Far Cry Primal crack distributes EDA2-based ransomware

Mar 11, 2016 09:15 GMT

A ransomware developer who appears to be located in Poland was humiliated by security researchers after claiming to be untouchable and impossible to find.

The first signs of his ransomware campaign were spotted two days ago by Malekal Morte, a security researcher who later discovered that the malware developer was spreading the ransomware via a YouTube video advertising a Far Cry Primal crack.

The YouTube video description contained a link to the Far Cry crack, which was laced with his ransomware. When executed, the ransomware encrypts the user's files using AES encryption, appends the "locked" extension to every encrypted file, and then asks for a payment of 0.5 Bitcoin (~$200 / ~€180).
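The behaviour described above (many user files renamed to a ".locked" name by one process in a short span) is what a defender can key on. The following is an added detection example written for this article, not code from the article, from the ransomware, or from EDA2. The log format, host/pid/process field names and the sample events are all constructed for the example; adapt the regex to whatever file-event telemetry you actually collect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample file-system events (not real telemetry). The field layout
# is an assumption made for this example. Paths use forward slashes only to
# keep the strings readable; a real Windows feed would carry backslashes.
SAMPLE_EVENTS = [
    "2016-03-09T10:00:01Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/doc1.docx dst=C:/Users/a/doc1.docx.locked",
    "2016-03-09T10:00:01Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/photo.jpg dst=C:/Users/a/photo.jpg.locked",
    "2016-03-09T10:00:02Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/notes.txt dst=C:/Users/a/notes.txt.locked",
    "2016-03-09T10:00:02Z host=PC1 pid=900 proc=explorer.exe op=rename src=C:/Users/a/report.docx dst=C:/Users/a/report_v2.docx",
    "2016-03-09T10:00:03Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/budget.xlsx dst=C:/Users/a/budget.xlsx.locked",
    "2016-03-09T10:00:03Z host=PC1 pid=4412 proc=crack.exe op=write src=- dst=C:/Users/a/README_LOCKED.txt",
    "2016-03-09T10:00:04Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/thesis.pdf dst=C:/Users/a/thesis.pdf.locked",
    "2016-03-09T10:00:05Z host=PC1 pid=4412 proc=crack.exe op=rename src=C:/Users/a/song.mp3 dst=C:/Users/a/song.mp3.locked",
    "2016-03-09T10:00:09Z host=PC1 pid=900 proc=explorer.exe op=rename src=C:/Users/a/old.zip dst=C:/Users/a/old.zip.locked",
    "this line is deliberately malformed and must be skipped",
]

# One event per line: ISO-8601 UTC timestamp followed by key=value fields.
# src is matched non-greedily so that " dst=" acts as its delimiter.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) src=(?P<src>.+?) dst=(?P<dst>.+)$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["pid"] = int(ev["pid"])
    return ev


def detect_mass_locked_renames(lines, threshold=5, window_seconds=60,
                               extension=".locked"):
    """Flag each (host, pid, process) that renames at least `threshold` files
    to `extension` within any `window_seconds` span. Events are assumed to be
    in chronological order per process. Returns a list of
    (host, pid, proc, total_locked_renames) tuples, one per flagged process,
    in the order in which they crossed the threshold."""
    windows = defaultdict(deque)   # key -> timestamps inside the sliding window
    totals = defaultdict(int)      # key -> total matching renames seen
    flagged = []                   # keys that crossed the threshold, in order
    for line in lines:
        ev = parse_event(line)
        # Only rename operations whose destination carries the extension count;
        # writes (e.g. dropping a ransom note) and ordinary renames are ignored.
        if ev is None or ev["op"] != "rename":
            continue
        if not ev["dst"].lower().endswith(extension):
            continue
        key = (ev["host"], ev["pid"], ev["proc"])
        totals[key] += 1
        win = windows[key]
        win.append(ev["ts"])
        # Drop timestamps that have aged out of the window.
        while (ev["ts"] - win[0]).total_seconds() > window_seconds:
            win.popleft()
        if len(win) >= threshold and key not in flagged:
            flagged.append(key)
    return [(h, p, n, totals[(h, p, n)]) for (h, p, n) in flagged]


if __name__ == "__main__":
    for host, pid, proc, count in detect_mass_locked_renames(SAMPLE_EVENTS):
        print(f"ALERT {host}: {proc} (pid {pid}) renamed {count} files to .locked")
```

On the constructed sample, only `crack.exe` is flagged: it renames six files to ".locked" within four seconds, while `explorer.exe` renames a single file to that extension and stays under the threshold. Tuning the window and threshold to your environment matters more than the regex; a backup or archiving tool that legitimately renames many files should be allow-listed by process path rather than by raising the threshold for everyone.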

Mildly annoying ransom note gets security researchers mad

This is your typical ransomware behavior these days, but what got the security researchers angry was the ransom note left on all infected computers.

In the note, the ransomware developer tried to shame victims, explained his behavior, and boasted that he would never get caught. The tone of the message did not sit well with the infosec community, and multiple researchers banded together to analyze the ransomware strain.

It was soon discovered that the "all so perfect" and "do no wrong" developer had actually used the open-source EDA2 project to build his ransomware. This was his fatal mistake.

Ransomware encryption keys recovered via hidden backdoor

EDA2 is an open-source ransomware project that was made available via GitHub for a few months during 2015 and 2016. There was a huge scandal about it at the start of the year, and we'll guess that the Polish ransomware developer didn't know about it.

We say this because in that scandal, it came to light that the developer of EDA2 left an intentional backdoor in the ransomware's C&C server code.

The security researchers investigating this latest case got in contact with Utku Sen, EDA2's author, who then used his backdoor to access the crook's servers and retrieve all the ransomware encryption keys that had been used to lock up user files.

Mr. Sen then proceeded to decrypt the encryption keys and has in the meantime made them available via a Dropbox file. Users that need further assistance can also ask for it via this Bleeping Computer forum thread.

There are 656 decryption keys in the Dropbox file, meaning the same number of affected users, but the good news is that only three people have paid the ransom, according to the stats of the Bitcoin wallet associated with this campaign.

At the end of the day, security researchers were just happy to serve the pompous ransomware developer a big fat slice of humble pie.