re: (Score:2)
While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.
But they still get paid. It will take time for people to find out they can't get their files back even if they pay. Many people will never know. You want nuclear option, find a way to seize their bitcoin wallets or block transactions to it.
Re: (Score:2)
That's the reason.
Think about it for a second. Ransomware only works when the malware developers are honest. In fact, many will walk you through the process of getting bitcoins and how to fix your computer, because they know it takes just one f**k-up to hose the entire business model.
All the user has is trust. Trust in that if they do these things, they'll get their data back. Once that trust is violated, it's game o
Re: (Score:3)
Are most people really going to tell everyone that they paid off a criminal organization? No, they're going to be ashamed of that (and perhaps worried that it's illegal) and pretend that part didn't happen.
Re: (Score:3)
Yes, they still got paid. And the victims that paid money and still lost all their files are the worst off of all. However when word gets around about what happened and it becomes common knowledge that people who pay ransomware still don't get their files back, people will know to stop paying. Of course there will be a few who pay up in the vain hope that it would work, but if the majority of people know that it's just throwing good money after bad, then the business model of these ransomware writers will fall over. (fingers crossed).
You mean like how word got out about ransomware being a thing and therefore everyone now makes sure they have solid offsite backup schemes in place now?
Re: (Score:2)
Assuming the backup server is correctly configured, and access to it cannot be obtained using credentials acquired from one of the servers being backed up...
If the ransomware can spread onto the backup server, then it can encrypt/destroy your backups too unless they're stored on media that has been physically disconnected from it. In most places I've seen, the backup server (if there was one at all) was joined to the same domain as everything else; once you compromise the domain you control the backups too.
Re: (Score:2)
Re: (Score:2)
More likely it's going the same way those prescription drug offers and Nigerian scams go: just more of them, as there are always new victims to be found.
Re: (Score:2)
this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option
It's a nuclear option against a metaphorical cockroach. Blocking an email service will do nothing to stop people who are able to program malware like this. Any idiot can set up an email server. A slightly clever idiot can do so properly. These guys will not be stopped by the inability to use someone else's email service.
Re: (Score:2)
the fallout is likely to hurt many unintended targets,
Yes, exclusively
but it could end the war.
It won't.
Re: (Score:2)
While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.
WTF does the asshat at the other end of the malware care if the email account works or not? Most aren't going to find out that it's a dead email address until they've already paid. So asshat already has the money, what do they care about your files?
Re: The Nuclear Option (Score:4, Insightful)
"eliminate the incentives for ransomware creators"
This assumes that the ransom is their main incentive.
Re: (Score:2)
It's the only incentive for ransomware. If a malware author/distributor is motivated by other things, they write/distribute other kinds of malware.
Re: (Score:2)
They might be motivated solely by a desire to cause chaos and destruction, and reusing existing ransomware code was easier than writing new code for wiping data. Or perhaps they derive a perverse pleasure not only from destroying people's data, but also from giving them false hope that it could ever be recovered.
There was at least one ransomware family I read about which encrypted the data using a random key, and then completely discarded the key, making the data unrecoverable.
There are plenty of evil and/or
Re: (Score:2)
All it does is further punish those who want to retrieve their files (assuming the ransomware creator would actually honor the payment, of which there is no guarantee)...
Future malware creators will just use a different email provider or some other method of communication, they won't be deterred from their activities in the slightest.
Re: The Nuclear Option (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I wonder if anyone has managed to make a violin shape by pushing some individual atoms around with an STM yet, because that's the only way there would be one small enough to properly express how little I care for their troubles.
No violins that I'm aware of yet but here's a really small harp [bbc.co.uk] for the swan song...
Re: The Nuclear Option (Score:4, Insightful)
The NSA is working against the American people in many cases
Re: (Score:2)
It hurts the ransomware creators by cutting off their ability to receive those payments. Makes it less profitable to do ransomware, and more risky for the money you did get. Look at it this way: If you set a forest on fire and burned a million acres, but got $250,000 to do it, the risk/reward/effort equations work out in your favor. But if the next time you burned another million acres you only got $6000 for it, you would probably decide that in light of the effort involved and the amount of heat from l
Re: (Score:2)
by cutting off their ability to receive those payments.
I guess you have no idea how a bitcoin wallet works.
Re: (Score:2)
Depends how big the ransom is...
Users may decide that the cost of paying the occasional ransom is easier/cheaper than the hassle and cost of making backups and improving their security practices.
Re: (Score:2)
It certainly hurts the next gen of ransomware if they know they won't be able to get their cash.
I thought though that they haven't actually paid the ransom until it was collected?
As for shadow copies - get a backup solution, Mozy, Crashplan, etc all have free options that will backup your "My Documents" folder and they all keep histories of files backed up.
Re: (Score:3)
The catch is, then you're either stuck paying monthly fees for several terabytes of cloud storage in perpetuity (and dealing with a multi-day, multi-terabyte upload for that first backup that effectively makes the computer and your internet connectivity unusable until it completes), or have to use local storage that itself is vulnerable to ransomware.
Yes, I'll admit it. I'm a data-hoarder (my laptop ALONE has a 1TB SSD and a 2TB hard drive, with an additional 6 1-3TB (mostly full) hard drives in the closet)
Re: (Score:2)
I have about 5TB of data backed up to the cloud (SpiderOak, fully encrypted on my end of course). Took a few months to get the initial upload done, and maintaining it is at most an overnight job now. I'm paying $120/year for unlimited storage, which admittedly was a special offer a few years back.
For commercial scale backups you would start by mailing some hard drives to the backup provider.
Cost wise, Google Coldline is $7.168/month/terabyte. If I'm reading it right, uploading data is free, you only pay if
Re: (Score:2)
I didn't say *I* had 9 storage units and a house. It was an analogy.
The metaphorical "storage units" are my USB 2.0 hard drives, and the tarballs ON those drives are kind of like "storage units in another city that can only be visited once in a while, for a limited amount of time". They're so slow (relative to the sheer number of files on them), and some of their contained archive files are so huge (one has more than a hundred sliced tarballs, each of which has about 2GB worth of files and a current size av
Well shit... (Score:2)
Re: (Score:3)
Re: (Score:2)
What was Posteo supposed to do? (Score:5, Interesting)
Leave the scammer's email addy active and be accused of being an accessory to racketeering?
Tough shit for the ransomware victims, but they just had to do it.
Re: (Score:2, Insightful)
Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.
Re:What was Posteo supposed to do? (Score:4, Interesting)
maybe they already have that information? What more could they learn by leaving the account active for longer?
Re: (Score:2)
Re: (Score:2)
No, what Posteo did is more like replacing illegal drugs (which *can* be harmful and/or deadly) with cyanide (which is always deadly).
Prior to Posteo's actions those victims had a chance (however slim) of recovering their data, now they have no chance due directly to the actions of Posteo.
Good. (Score:2)
Stop paying fucking ransoms you fucks.
It would be funny, except ... (Score:4, Insightful)
It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].
Re: (Score:2)
So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so
Re: (Score:3)
So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.
Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).
However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities des
Re: (Score:2)
I read the initial post as an "educating the non-customers by cutting off the proof-of-ransom communication channel was a dumb idea" criticism.
My apologies.
Re: (Score:2)
Yes, but the customer is going to continue to extort them anyway, with or without your help: the malware isn't going to magically disable itself just because the email address is defunct. Now they're just going to send their Bitcoin payments and not get anything in return, and the malware author will receive all these nice Bitcoin payments but not be able to decrypt anyone's files, so it's actually less work for him. Of course, one might argue that when word spreads about the email address being suspended
Re: (Score:2)
Accessory after the fact is still accessory to a crime. The fact that the customer needs you to be an accessory to mitigate their damage is going to get you --)(-- that much with a prosecutor with a mind to punish anyone they can reach.
Re: (Score:2)
Yes, but I'm commenting on the "continuing extortion" bit: the extortion isn't going to stop by you shutting down their email. The extortionist doesn't even have a way to stop it.
Re: (Score:2)
IF I were the email provider, I'd hire a lawyer and pay him/her to tell me what to do. Most likely, he/she will contact the authorities, outline the options, and let THEM decide what to do. No matter what they do, said email provider will almost certainly be sued by someone -- very likely lots of someones.
Re: (Score:3)
Re: (Score:2)
If I had points I'd mod you through the roof. Great page!!
Re: (Score:2)
Backups? You mean those things that are infected too if the malware has been doing a good job of running for a couple of weeks.. Let's not forget, 'good' ransomware is already working weeks before it shows itself, and in the meantime it will affect all files which are being backed up. You're lucky if you can detect that ransomware way before it shows its ugly head to you, but a lot of times it isn't.. Great, now you have a backup... but it's useless.. And in a lot of companies having to revert back to a
Re: (Score:2)
Re: (Score:2)
I didn't say I wasn't fine with it.... I only suggested how one might not find it funny that someone is unable to recover their lost data, even if they *DO* pay.
I don't abide paying the ransom for a second, but that doesn't mean I don't feel bad for the people that it happens to.
Clue me in about this malware please (Score:2)
What systems are affected? Windows and...? What is the attack vector, do you have to click on a suspicious link or is it like Wannacry where you don't have to do anything to get infected, just have a machine connected to the internet?
I did scan TFA briefly but it is skimpy on details.
Re: (Score:2)
Re: (Score:2)
So far, patches have beaten the latest, big ransomware out to end users. Eventually, however, a solution will beat the patch out the door - causing problems on a scale that will dwarf everything before it. It could bring the worldwide internet to its knees as people stop connecting at all because of FUD.
When that day finally comes, it'll be best to have backups made of your important data in an external hard drive that's disconnected from everything and sitting somewhere safe - only to be connected and upda
Honeypot ransomware (Score:5, Interesting)
Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?
Re: (Score:2)
One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not
Re: (Score:3, Interesting)
One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not. So what's the point of him being there? Better than nothing? I guess.. but probably only a lot more likely to just create a false sense of security.
A healthy backup policy is the only real workable solution... and considering it is even automatable, I can't say I understand the resistance to practicing it.
Although I've not been hit by ransomware, having an automated backup policy in place on my system has still saved my data on more than one occasion, whether it was due to disk drive failure or because of human error.
Well, this first generation of ransomware relies on crypto libraries currently in the system; you can hook them and tell the OS to snapshot the process memory and possibly get the prime numbers used to generate the keys, which are in memory while the attack is going on, like the Quarkslab solution for XP systems works.
Re: (Score:2)
Clever!
Re: (Score:3)
Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.
Re: (Score:3)
Wasn't that what Tripwire was all about?
Re: (Score:2)
That's for OS files like executables, which should never change except during patching cycles.
User files are expected to change, and users would become annoyed at the extra dialogs every time they saved (or autosaved) their work.
Re: (Score:2)
So now you want to have your OS to be checking files continuously? Or how is it supposed to detect such crypto attacks? Many important files - like documents - are supposed to change on a regular basis anyway...
Re: (Score:2)
Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?
Re: (Score:2)
Out of curiosity, why can't a computer ... you know, the things that mentally make 500 test moves in a second in a chess game ... predict the outcome of what a malicious file is about to do and apply the brakes?
Two words: Halting problem [wikipedia.org].
Re: (Score:3)
As far as I know this specific virus only encrypts the MFT.
Re: (Score:2)
Sophos supposedly has technology (Intercept X) that can heuristically determine when an encryption event is going down and should automatically block it. It works by looking for files being rapidly encrypted and immediately stops it, and I believe tries to roll back the changes so that less than 1% is actually encrypted.
For us, the virus scanner has caught a few ransomware viruses before they made it that far, so we have yet to test that. But it's a well-advertised feature of their product line.
https://www.so [sophos.com]
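The three host-side detection ideas raised in this thread (the "honeypot" canary file, the Tripwire-style hash baseline, and a heuristic for files being rewritten in bulk with high-entropy content) fit together in one small monitor. The following is an added example written for this page; it is not code from the thread, from Sophos, or from any product named here. The canary filename, the entropy and bulk thresholds, and the sample documents are all constructed for the demo, and the "attack" step merely overwrites files in a temporary directory with random bytes to stand in for ciphertext. It reports findings and blocks nothing.

```python
"""Added example: canary file + hash baseline + entropy/bulk-rewrite heuristic.
All paths, thresholds and sample data are constructed for this demo."""
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = ".canary-do-not-touch.txt"   # hypothetical canary filename
ENTROPY_THRESHOLD = 7.5                    # bits/byte; text is ~4-5, ciphertext ~8
BULK_THRESHOLD = 5                         # this many high-entropy rewrites -> alert


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Tripwire-style snapshot: path -> SHA-256 of every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            baseline[p] = sha256_file(p)
    return baseline


def plant_canary(root: str) -> str:
    """Honeypot file: no legitimate program should ever rewrite or remove it."""
    p = os.path.join(root, CANARY_NAME)
    with open(p, "wb") as f:
        f.write(b"canary file - ransomware tripwire (constructed)\n")
    return p


def scan(root: str, baseline: dict, canary_path: str) -> dict:
    """Compare the tree against the baseline and return findings (no blocking)."""
    findings = {"canary_modified": False, "changed": [], "high_entropy": []}
    # A deleted canary is as suspicious as a rewritten one.
    if not os.path.exists(canary_path):
        findings["canary_modified"] = True
    for p, digest in build_baseline(root).items():
        if baseline.get(p) == digest:
            continue                       # unchanged since the baseline
        findings["changed"].append(p)      # new or rewritten file
        if p == canary_path:
            findings["canary_modified"] = True
        with open(p, "rb") as f:
            if shannon_entropy(f.read()) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(p)
    # Many files rewritten to near-random content at once looks like encryption.
    findings["bulk_encryption_suspected"] = (
        len(findings["high_entropy"]) >= BULK_THRESHOLD
    )
    return findings


def demo():
    """Returns (findings after a benign edit, findings after a simulated bulk rewrite)."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(8):                 # constructed sample documents
            with open(os.path.join(root, f"doc{i}.txt"), "w") as f:
                f.write("quarterly report, constructed sample text\n" * 50)
        canary = plant_canary(root)
        baseline = build_baseline(root)
        # Legitimate work: one document grows, content stays low-entropy.
        with open(os.path.join(root, "doc0.txt"), "a") as f:
            f.write("one more line\n")
        benign = scan(root, baseline, canary)
        # Simulated bulk encryption: every file (canary included) is
        # overwritten with random bytes standing in for ciphertext.
        for name in os.listdir(root):
            with open(os.path.join(root, name), "wb") as f:
                f.write(os.urandom(2048))
        attack = scan(root, baseline, canary)
        return benign, attack


if __name__ == "__main__":
    benign, attack = demo()
    print("benign edit:", benign["changed"], benign["bulk_encryption_suspected"])
    print("bulk rewrite:", attack["canary_modified"], attack["bulk_encryption_suspected"])
```

The baseline comparison flags every changed file, which is exactly the noise the thread objects to for user documents; the entropy threshold and the bulk count are what separate an autosave from a mass rewrite, and the canary gives a signal that needs no threshold at all. In a real deployment the scan would be driven by filesystem change notifications rather than a full re-hash, and the thresholds would be tuned against the file types actually present.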
Alternative solution. (Score:2)
Maybe the guy can publish his postal address, so people can mail their info to him.
Rudyard Kipling (Score:5, Informative)
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
Fake Ransomware (Score:3)
This is probably not a real ransomware attempt. It's either a test that got released into the wild, or it's a simple malicious virus that was released and is masquerading as ransomware. Because it was initially released via a Ukrainian government website that businesses there need to use, it seems possible that this is another attack on Ukraine by the Russian government.
Most ransomware infections use a different wallet code for each victim; this one has just one. Most ransomware also takes communication via Tor so it can't be blocked; this one used a public email. The dichotomy between the competence of the infection and the incompetence of the ransomware portion is what gives the impression that this is not really ransomware.
Re: (Score:2, Insightful)
It's a private company. They set the terms of service and decide who can and can not use their products/services and for what purposes. I wouldn't be surprised if there was clause in the TOS stating that the service can be terminated for any reason and without notice.
Re: (Score:2)
I don't think so. Deleting email may be illegal, but if they keep all the mail and offer the account-owner a chance to get it by identifying himself, this is legally quite above board. It is also very likely that the account owner is violating the TOS of Posteo.
Re: (Score:3)
You're thinking that Germany passed a law saying that email providers are required to always provide users with free access to their account, even if that email account is used as part of a crime? For example, trading child pornography, trading copyrighted content, facilitating money laundering or extortion, etc? Why would any country pass a law like that? I can't think of a single country which WOULD have a law like that.
But, don't let simple rational logic stop you from contacting the real "News Media"
Re: (Score:2)
Privacy is constitutionally protected.
What, you mean in the United States, by the United States Constitution, which wouldn't apply to Germany anyway? Are you talking about the fourth amendment? Because, and I'm not a lawyer or anything, but I bet that if a ransomware campaign publishes an email address to use to send extortion payment info, I'm pretty sure that investigation of that email account would not be classified as "unreasonable search". That search sounds pretty reasonable to me. In fact, deciding to deactivate access to this accou
Re: (Score:2)
Maybe they're referring to The Basic Law for the Federal Republic of Germany
They probably have no idea what is in that law, but you know, 'Merica
Re: (Score:2)
Re: (Score:2, Insightful)
From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."
That statement by itself is disturbing enough as it is.
Why is it disturbing? Do they expect the radiation levels around Chernobyl to go up?!
Re: Disturbing (Score:4, Funny)
Windows would be a lot less popular if we just banned glass and other transparent materials.
Re: (Score:2)
Because Windows is less modular than other systems that would be more suitable to tasks like this.
You want a tiny embedded system with the smallest possible attack surface, not a large general purpose system like Windows with stacks of legacy cruft and features which are totally irrelevant to the task at hand. The less code you have, the less chance of security holes being found. Sure nothing is perfect, but a system which is 10% of the size is going to be far safer.
The other issue is monoculture, if everyo
Re: (Score:2)
1, if the NSA doesn't hoard vulnerabilities, then vulnerabilities will still be hoarded by foreign intelligence agencies and criminals. The NSA will be at a disadvantage and the world will be no better off.
3, how would you implement "direct user intervention" as a requirement? Unless enforced at the hardware level, ransomware would just need to execute the same instructions that the user-driven deletion confirmation does. Also a lot of software creates and destroys temporary files during its normal operation,