Over the past couple of years, security experts have gotten accustomed to dealing with ransomware breeds that pursue solely malicious goals. These are intrinsically profit-oriented pieces of code that circulate covertly, encrypt their victims’ files and demand a fee to make the badly mutilated data accessible again.
Utku Sen, a researcher and security enthusiast from Turkey, ventured to turn this state of affairs upside down. He came up with two unique proofs-of-concept called Hidden Tear and Eda2 back in August 2015. Both were fully functional crypto malware samples, which the author claims to have created as purely educational projects so that other analysts could see how these infections actually operate.
The programmer never denied that his source code could also be used by individuals and groups seeking easy profit. This turned out to be a correct prediction. Different cyber rings ended up producing as many as 24 builds of ransomware based on Sen’s projects during a five-month time span. The reasons are obvious: the crooks needn’t invest in development of their own, and they don’t have to pay the affiliate fee charged in the increasingly popular “Ransomware as a Service” models.
Fortunately, the original variant of Hidden Tear had a built-in backdoor that, in the worst-case scenario, would allow security researchers to derive all the details needed for file decryption from the timestamps of the locked files. For Eda2, Utku Sen added a vulnerability aimed at providing access to the database of encryption keys.
The open-source ransomware employs the AES cipher and only encrypts files stored in the “\test” directory on the Desktop. Of course, the fraudsters modified this rule so that other personal files would be subject to the crypto attack as well. The dropper is only 12 KB, which in itself facilitates the Trojan’s propagation.
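The page does not spell out how Hidden Tear derived its keys, so the following is an added illustration (not Hidden Tear’s or Utku Sen’s code) of the weakness class the backdoor belongs to: a key derived from a PRNG seeded with the current time can be recovered by a defender who knows roughly when the file was encrypted, which the locked file’s modification timestamp reveals. The cipher here is a hypothetical SHA-256 keystream standing in for AES so that the example runs with the Python standard library alone; the recovery logic does not depend on which cipher is used.

```python
import hashlib
import random

# Constructed sample: a victim file's contents and its modification time (Unix seconds).
SAMPLE_PLAINTEXT = b"%PDF-1.4 constructed sample document body, not a real file"
SAMPLE_MTIME = 1_440_000_000  # constructed timestamp, August 2015
KNOWN_PREFIX = b"%PDF-1.4"    # file-format magic a defender can assume for .pdf files


def weak_key_from_time(seed_seconds):
    """Hypothetical weak derivation: the whole 32-byte key comes from a PRNG
    seeded with a timestamp, so there are only as many keys as plausible seeds."""
    rng = random.Random(seed_seconds)
    return bytes(rng.getrandbits(8) for _ in range(32))


def keystream_xor(key, data):
    """Stand-in stream cipher (SHA-256 in counter mode) used in place of AES.
    XOR-based, so the same call both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def recover_key(ciphertext, mtime, known_prefix, window=300):
    """Defender-side recovery: the encrypted file was written within a few
    seconds after the key was generated, so every seed in [mtime - window, mtime]
    is tried and the one that reproduces the expected file header is the key."""
    for seed in range(mtime - window, mtime + 1):
        candidate = weak_key_from_time(seed)
        if keystream_xor(candidate, ciphertext[:len(known_prefix)]) == known_prefix:
            return candidate
    return None


def demo():
    """Simulate a locked file whose key was derived 7 seconds before it was written,
    then recover the plaintext from the ciphertext and the file's mtime alone."""
    ciphertext = keystream_xor(weak_key_from_time(SAMPLE_MTIME - 7), SAMPLE_PLAINTEXT)
    key = recover_key(ciphertext, SAMPLE_MTIME, KNOWN_PREFIX)
    return None if key is None else keystream_xor(key, ciphertext)


if __name__ == "__main__":
    print(demo())
```

The same search fails if the key is drawn from a cryptographically secure generator, which is why a 300-second seed window is a fatal flaw and not a minor one.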
The first infection developed from the Hidden Tear source code was Linux.Encoder, which pioneered the domain of Linux-specific ransomware. Then, Cryptear.B came on stage. Owing to the above-mentioned backdoor, these were cracked and the infected users were able to restore their locked files. There was also KryptoLocker, which represents the so-called Trojan-Ransom.MSIL.Tear cluster, itself consisting of multiple similar samples. These were, for the most part, very unprofessionally implemented: some didn’t even store the decryption keys in any way.
The most infamous derivative, though, was the Magic Ransomware built with Eda2. Its operators defiantly blackmailed Utku Sen into closing down both of his open-source projects, threatening otherwise to erase all the recovery keys and thus make the victims lose their data irreversibly. While the criminals’ motivations for acting like this are unknown, they did achieve their goal: Hidden Tear and Eda2 aren’t publicly available anymore.
This educational initiative, obviously, didn’t end well. A lot of infected people paid ransoms. Some will never get their sensitive files back. It turns out that the aphorism “The road to hell is paved with good intentions” may apply to the cybersecurity realm as well.