Hacker Behind Massive Ransomware Outbreak Can't Get Emails from Victims Who Paid

A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can't get decryption keys.

|
Jun 27 2017, 5:53pm

Image: Shutterstock

On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted.

But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files.

"If you see this text, then your files are no longer accessible, because they are encrypted," the ransom text reads. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

From here, the hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key."

This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That way, the hacker can release the specific key needed to unlock that individual victim's files.

That process is not possible now, though.

"Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately – and blocked the account straight away. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases."

Just to be super-clear, Posteo clarified, "Since midday it is no longer possible for the blackmailers to access the email account or send emails," and "Sending emails to the account is no longer possible either."

In other words, victims allegedly cannot contact the hacker by email, nor send the details necessary to unlock their files.

In an email to Motherboard, Posteo said, "Please make no speculations about how high the chances are to decrypt files locked by ransomware if you pay a criminal." The company did not respond to questions asking how victims can contact the hacker.

At the time of writing, around 20 victims have sent just under $5,500 to the hacker's bitcoin address.