Open source ransomware: the worst idea of all time

Feb 4, 2016 22:13 GMT  ·  By

The ransomware variant called Hidden Tear, open-sourced as part of an educational project, was used for at least 24 real-life ransomware strains, as security researchers from Kaspersky have discovered in the past days.

The whole story starts with a Turkish security researcher named Utku Sen, who decided last year to create a few test ransomware families and upload them on GitHub.

Utku Sen and his hobby

At first, the researcher created Hidden Tear, in which he left a hidden encryption flaw. Hidden Tear was later used in the Cryptear.B and Linux.Encoder ransomware families, both of which were cracked by Utku himself and various security firms.

After this happened, ransomware authors moved to abusing EDA2, Utku's second ransomware project. EDA2 didn't include an encryption flaw, but its PHP component was laced with a backdoor. Despite this, when the whole Magic ransomware debacle happened, this backdoor was useless, and only the malware author's good grace allowed infected victims to recover their files.

To release the encryption keys for free, the author of the Magic ransomware blackmailed Utku and forced him to remove both the EDA2 and Hidden Tear projects from GitHub.

Over 24 Hidden Tear variants detected

Unfortunately, removing the ransomware families from GitHub didn't help at all. Jornt van der Wiel, security researcher from Kaspersky, says that they've found 24 other ransomware families that used some of Hidden Tear's code in their make-up.

One of these families is Trojan-Ransom.MSIL.Tear.c, which was specifically altered to encrypt only files found on the user's desktop.

Another one, Trojan-Ransom.MSIL.Tear.f, also known as KryptoLocker, was asking users to email the ransomware's author for their encryption key and was lying about the type of encryption used to lock the files.

Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h were a little bit more complex because they used C&C (command and control) servers, while Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k actually used the same C&C server IP.

There were more, but we won't mention them all since they all contain small updates to the normal Hidden Tear mode of operation.

Some Hidden Tear variants were destroying user files

Some of the few that do stand out are Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p, and Trojan-Ransom.MSIL.Tear.q, which encrypted files but forgot to store the encryption key anywhere, effectively losing all the victims' files.

Even worse, all Hidden Tear variants codenamed from Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v used a C&C server located at "example.com," sending encryption keys into thin air, dooming the user's files as well.

The conclusion of all this is that even if security researchers have the best intentions at heart, this will never stop bad guys from abusing their "educational" work.