Petrwrap ransomware attacks rage, victims pay Bitcoin ransom and find out they were scammed

The ransomware "WannaCry" previously caused a sensation for attacking hundreds of thousands of computers around the world. On June 27, computers in many European countries suffered similar attacks. A variant of ransomware called "Petrwrap" invaded thousands of computers in many companies and government departments. Ukraine was the worst hit. Ukraine's power grid, government offices, and banking institutions including the central bank, the National Bank of Ukraine, were attacked.

Similar to WannaCry, the developers and operators behind the Petrwrap ransomware also demanded that the victim pay $300 in Bitcoin before the attackers would send the decryption key to the victim.

According to images obtained by Business Insider, the information released by the developers of the Petrwrap ransomware includes a single Bitcoin address and a payment request for $300 in Bitcoin.

Because the Bitcoin blockchain is open, transparent and decentralized, anyone on the network can freely track Bitcoin wallet addresses and their transaction information. According to the transaction information provided by the Blockchain.info blockchain browser, the developers of the Petrwrap ransomware have received 45 Bitcoin ransoms from victims so far, with a value of more than $10,000.

However, an announcement from German email service provider Posteo shows that all email addresses associated with the Petrwrap ransomware attack have been shut down.

The Posteo team mentioned in the announcement:

"Our legal team immediately checked the email addresses and the mailboxes were immediately blocked. We do not tolerate abuse of our platform: we generally take immediate action to terminate the service for email abuse such as this. After blocking the mailboxes, there were no more ransomware reports."

At present, it seems that Posteo has most likely received a notice from the German regulator requiring it to terminate or at least suspend email addresses associated with criminal activities. Therefore, after discovering that someone used Posteo email addresses to carry out the global Petrwrap ransomware attack, the Posteo team blocked several email addresses listed in the Petrwrap ransomware email.

However, the main issue raised by Posteo’s decision is that victims who paid the hackers a $300 Bitcoin ransom will not receive a decryption key because Petya’s developers no longer have access to their email addresses.

That is, the Petrwrap ransomware team cannot identify who sent the ransom to the Bitcoin receiving address.

In Posteo's opinion, the decision to block email addresses could benefit those who have not been hit by the Petrwrap ransomware and dissuade victims from paying the attackers. However, the developers of Petrwrap can easily change the email information in the ransomware.

Regardless, Posteo’s decision to terminate the ransomware email address is detrimental to both attackers and victims, as it eliminates the possibility of victims receiving decryption keys.

In February of this year, the Federal Bureau of Investigation (FBI) advised ransomware victims not to pay Bitcoin ransoms for ransomware attacks because no one can guarantee that the ransomware attackers will provide the decryption key. The FBI stated in the announcement:

"The FBI does not recommend that victims pay ransoms to attackers. Paying a ransom does not guarantee that victims will regain access to their data, and in fact, some individuals or organizations have not been able to obtain decryption keys after paying the ransom."