Ransomware Victims Pay $9,000 in Bitcoin, Receive No Decryption Keys

On June 27, global ransomware Petya encrypted the computers of victims concentrated in Europe, including the Ukrainian government, banks, a Russian oil company, British advertising company WPP and other organizations internationally.

Sources revealed that the developers and distributors behind the Petya ransomware demanded individual victims to pay $300 in bitcoin in return for a personal decryption key that is necessary to recover files from devices infected by the ransomware.

Business Insider obtained a photograph which showed the message distributed by the developers of Petya, including a single bitcoin address and request for a $300 bitcoin payment.

Because the public bitcoin blockchain is transparent and decentralized, anyone within the network can openly track bitcoin wallet addresses and their transactions stored within bitcoin blocks. According to Blockchain, the most widely utilized blockchain explorer and bitcoin wallet platform with more than 15 million wallets launched, the developers of the ransomware have received over $10,000 in bitcoin ransom to date from 45 victims.

However, an announcement from Posteo, a German email service provider, revealed that email addresses associated with the Petya ransomware attack have been closed and terminated immediately after the Posteo legal team was informed that its email addresses were being used to finance a global ransomware attack.

A rough translation of the Posteo team’s announcement read:

“Our legal team checked this immediately – and the mailbox was immediately blocked. We do not tolerate any misuse of our platform: The immediate termination of abused mailboxes is a usual procedure of providers in such cases. At the time of the blocking, there was no reporting on the ransomware.”

It is likely that Posteo is required by existing German regulatory frameworks to terminate or at least temporarily suspend email addresses that are suspected of being involved in criminal activities. Hence, upon the discovery of the association of Posteo email addresses with the global Petya ransomware attack, the Posteo team blocked several email addresses listed on the Petya ransom email.

One major issue with Posteo’s decision to block email addresses associated with the Petya ransomware attack is that the victims that have paid the $300 bitcoin ransom to receive their decryption keys and recover their files can no longer receive the decryption keys because the developers of Petya can not gain access to their email addresses.

Thus, the Petya ransomware team can not identify who has sent the desired ransom payments to its bitcoin address and victims that have paid more than $10,000 will not be able to receive their decryption keys.

Posteo might have thought that its decision could be beneficial to those who have not been infected or affected by the Petya ransomware as it discourages victims from paying the $300 ransom to the distributors of the Petya ransomware. However, the developers of Petya can easily alter the messages distributed by its ransomware to its victims and simply utilize a different email address to extort bitcoin ransom from its victims.

Either way, Posteo’s decision to terminate the email addresses of the Petya ransomware development team fails to benefit both parties as it eliminates the possibility of victims from receiving their decryption keys.

For this reason, in February, the Federal Bureau of Investigation (FBI) recommended victims of ransomware not to pay the bitcoin ransomware as it is not guaranteed that the ransomware distributors will release decryption keys; the public announcement stated:

“The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom.”