It’s already too late for today’s ransomware victims to pay up and save their computers

The problem with a headline-making ransomware scheme

Illustration by Alex Castro / The Verge

After thousands of infections, the new Petya ransomware has run into its first major problem, as a German email provider has blocked the email account the virus was using to manage ransom demands. Victims should be advised not to pay into the wallet, since it’s unlikely the attackers can successfully decrypt systems at this point.

The problem is caused in part by Petya’s unorthodox method for collecting ransom payments. Most ransomware programs create a unique wallet for each infection, making it easy to know which victim is responsible for each payment. But Petya broke with that practice, asking every victim to send their $300 payment to the same single Bitcoin wallet, then send an email to wowsmith123456@posteo.net with a unique identifier to confirm payment and receive the decryption keys.
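Because every victim has to email the same attacker-controlled address to be matched to a payment, that address doubles as an indicator of compromise on the defender's side: an internal host sending mail to it is almost certainly infected. The following Python example, added here and not part of the article, correlates Postfix-style queue log lines (the `from=` line from the queue manager with the matching `to=` line from the SMTP client, joined on the queue ID) and reports every message addressed to the ransom contact. The log lines, hostnames, queue IDs and IP addresses are constructed for the example; only the recipient address comes from the article.

```python
import re
from typing import Dict, Iterable, List

# Ransom contact address named in the article, treated as an IoC.
RANSOM_CONTACT_ADDRESSES = {"wowsmith123456@posteo.net"}

# Constructed Postfix-style mail log excerpt (not real logs). The last message
# bounces, which is what victims would see once the provider disabled the mailbox.
SAMPLE_MAIL_LOG = """\
Jun 27 14:02:11 mx1 postfix/qmgr[1021]: 3F2A1B: from=<alice@corp.example>, size=4213, nrcpt=1 (queue active)
Jun 27 14:02:11 mx1 postfix/smtp[1045]: 3F2A1B: to=<bob@partner.example>, relay=mail.partner.example[203.0.113.7]:25, status=sent (250 OK)
Jun 27 14:03:40 mx1 postfix/qmgr[1021]: 7C9D2E: from=<ws-217@corp.example>, size=602, nrcpt=1 (queue active)
Jun 27 14:03:41 mx1 postfix/smtp[1046]: 7C9D2E: to=<wowsmith123456@posteo.net>, relay=mail.provider.example[192.0.2.10]:25, status=sent (250 OK)
Jun 27 14:05:02 mx1 postfix/qmgr[1021]: 9A1F3C: from=<ws-302@corp.example>, size=611, nrcpt=1 (queue active)
Jun 27 14:05:03 mx1 postfix/smtp[1047]: 9A1F3C: to=<wowsmith123456@posteo.net>, relay=mail.provider.example[192.0.2.10]:25, status=bounced (550 mailbox disabled)
"""

# qmgr line: carries the envelope sender, keyed by queue ID.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>"
)
# smtp line: carries the recipient and delivery status for the same queue ID.
TO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)"
)


def find_ransom_contacts(log_text: str,
                         iocs: Iterable[str] = RANSOM_CONTACT_ADDRESSES) -> List[Dict[str, str]]:
    """Return one finding per message whose recipient is a known ransom contact."""
    iocs = {a.lower() for a in iocs}
    senders: Dict[str, str] = {}          # queue ID -> envelope sender
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = TO_RE.match(line)
        if m and m["rcpt"].lower() in iocs:
            findings.append({
                "time": m["ts"],
                "queue_id": m["qid"],
                "sender": senders.get(m["qid"], "unknown"),
                "recipient": m["rcpt"],
                "status": m["status"],
            })
    return findings


def suspected_victims(log_text: str) -> List[str]:
    """Distinct internal senders that tried to reach the ransom contact."""
    return sorted({f["sender"] for f in find_ransom_contacts(log_text)})


if __name__ == "__main__":
    for f in find_ransom_contacts(SAMPLE_MAIL_LOG):
        print(f"{f['time']} {f['sender']} -> {f['recipient']} ({f['status']})")
    print("suspected victims:", suspected_victims(SAMPLE_MAIL_LOG))
```

The sender mailbox identifies the workstation or user that needs isolation and forensic review; a `bounced` status after the provider's block is the concrete sign that the payment channel the text describes is already dead for that victim.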

But in the wake of today’s globe-spanning infections, Posteo announced that all account access to the “wowsmith” address has been blocked, making it impossible for the group to read or respond to any messages sent to it.

“We do not tolerate the misuse of our platform,” the company said in its statement. “The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”

The result leaves victims in an awkward place. Ransomware targets sometimes successfully pay to decrypt their systems, but publicity surrounding high-profile attacks often makes such payments impossible, as it did in the case of WannaCry.

With Petya, it’s unclear if any systems were successfully decrypted before the email was blocked, although roughly 20 ransoms were paid. Companies can still pay money into the Bitcoin address, but with the named email blocked, it will be logistically impossible for the attackers to make good on their promises of decryption.