Security researchers can't decide if publishing open-source ransomware on GitHub is a bad or a good idea

Sep 26, 2016 22:10 GMT  ·  By
New open source ransomware project sparks new discussions in the infosec industry

UPDATE: Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.

CryptoTrooper, an open source kit for building Linux ransomware, has divided the infosec community right down the middle.

The hot potato at the heart of the debate is the same issue that surrounded Utku Sen's EDA2 and Hidden Tear ransomware building kits for Windows. Should security researchers create "ransomware for educational purposes" and should they release them on GitHub?

While you may think the clear-cut answer is "Hell NO!!!," surprisingly, the reality is quite different. A recent Twitter poll asked users "Is open source ransomware helping improve ransomware detection/prevention, or making it worse?"

The final result was extremely close, with 54 percent for "No, it's not helping," and 46 percent for "Yes, it's helping."

Twitter poll reignites the "open source ransomware" debate

The poll, which became very popular among security researchers on Twitter, collected 513 votes and sparked a lengthy discussion filled with hard-nosed opinions from both sides.

Here at Softpedia, we cover ransomware news on a regular basis. We wrote about almost all major ransomware families that came out in the past year, including all the EDA2 and Hidden Tear spawns.

Those projects were, just like CryptoTrooper, launched with "educational" purposes in mind, to show other infosec researchers how ransomware works.

Open source ransomware has a bad track record

This didn't stop ransomware operators from using them as the basis for their malicious code. Looking back over the past year, Hidden Tear was used for 12 ransomware families (8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction), while the EDA2 project was used for 10 ransomware families (Brazilian, DEDCryptor, Fantom, FSociety, Magic, MM Locker, SkidLocker, SNSLocker, Strictor, and Surprise).

Even though Sen, the Turkish security researcher who coded them, left backdoors in Hidden Tear (in the encryption) and EDA2 (in the web backend panel), crooks caught on and patched the backdoors out of his code.

In fact, the reason Sen removed both projects from GitHub is that the author of the Magic ransomware had a sudden change of heart, decided that "open source ransomware is bad," and blackmailed Sen into removing the repositories.

At the time, everyone got on Sen's back, criticizing him for his decision to put the code on GitHub, where crooks could also fork it for their own nefarious purposes. Very few supported Sen's point of view, that the projects helped security vendors get an insight into how ransomware worked.

CryptoTrooper plagued by Hidden Tear / EDA2's reputation

Although the CryptoTrooper project had been on GitHub for around seven months, few knew it existed until the recent Twitter poll brought back the same discussions that had been carried out at the start of the year.

Add to that the 22 (12 + 10) Hidden Tear and EDA2 ransomware variants that gave security researchers headaches in the past few months, and we aren't surprised that some researchers have spoken out against Maksym Zaitsev, CryptoTrooper's creator.

Of course, when the poll ended a few hours before this article's publication, we were all stunned. Nobody expected such a close race.

The security researchers Softpedia has spoken to were all against the idea that open source ransomware does any good. Not even one supported Zaitsev's point of view.

The only one who agreed to go on record was Fabian Wosar, Emsisoft malware analyst and well-known "ransomware enemy #1." In fact, Wosar has cracked so much ransomware and created so many free decrypters that, at one point, malware coders just named their ransomware after him: Fabiansomware.

"The majority of things that claim to be for educational purposes aren't for educational purposes," Wosar told Softpedia. "I also don't subscribe to the philosophy that you need to know how to mess stuff up to be able to repair it. Haven't seen any trauma surgeon running around shooting people in the stomach to 'learn how to do stuff properly'."

Zaitsev is not a popular figure right now

Other researchers declined to provide any type of comment because they just couldn't say something nice. A researcher who wanted to remain anonymous called CryptoTrooper a "completely retarded idea."

"I wish people could be held accountable for the [expletive] they put on GitHub," he also added, "even if someone else weaponized it."

Another researcher, also speaking anonymously, couldn't believe the poll result. "Impossible that half of [the] voters said yes," the researcher gawked. "Scary... Hopefully they just chose yes just for joking or something like that."

Another researcher called Zaitsev "misguided," while another one just flat out insulted him.

A fifth researcher didn't see anything wrong with Zaitsev creating the project, but had a problem with him putting it on GitHub, where everyone can get it. "[E]ducational 'X' is good, until you share it on Github..." he said.

Zaitsev, for his part, was very firm on his position to continue work on the project and leave it on GitHub, regardless of what people voted.

CryptoTrooper is a very powerful, but broken ransomware

Zaitsev says that CryptoTrooper is an experiment in ransomware creation. The project doesn't use the regular encryption schemes employed by most ransomware families today, but deploys a white-box encryption mechanism reminiscent of DRM protection schemes.

"CryptoTrooper uses AES encryption correctly to encrypt the files," Zaitsev told Softpedia. "This is a symmetric encryption, which requires a key, but by simply leaving it on the victim's machine, it becomes totally useless since the victim can perform the reverse procedure and decrypt the files easily."

"Here is where the white-box encryption comes into place," he emphasizes. "White-box encryption, to put it in a nutshell, is irreversible symmetric encryption, which means that it can encrypt with a special white key, but it can't decrypt it with the same key, and it's very interesting in the context of ransomware."

Open-sourcing something like this on GitHub looks like a very bad idea. But it's not, according to Zaitsev, who took the precaution of removing key parts of the CryptoTrooper code.

No danger in the CryptoTrooper repo, Zaitsev says

"[The] white-box [encryption] construction is broken (not the implementation, but the algorithm itself), thus the ransomware presents ABSOLUTELY NO THREAT AND NO INTEREST FOR MALICIOUS PURPOSE," Zaitsev wrote on GitHub, and also confirmed to Softpedia via a Twitter conversation.

Nevertheless, the researcher got skewered on Twitter for his work, most likely because of Sen's past shenanigans.

"My tool teaches a lot of things and most importantly - motivates the research in order to defeat the ransomware the right way," Zaitsev said. "I think that by releasing a PoC that practically proves the errors is a way to force people to change their minds, just like releasing an exploit."

"By releasing CryptoTrooper, I show that all widely used techniques will fail at defeating it. Ransomware can't be treated as simple malware. It requires a different approach."

The same point of view seems to be shared by Utku Sen. "Two things need to be changed on fighting ransomware: our methods and the public point of view," Sen wrote in an email to Softpedia.

Sen supports Zaitsev's efforts

"There are two main benefits of -intentionally flawed- open source ransomware. When criminals use these codes, we can decrypt them via our backdoors. Of course not every criminal will use this code, but eventually people will start to think that ransomware can be decrypted, and eventually they will stop paying the ransom money," Sen said. "With this method, we can stop the money flow and damage the criminal's motivation."

"The other benefit is, open source ransomware almost destroyed the ransomware code-selling business," Sen added. "Last year there were lots of entries on darknet forums, markets, etc. Now it's almost zero because of Hidden Tear and EDA2."

But Sen's plans go much deeper. "Hidden Tear and EDA2 were small experiments for this theory. They went well except the Magic ransomware incident. That happened because of a miscalculation," Sen said. "The main reason was that these projects started with a zero budget, and I planned everything by myself."

"In the future, these kind of projects need to be supported by governments & big companies, and should be planned with a large group."

Small chances of seeing CryptoTrooper infections in the near future

Unfortunately, the division of opinion in the infosec community will not help Sen's utopian point of view.

The neutered CryptoTrooper doesn't look like a danger to Linux systems right now, but given time, a ransomware operator might figure out the missing parts, and we'll see how this plays out.

Taking into account the high level of cryptography knowledge needed to weaponize CryptoTrooper and the small Linux OS market share, this seems highly unlikely. Porting CryptoTrooper to Windows would require a complete rewrite.

"Assembly instructions are different on every OS," Zaitsev said. "You will need to reverse engineer it to source code, which is a very time consuming task. The amount of work and skills is just uncountable."

If you want to be safe regardless, projects like Cryptostalker can help users watch for newly written files on their Linux machines that look encrypted, which can serve as an early warning of a ransomware infection. For Windows, a similar system is CryptoDrop, but this is still in development.
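The kind of early-warning check such tools rely on, as an added example that is not Cryptostalker's or CryptoDrop's code: a file is scored by the Shannon entropy of its bytes, since ciphertext is close to the 8 bits-per-byte maximum while documents and source code sit far below it, and an alert fires only when several encrypted-looking files are written back to back, which is what an encryption loop looks like from the filesystem's side. The thresholds, the burst count, the skipped magic numbers and the sample inputs are all assumptions made for this example.

```python
"""
Entropy-based ransomware write detector (added example; assumptions noted).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Tunable thresholds. These are assumptions for the example, not settings
# taken from Cryptostalker, CryptoDrop or the article.
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum for byte data
MIN_SIZE = 1024           # ignore tiny files, whose entropy estimate is noisy
READ_LIMIT = 64 * 1024    # the head of a file is enough for the estimate
ALERT_COUNT = 3           # consecutive encrypted-looking writes before alerting

# Formats that are legitimately high-entropy (compressed or already encrypted
# containers). Skipping them cuts false positives, but ransomware can forge a
# header, so this is a noise filter, not a guarantee.
KNOWN_HIGH_ENTROPY_MAGIC = (
    b"\x1f\x8b",        # gzip
    b"PK\x03\x04",      # zip / docx / jar
    b"\xff\xd8\xff",    # jpeg
    b"\x89PNG",         # png
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: big enough, not a known compressed format, near-random bytes."""
    if len(data) < MIN_SIZE:
        return False
    if data.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class BurstDetector:
    """Counts consecutive encrypted-looking writes and alerts on a burst.

    One high-entropy file is normal (a download, an archive with an unusual
    header); a run of them appearing back to back is the signature of a
    process encrypting a directory tree.
    """

    def __init__(self, alert_count: int = ALERT_COUNT):
        self.alert_count = alert_count
        self.streak = 0
        self.alerts = []

    def observe(self, path: str, data: bytes) -> bool:
        """Feed one newly written file; return True when an alert fires."""
        if not looks_encrypted(data):
            self.streak = 0
            return False
        self.streak += 1
        if self.streak == self.alert_count:
            self.alerts.append(path)
            return True
        return False

    def observe_file(self, path: str) -> bool:
        """Same check for a file on disk, reading only its head."""
        with open(path, "rb") as fh:
            return self.observe(path, fh.read(READ_LIMIT))


def _pseudo_random(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample inputs, not real victim files.
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog.\n" * 60
SAMPLE_CIPHERTEXT = _pseudo_random(4096)


if __name__ == "__main__":
    detector = BurstDetector()
    with tempfile.TemporaryDirectory() as tmp:
        bodies = [SAMPLE_TEXT, SAMPLE_CIPHERTEXT, SAMPLE_CIPHERTEXT, SAMPLE_CIPHERTEXT]
        for i, body in enumerate(bodies):
            path = os.path.join(tmp, "doc%d" % i)
            with open(path, "wb") as fh:
                fh.write(body)
            if detector.observe_file(path):
                print("ALERT: burst of encrypted-looking writes ending at", path)
    print("entropy of text       :", round(shannon_entropy(SAMPLE_TEXT), 2))
    print("entropy of ciphertext :", round(shannon_entropy(SAMPLE_CIPHERTEXT), 2))
```

In a real deployment the `observe_file` call would be driven by an inotify (or fanotify) watcher on the directories you care about, and the alert would pause or kill the writing process rather than just print. The obvious gaps are worth knowing: compressed media and archives without a recognised header still trip the entropy check, a rate limit on alerts is needed on busy hosts, and a ransomware author who writes a plaintext header before the ciphertext, or encrypts files slowly, can stay under a heuristic like this one.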

In the meantime, most security researchers will likely identify and agree with this tweet.