Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com) 82

Posted by msmash from the interesting-turns dept.
Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away."


  • The Nuclear Option (Score:5, Interesting)

    by trg83 ( 555416 ) on Tuesday June 27, 2017 @04:45PM (#54700675)
    While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

    • Re: (Score:1)

      by Anonymous Coward

      You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Why do the bad guys need email in the first place? Just ask for 0.10xxxxxx BTC where xxxxxx is the "infection key".

      • > You really think malware creators won't be able to find any email providers that are friendly to their cause?

        Other agencies could make that a dangerous game for the email provider. Revoking their domain or just shitcanning routes to their IP ranges if they're "involved" in malware commerce would make others extremely reluctant to play along.

      • Re: (Score:2)

        by Rei ( 128717 )

        Of course they can find a different email provider. But the version that's gone out and infected people - victims who presumably won't be infected twice - has used this email address, which is no longer valid.

        What I find interesting about this article is that they're using a commercial email service with a known account. While Posteo doesn't collect or store IP addresses, I would think that they could be subpoenaed to return future IP information for future attempts to log into the account. Also, if the acc

      • You really think malware creators won't be able to find any email providers that are friendly to their cause? There's no way they're going to give up the potential tens or hundreds of thousands of dollars because they'd have to pay $100 for a "bulletproof" email address.

        or just non-email options. I mean it might be necessary, every barrier makes it harder to do, but it's easy enough to set up a masked chat service somewhere.

    • Re: The Nuclear Option (Score:1)

      by Anonymous Coward

      How does it hurt the ransomware creators? When you pay the ransom, you're placing your trust in criminals to give you the decryption key after they have your money. I suppose your argument is that when people don't receive the decryption key, it will lead to people not paying the ransom. However, short of reading news reports about this, people won't discover the email address has been taken down until after they've already paid the ransom. One issue here is that the NSA needs to be held accountable for hoa

      • The NSA is working against the American people in many cases

        ..and against the world in the rest of the cases.

      • It hurts the ransomware creators by cutting off their ability to receive those payments. Makes it less profitable to do ransomware, and more risky for the money you did get. Look at it this way: If you set a forest on fire and burned a million acres, but got $250,000 to do it, the risk/reward/effort equations work out in your favor. But if the next time you burned another million acres you only got $6000 for it, you would probably decide that in light of the effort involved and the amount of heat from l

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Fuck the lives of the arseholes who are encouraging and funding ransomware infections. The only true victims are the ones that don't pay. The ones that do pay are helping create more victims. This isn't a nuclear option, none of the innocent victims are hurt by this. In fact, because of this, the damage the arseholes cause will be mitigated, and the only people who suffer from this, are the arseholes.

    • Re: (Score:2)

      by gweihir ( 88907 )

      I agree on both counts. The problem is that if you let a criminal business model thrive, then things will get far worse. Hence what Posteo did is the only sane thing possible. It will also send a pretty clear message to those affected that a major part of the problem is with them and their bad security and non-existent backups.

    • Re: (Score:2)

      by EvilSS ( 557649 )

      While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      But they still get paid. It will take time for people to find out they can't get their files back even if they pay. Many people will never know. You want nuclear option, find a way to seize their bitcoin wallets or block transactions to it.

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        It will take time for people to find out they can't get their files back even if they pay.

        That's the reason.

        Think about it for a second. Ransomware only works when the malware developers are honest. In fact, many will walk you through the process of getting bitcoins and how to fix your computer, because they know it takes just one f**k-up to hose the entire business model.

        All the user has is trust. Trust in that if they do these things, they'll get their data back. Once that trust is violated, it's game o

    • this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option

      It's a nuclear option against a metaphorical cockroach. Blocking an email service will do nothing to stop people who are able to program malware like this. Any idiot can set up an email server. A slightly clever idiot can do so properly. These guys will not be stopped by the inability to use someone else's email service.

    • the fallout is likely to hurt many unintended targets,

      Yes, exclusively

      but it could end the war.

      It won't.

    • While this doesn't do anything to improve life for the poor folks trying to retrieve their files, this type of aggressive approach may be required to eliminate the incentives for ransomware creators. It's truly the nuclear option, as the fallout is likely to hurt many unintended targets, but it could end the war.

      WTF does the asshat at the other end of the malware care if the email account works or not? Most aren't going to find out that it's a dead email address until they've already paid. So asshat already has the money, what do they care about your files?

    • "eliminate the incentives for ransomware creators"

      This assumes that the ransom is their main incentive.

    • Hard on the victims that paid. Perhaps the word should be out that criminals won't necessarily give you anything for your bitcoins. About time someone had nerves. Thanx.
  • Looks like hackers need to use email servers from companies that don't give a shit, or make their own.

    • Re: (Score:2)

      by Megane ( 129182 )
      Or they could ask their victims to make random posts on /. and have the codes look like the Bayesian spammer with stuff like "goat.cx" and "frist post" in certain combinations. Then nobody will ever know what they're doing.

  • Instead of doing that... (Score:1)

    by Anonymous Coward

    They could've just cooperated with the authorities to unmask the scumbag.
    It just takes a moment of inattention on his part to not use a VPN/Tor/whatever else that masks his IP.

  • Disturbing (Score:1)

    by Anonymous Coward

    From the article: "The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down."

    That statement by itself is disturbing enough as it is.

  • What was Posteo supposed to do? (Score:5, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Tuesday June 27, 2017 @04:50PM (#54700715)

    Leave the scammer's email addy active and be accused of being an accessory to racketeering?

    Tough shit for the ransomware victims, but they just had to do it.

    • Re: (Score:1)

      by Anonymous Coward

      Um, leave the email account open, contact the authorities and keep your mouth shut. They could have gathered valuable intelligence on this operation. Maybe the bad guys would have even screwed up somewhere while accessing the account. Now that opportunity has been pissed in the wind.

      • Maybe they already have that information? What more could they learn by leaving the account active for longer?

  • Good. (Score:2)

    by Anonymous Coward

    Stop paying fucking ransoms you fucks.

  • It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].

    • Re: (Score:2)

      by DRJlaw ( 946416 )

      It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security [ranum.com].

      So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so

      • So if I were the email provider, you're saying that I owe it to non-customers to continue to serve a customer violating my TOS and bringing my services into disrepute so that the customer may continue to extort them.

        Ummm, no. I said nothing of the sort. To more clearly state what I have already said: ordinarily something like this would be funny (criminal losing access to a key piece of their criminal enterprise, thereby harming the future viability of said enterprise).

        However, the collateral damage makes it more lamentable. Innocent victims now may be harmed three ways (1. infected, 2. paid ransom, 3. still didn't get files back). Posteo did the right thing and criminals who engage in these sorts of activities des

        • Re: (Score:2)

          by DRJlaw ( 946416 )

          My reference to The Six Dumbest Ideas in Computer Security was an acknowledgment that educating users (like how to not get hit by phishing attacks in the first place) is an extreme uphill battle which is oftentimes lost. Just look at the frequency and extent of these sorts of attacks.

          I read the initial post as an "educating the non-customers by cutting off the proof-of-ransom communication channel was a dumb idea" criticism.

          My apologies.

      • Yes, but the customer is going to continue to extort them anyway, with or without your help: the malware isn't going to magically disable itself just because the email address is defunct. Now they're just going to send their Bitcoin payments and not get anything in return, and the malware author will receive all these nice Bitcoin payments but not be able to decrypt anyone's files, so it's actually less work for him. Of course, one might argue that when word spreads about the email address being suspended

        • Re: (Score:2)

          by DRJlaw ( 946416 )

          Yes, but the customer is going to continue to extort them anyway, with or without your help.

          Accessory after the fact is still accessory to a crime. The fact that the customer needs you to be an accessory to mitigate their damage is going to get you --)(-- that much with a prosecutor with a mind to punish anyone they can reach.

    • Re: (Score:2)

      by Zocalo ( 252965 )
      Nope, that's the best part. Not only are the victims going to get schooled on the importance of good backups and security, but they are also going to get schooled on the importance of *not giving in to blackmail*. I'm hoping that the media will be full of stories of people who paid up and still didn't get their files back - sucks to be them, but it could well make subsequent attempts at ransomware not worth the risk for such a pitiful reward. How much did WannaCry yield in the end? A few $100k (assuming

  • What systems are affected? Windows and...? What is the attack vector, do you have to click on a suspicious link or is it like Wannacry where you don't have to do anything to get infected, just have a machine connected to the internet?

    I did scan TFA briefly, but it is skimpy on details.

    • It uses the exact same exploit as WannaCry so you don't have to do anything besides not having a patched version of Windows.

  • Honeypot ransomware (Score:3, Interesting)

    by cowwoc2001 ( 976892 ) on Tuesday June 27, 2017 @05:32PM (#54701065)

    Out of curiosity, why don't anti-viruses create a random file on disk and flag any process that modifies it as a suspected ransomware (for manual or automated intervention)?

    • Re: (Score:2)

      by mark-t ( 151149 )

      One file, randomly placed on a disk, is not statistically likely to serve as any sort of honeypot before other significant damage has occurred. On average, I suppose you could argue that it would mitigate the damages to roughly half... but that's an overall average. It would be virtually equal to useless just as often as it might save a good percentage of your data. It's like having a life guard on duty at a beach who *might* bother to swim out to save you if you need help, but then again, he might not

    • Re: (Score:2)

      by Mal-2 ( 675116 )

      Better, make hashes of all or most of the files on the disk, and if the hashes start not matching you know you have a problem.
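A defender-side sketch of the two ideas in this subthread (cowwoc2001's decoy file and Mal-2's hashing of every file), as an added example that is not from the original thread or from any antivirus product: it plants decoy files under an assumed `.canary-` name prefix, records a SHA-256 baseline of the tree, and on rescan flags both a touched decoy and a mass-change ratio (assumed 20% threshold). The sample tree is constructed in a temporary directory and the "attacker" step is just overwriting files there.

```python
from __future__ import annotations
import hashlib
import secrets
import tempfile
from pathlib import Path

CANARY_PREFIX = ".canary-"   # assumed naming convention for decoy files


def plant_canaries(root: Path, count: int = 3) -> list[Path]:
    """Drop `count` decoy files with random names and contents across the tree."""
    dirs = [root] + [p for p in root.rglob("*") if p.is_dir()]
    planted = []
    for i in range(count):
        p = dirs[i % len(dirs)] / (CANARY_PREFIX + secrets.token_hex(4))
        p.write_bytes(secrets.token_bytes(256))
        planted.append(p)
    return planted


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[Path, str]:
    """Hash every regular file under root (Mal-2's idea)."""
    return {p: sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, base: dict[Path, str], threshold: float = 0.2) -> dict:
    """Rescan against the baseline: a touched canary or too many changed files is an alert."""
    changed = [p for p, d in base.items() if p.exists() and sha256_of(p) != d]
    missing = [p for p in base if not p.exists()]
    touched = changed + missing
    ratio = len(touched) / len(base) if base else 0.0
    return {"changed": changed, "missing": missing, "ratio": ratio,
            "canary_hit": any(p.name.startswith(CANARY_PREFIX) for p in touched),
            "mass_change": ratio >= threshold}


def demo() -> dict:
    """Constructed sample: 8 documents plus 2 canaries; 6 files get overwritten."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    for i in range(8):
        (root / "docs" / f"report{i}.txt").write_text(f"quarterly report {i}\n")
    canaries = plant_canaries(root, count=2)
    base = baseline(root)
    victims = [canaries[0]] + [root / "docs" / f"report{i}.txt" for i in range(5)]
    for p in victims:                      # stand-in for an encryptor's writes
        p.write_bytes(secrets.token_bytes(64))
    return scan(root, base)
```

mark-t's objection still applies: one decoy catches nothing until it is reached, which is why the scan also reports the overall changed fraction.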

  • Maybe the guy can publish his postal address, so people can mail their info to him.
