An email provider being used by the perpetrators of a global ransomware attack today shut off the hackers’ access to the account, blocking the main avenue by which victims could regain access to their files.
Today’s attack marked the second time in as many months that hackers have launched sophisticated, international ransomware campaigns based on EternalBlue, an exploit purportedly stolen last year from the National Security Agency and leaked to the public.
The German firm Posteo published a blog entry this afternoon announcing that its security specialists had identified one of its accounts that was being used by the hackers to collect on the $300 (USD) ransom demands made to each victim.
“Our anti-abuse team checked this immediately – and blocked the account straight away,” the blog states. “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”
According to Posteo, the blackmailers have not been able to access the account since midday (Central European Summer Time).
Also since that time, it has been impossible to send emails to that address, which is the designated point of contact for obtaining decryption keys.
The ransomware instructions provide victims with bitcoin wallet IDs.
After transferring the funds, the victim is directed to send proof in the form of the bitcoin wallet ID and a “personal installation key,” a unique, 60-character series of letters and numbers that allows the hackers to send back the appropriate decryption key.
In some unfortunate scenarios, victims unaware that the email account had been blocked could pay the ransom in bitcoin, only to learn later that they are unable to contact the hackers.
There was no immediate word from the hackers Tuesday evening about a workaround.