NotPetya/PetyaWrap victims find they can't decrypt their files after email provider shuts...

midian182

Staff member

The emergence of a worldwide ransomware attack so soon after WannaCry is bad enough, but what's making matters worse is the fact that the victims can’t contact whoever’s responsible for NotPetya/PetyaWrap to decrypt their files. The reason: an email provider has closed the hacker's account.

The malware, which has already infected around 300,000 computers across the world, comes with a ransom note demanding $300 in Bitcoin to restore encrypted files.

To determine which victims have paid, the note asks them to email their Bitcoin wallet ID and a “personal installation key,” a unique 60-character code generated by the malware that lets the hacker know which decryption keys to issue.

But German email service Posteo has now blocked the hacker’s email address, meaning it can no longer receive messages and the owner is unable to access it.

"Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo wrote in a blog post. "Our anti-abuse team checked this immediately – and blocked the account straight away. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases."

At last count, there had been 29 payments totaling $7497 sent to the Bitcoin address. With no apparent means of contacting the hackers, there now seems to be no point in paying the ransom.

Posteo has been criticized for closing the email account. But in an email to Motherboard, it said there was no guarantee the hacker ever intended to decrypt the affected files. "Please make no speculations about how high the chances are to decrypt files locked by ransomware if you pay a criminal," it wrote, without addressing how victims could now contact the attacker.

Russia and European countries, including the UK, Ukraine, Spain, and France, have been hit hardest by the ransomware, but it has now reached the US. Drug maker Merck, law firm DLA Piper, and Heritage Valley Health Systems are among those that have been infected.


 
What would be good information to know is if anyone infected before the email was shut down received working decryption keys from the hackers.... If the answer is "no", then the action by Posteo was correct...

If the answer is yes, we now enter a grey area.... while the principle of "we don't negotiate with terrorists" is a fine ideal, there are some people (and businesses) who can't afford just lofty ideals, and really need their files back.
 
Really what all companies and individuals need to do is have a back up system. Heck, even if you are not worried about a ransom attack, you never know if your hard drive will kick the bucket. Anyways, by paying these people all you are doing is encouraging them and others to keep doing it. Essentially you are creating a market when you pay them.
 
Tough luck. There's going to be a lot of formatting and reinstallation of OS's now. Hopefully all those numbnuts who opened dodgy email attachments and never considered backing up their important data will do from now on. Actually I don't, I still milk those kind of people who don't use a modicum of common sense all the while sympathizing with them about their woes but inwardly laughing.
 
A public execution, widely published over the internet would be an appropriate action. As we have seen with Wall Street crime, the failure to nip it in the bud with harsh punishment only encourages the bad actors to go back to the well again and again .......
 
Good *****s paying up only continuing the trend of ransomware. If you're hit, accept the loss and learn from your mistakes, but also surely some government software is out there able to easily decrypt. Note to self: backup.
 
I think there's some tools to decrypt your files out there, so should be ok. I remember coming across one on github at least.
 
...but also surely some government software is out there able to easily decrypt.
Fallacious assumption. If done well with AES, there's no way to recover. IMO, that's a dumb approach in the first place. It's time to crank up your backup systems and flat reinstall and restore the user data. WHAT? NO BACKUPS? Fire the CIO.
 