
Petya Ransomware Victims Are Now Victims Of Cyber Theft.

Victims of Petya, the latest ransomware cyber attack, are now left with no recourse to get their files back.

Posteo, the host of the crooks' email account (wowsmith123456@posteo.net), has just announced that it has completely shut down the perpetrators' email. Unfortunately, this email was the only method of communication that those who lost their files could use to get their digital property back.

This is incredibly inconvenient for any user, but absolutely catastrophic for some who have been targeted, including several European banks, airlines, train stations, and medical offices.

This email address was crucial

The email address displayed in the ransom note below was the only method of contacting the attacker. Victims have to follow its instructions, paying $300 and supplying their Bitcoin wallet ID, in order to get their information decrypted.

Petya ransom note

The Petya developer will verify that the victim made a Bitcoin payment from the emailed wallet ID, and then supply a decryption code based on the victim's supplied ID.

However, now that this email is down, users face the harsh reality that they may never see their files again.

According to Posteo, the Petya author can no longer access this email address, and victims cannot send anything to the wowsmith123456@posteo.net inbox.

Email provider followed normal procedures

The email provider says it followed normal procedures for these types of abuse cases and shut down this address around 5:15 PM CET, after it learned the address was part of a ransomware scheme but before it found out that the scheme was the massive Petya outbreak.

The company says it is in contact with the country’s Federal Office for Security in Information Technology. Bleeping Computer has reached out to Posteo to find out if the advice to block access to this email address came from law enforcement or was Posteo’s own doing.

In normal circumstances, law enforcement won't take down servers and email addresses used in ransomware operations, so as not to hurt victims who want to pay and recover their data. Shutting down such servers and email accounts aggravates ransomware infections many times over, as some victims won't be able to recover precious files.

The entire situation is akin to the WannaCry outbreak, when security products blocked access to the WannaCry kill-switch domain, allowing the ransomware to keep spreading even after it had been neutered.
