Posteo, the email provider where the Petya author is hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account:

The German email provider's decision is catastrophic news for Petya victims, as they won't be able to email the Petya author in the case they want to pay the ransom to recover sensitive files needed for urgent matters.

This email address was crucial

This email address is displayed in Petya's ransom note as the only way to contact the Petya author. Victims have to pay the ransom and send an email with their Bitcoin wallet ID and infection key to the author.

Petya ransom note

The Petya developer will verify that the victim made a Bitcoin payment from the emailed wallet ID, and then supply a decryption code based on the victim's supplied ID.

With this email down, victims are now facing the incredible situation of having lost access to files stored on their computers.

Based on Posteo's explanation, the Petya author won't be able to access this email address, while victims won't be able to send new emails to the inbox.

Email provider followed normal procedures

The email provider says it followed normal procedures in these types of abuse cases and shut down this address early in the morning after it learned it was part of a ransomware scheme, but before it found out it was part of the massive Petya outbreak.

The company told Bleeping Computer it is in contact with the country's Federal Office for Security in Information Technology "to make sure that we react properly."

Posteo also said it followed procedures as detailed on the No More Ransom FAQ section. Unfortunately, those instructions were written for victims, and not email providers whose infrastructure was abused by ransomware operators.

In normal circumstances, law enforcement won't take down servers and email addresses used in ransomware operations, as not to hurt victims that want to pay and recover data. Shutting down such servers and emails aggravates ransomware infections many times over, as some victims won't be able to recover precious files.

The entire situation is akin to the WannaCry outbreak, when security products blocked access to the WannaCry killswitch domain, allowing the ransomware to spread further, even after it was neutered.

Article updated with comments from Posteo.

Bleeping Computer Petya/NotPetya coverage:

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

Related Articles:

Gmail Bugs Allow Changing From: Field and Spoofing Recipient's Address

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message