Hacker behind massive ransomware attack has no access to emails from victims who paid

Hackers behind global cyber attack NotPetya didn't count for one small detail in the plan.

The hacker behind the global ransomware attack can't get emails from those who met his demands because his account has been closed by the German provider.

Several businesses including courier companies, legal firms and even Cadbury were involved in the NotPetya cyber attack, which demanded victims send bitcoin to a predefined address to have their files decrypted and then email him with confirmation.

Once received, the hacker would send a 60-character code made up of letters and digits generated by the malware so they could unlock their files.

"If you see this text, then your files are no longer accessible, because they are encrypted," the ransom message read.

"Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

The hacker's plan was flawless until email hosting company Posteo decided to close the account mentioned in the demands.

"Midway through today we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," the email provider wrote in a blog post on Wednesday.

"Our anti-abuse team checked this immediately - and blocked the account straight away. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases."

This might have seemed like a good way to stop the hacker getting the extortion money, however the move also means the victims now have no way of getting the decryption keys needed to unlock their files.

Idiots...
Blocking email won't stop infections, but it will make victims surely not get back files even if they wanted to pay.
👏 https://t.co/AENHYr9Fly

— MalwareHunterTeam (@malwrhunterteam) June 27, 2017

Do not pay the #Petya ransom. You will not get your files back. The email address used is blocked! @SwiftOnSecurity @thegrugq pic.twitter.com/NOzxLz0vul

— haveibeencompromised (@HIBC2017) June 27, 2017

When asked about how the negative repercussions from removing the chance for those caught in the hack to have their content retrieved, the email company said there was no evidence to suggest paying the ransom would have worked.

"Please make no speculations about how high the chances are to decrypt files locked by ransomware if you pay a criminal. The company did not respond to questions asking how victims can contact the hacker," the company told Motherboard.

While it is still possible for money to be sent to the Bitcoin address, the blocked email will make it logistically impossible for the hackers to make good on their decryption promise.

It is also a good reminder for people to constantly backup their information.

Do you think the company made the right choice? Continue the conversation in the comments below or with Matthew Dunn on Facebook and Twitter.