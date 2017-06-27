Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com) 82
Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away.
The Nuclear Option (Score:5, Interesting)
Re: (Score:1)
You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.
Re: (Score:2, Insightful)
Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".
Re: (Score:2)
> You really think malware creators won't be able to find any email providers that are friendly to their cause?
Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.
Re: (Score:2)
Of course they can find a different email provider. But the version that's gone out and infected people - victims who presumably won't be infected twice - has used this email address, which is no longer valid.
What I find interesting about this article is that they're using a commercial email service with a known account. While Posteo doesn't collect or store IP addresses, I would think that they could be subpoenaed to return future IP information for future attempts to log into the account. Also, if the acc
Re: (Score:2)
You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.
Or just non-email options. I mean, it might be necessary; every barrier makes it harder to do, but it's easy enough to set up a masked chat service somewhere.
Re: The Nuclear Option (Score:1)
How does it hurt the ransomware creators? When you pay the ransom, you're placing your trust in criminals to give you the decryption key after they have your money. I suppose your argument is that when people don't receive the decryption key, it will lead to people not paying the ransom. However, short of reading news reports about this, people won't discover the email address has been taken down until after they've already paid the ransom. One issue here is that the NSA needs to be held accountable for hoa
Re: (Score:2)
The NSA is working against the American people in many cases
Re: (Score:2)
It hurts the ransomware creators by cutting off their ability to receive those payments. Makes it less profitable to do ransomware, and more risky for the money you did get. Look at it this way: If you set a forest on fire and burned a million acres, but got $250,000 to do it, the risk/reward/effort equations work out in your favor. But if the next time you burned another million acres you only got $6000 for it, you would probably decide that in light of the effort involved and the amount of heat from l
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I wonder if anyone has managed to make a violin shape by pushing some individual atoms around with an STM yet, because that's the only way there would be one small enough to properly express how little I care for their troubles.
No violins that I'm aware of yet but here's a really small harp [bbc.co.uk] for the swan song...
Re: (Score:2, Insightful)
Re: (Score:2)
I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.
Re: (Score:2)
While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.
But they still get paid. It will take time for people to find out they can't get their files back even if they pay. Many people will never know. You want nuclear option, find a way to seize their bitcoin wallets or block transactions to it.
Re: (Score:2)
Yes, they still got paid. And the victims that paid money and still lost all their files are the worst off of all. However when word gets around about what happened and it becomes common knowledge that people who pay ransomware still don't get their files back, people will know to stop paying. Of course there will be a few who pay up in the vain hope that it would work, but if the majority of people know that it's just throwing good money after bad, then the business model of these ransomware writers will fall over. (fingers crossed).
You mean like how word got out about ransomware being a thing and therefore everyone now makes sure they have solid offsite backup schemes in place now?
Re: (Score:2)
That's the reason.
Think about it for a second. Ransomware only works when the malware developers are honest. In fact, many will walk you through the process of getting bitcoins and how to fix your computer, because they know it takes just one f**k-up to hose the entire business model.
All the user has is trust. Trust in that if they do these things, they'll get their data back. Once that trust is violated, it's game o
Re: (Score:2)
this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option
It's a nuclear option against a metaphorical cockroach. Blocking an email service will do nothing to stop people who are able to program malware like this. Any idiot can set up an email server. A slightly clever idiot can do so properly. These guys will not be stopped by the inability to use someone else's email service.
Re: (Score:2)
the fallout is likely to hurt many unintended targets,
Yes, exclusively
but it could end the war.
It won't.
Re: (Score:2)
While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.
WTF does the asshat at the other end of the malware care if the email account works or not? Most aren't going to find out that it's a dead email address until they've already paid. So asshat already has the money, what do they care about your files?
Re: The Nuclear Option (Score:1)
"eliminate the incentives for ransomware creators"
This assumes that the ransom is their main incentive.
Re:The Nuclear Option * 100% agree (Score:1)
Re: (Score:2)
I don't think so. Deleting email may be illegal, but if they keep all the mail and offer the account-owner a chance to get it by identifying himself, this is legally quite above board. It is also very likely that the account owner is violating the TOS of Posteo.
Re: (Score:2)
Privacy is constitutionally protected.
What, you mean in the United States, by the United States Constitution, which wouldn't apply to Germany anyway? Are you talking about the fourth amendment? Because, and I'm not a lawyer or anything, but I bet that if a ransomware campaign publishes an email address to use to send extortion payment info, I'm pretty sure that investigation of that email account would not be classified as "unreasonable search". That search sounds pretty reasonable to me. In fact, deciding to deactivate access to this accou
Re: (Score:2)
You're thinking that Germany passed a law saying that email providers are required to always provide users with free access to their account, even if that email account is used as part of a crime? For example, trading child pornography, trading copyrighted content, facilitating money laundering or extortion, etc? Why would any country pass a law like that? I can't think of a single country which WOULD have a law like that.
But, don't let simple rational logic stop you from contacting the real "News Media"
Well shit... (Score:2)
Re: (Score:2)
Instead of doing that... (Score:1)
They could've just cooperated with the authorities to unmask the scumbag.
It just takes a moment of inattention on his part to not use a VPN/Tor/whatever else that masks his IP.
Disturbing (Score:1)
From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."
That statement by itself is disturbing enough as it is.
Re: (Score:2)
Windows would be a lot less popular if we just banned glass and other transparent materials.
Re: (Score:2)
And this would help how? Every OS has security holes.
Every. Single. One.
Without exception.
Why? Because no matter how clever we are, these are all created by fallible humanity, and there is some way to circumvent, interrupt, override, overpower, or simply break it (even if it's just with a well aimed rock).
Windows was the biggest and the most installed, and thus it had the most people attacking it and finding flaws, holes, and weak points of every kind. If all the Windows OS systems were scrapped today, the
What was Posteo supposed to do? (Score:5, Interesting)
Leave the scammer's email addy active and be accused of being an accessory to racketeering?
Tough shit for the ransomware victims, but they just had to do it.
Re: (Score:1)
Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.
Re: (Score:2)
maybe they already have that information? What more could they learn by leaving the account active for longer?
Good. (Score:2)
Stop paying fucking ransoms you fucks.
It would be funny, except ... (Score:2, Insightful)
It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].
Re: (Score:2)
Re: (Score:2)
So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so
Re: (Score:2)
So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.
Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).
However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities des
Re: (Score:2)
I read the initial post as a "educating the non-customers by cutting off the proof-of-ransom communication channel was a dumb idea" criticism.
My apologies.
Re: (Score:2)
Yes, but the customer is going to continue to extort them anyway, with or without your help: the malware isn't going to magically disable itself just because the email address is defunct. Now they're just going to send their Bitcoin payments and not get anything in return, and the malware author will receive all these nice Bitcoin payments but not be able to decrypt anyone's files, so it's actually less work for him. Of course, one might argue that when word spreads about the email address being suspended
Re: (Score:2)
Accessory after the fact is still accessory to a crime. The fact that the customer needs you to be an accessory to mitigate their damage is going to get you --)(-- that much with a prosecutor with a mind to punish anyone they can reach.
Re: (Score:2)
Clue me in about this malware please (Score:2)
What systems are affected? Windows and...? What is the attack vector, do you have to click on a suspicious link or is it like Wannacry where you don't have to do anything to get infected, just have a machine connected to the internet?
I did scan TFA briefly, but it is skimpy on details.
Re: (Score:2)
Honeypot ransomware (Score:3, Interesting)
Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?
Re: (Score:2)
One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not
Re: (Score:2)
Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.
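An added example, not code from the thread or from any anti-virus product, that puts the two ideas in this subthread together: the canary-file proposal from the top of the thread and the hash-baseline approach from this reply. It addresses the objection that one randomly placed decoy is unlikely to be hit early by dropping one decoy in every directory, named so that it sorts before the real files a directory walker would reach, and it also flags the case where no decoy was touched but an unusual fraction of the baselined files changed. The sample tree, the `0000_` prefix, the 25% threshold and the stand-in encryptor are all constructed for the example; a real endpoint product would do this inline in a filesystem filter driver rather than by re-hashing the tree on a schedule.

```python
"""Canary files plus a hash baseline to flag mass file modification."""
import hashlib
import random
import string
import tempfile
from pathlib import Path

# Hypothetical choices for this example, not any product's defaults:
CANARY_PREFIX = "0000_"    # digits sort before letters, so a directory walker meets the decoy first
CHANGE_THRESHOLD = 0.25    # alert when more than a quarter of baselined files have changed


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not go into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def plant_canaries(root: Path, rng: random.Random) -> dict:
    """Drop one decoy file with random contents in root and in every subdirectory.

    Returns relative path -> digest for the decoys so scan() can watch them.
    """
    canaries = {}
    for d in [root] + [d for d in root.rglob("*") if d.is_dir()]:
        name = CANARY_PREFIX + "".join(rng.choices(string.ascii_lowercase, k=8)) + ".docx"
        p = d / name
        p.write_bytes(rng.randbytes(4096))
        canaries[str(p.relative_to(root))] = file_digest(p)
    return canaries


def scan(root: Path, baseline: dict, canaries: dict) -> dict:
    """Re-hash the tree and compare against the baseline and the decoys.

    A decoy that is modified, renamed or deleted is a hit on its own; bulk
    change is the fraction of baselined files whose digest differs or that no
    longer exist under their original name.
    """
    current = build_baseline(root)
    canary_hits = sorted(rel for rel, d in canaries.items() if current.get(rel) != d)
    changed = sorted(rel for rel, d in baseline.items() if current.get(rel) != d)
    fraction = len(changed) / len(baseline) if baseline else 0.0
    return {
        "canary_hits": canary_hits,
        "changed": changed,
        "changed_fraction": fraction,
        "suspect": bool(canary_hits) or fraction > CHANGE_THRESHOLD,
    }


def simulate_encryptor(root: Path, rng: random.Random, limit=None) -> int:
    """Constructed stand-in for a bulk encryptor (no real crypto): overwrite
    files in directory order and rename them with a .locked extension."""
    files = sorted((p for p in root.rglob("*") if p.is_file() and p.suffix != ".locked"), key=str)
    if limit is not None:
        files = files[:limit]
    for p in files:
        p.write_bytes(rng.randbytes(64))
        p.rename(p.with_name(p.name + ".locked"))
    return len(files)


def demo() -> tuple:
    """Run the check on a constructed sample tree; returns (clean, early, full) scan results."""
    rng = random.Random(1234)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(20):                      # constructed sample documents
            sub = root / f"proj{i % 4}"
            sub.mkdir(exist_ok=True)
            (sub / f"report{i}.txt").write_text(f"quarterly figures {i}\n")
        canaries = plant_canaries(root, rng)     # 5 decoys: root plus proj0..proj3
        baseline = build_baseline(root)          # 25 files including the decoys
        clean = scan(root, baseline, canaries)
        simulate_encryptor(root, rng, limit=2)   # the walker has touched only two files so far
        early = scan(root, baseline, canaries)   # ... but both were decoys, so it trips anyway
        simulate_encryptor(root, rng)            # now everything else
        full = scan(root, baseline, canaries)
    return clean, early, full


if __name__ == "__main__":
    for label, result in zip(("clean", "early", "full"), demo()):
        print(f"{label}: suspect={result['suspect']} canary_hits={len(result['canary_hits'])} "
              f"changed={result['changed_fraction']:.0%}")
```

The "early" scan is the point of the decoys: only two files out of 25 have changed, well under the bulk threshold, but both are canaries, so the alert fires before any real document is lost. The hash baseline catches the slower or smarter case where an encryptor skips obvious decoys; its cost is that every legitimate bulk operation (a large checkout, a backup restore) looks the same, so in practice the threshold has to be tuned per host and the response should be to suspend the writing process, not just to log.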
Alternative solution. (Score:2)
Maybe the guy can publish his postal address, so people can mail their info to him.