Security researcher claims political harassment

Jan 26, 2016 11:20 GMT

The author of the Magic ransomware strain has agreed to release all decryption keys for free, if Utku Sen, a Turkish security researcher, takes down his Hidden Tear open-source ransomware project from GitHub.

Utku Sen has become really famous in the infosec community as of late, after he released the source code of two ransomware strains as open source projects on GitHub.

The open source ransomware debacle

The first project he created was named Hidden Tear, and malware operators used it to create the Cryptear.B ransomware family. Unfortunately for the malware operators, the ransomware's encryption routine contained a flaw, left intentionally by Utku in the source code, which allowed him and other security researchers to help victims decrypt their locked files without paying the ransom.

The second project was the EDA2 ransomware, which didn't contain an encryption backdoor but came with a fully working C&C server admin panel, which in turn contained a backdoor account.

This second project was used for the Magic ransomware family. The problem is that the operator of this ransomware campaign decided to host the C&C server admin panel on a free hosting provider's infrastructure. Once the hosting provider discovered what the malware operator was up to, it shut down and deleted his account, inadvertently deleting the database with all the encryption keys.

Utku Sen publicly apologized for this incident and then removed the EDA2 ransomware project from GitHub, but the project is no doubt still being shared via underground forums and black markets.

A happy ending for Magic ransomware victims, but...

As it turns out, the Magic ransomware author had made a backup of some of the encryption keys before the hosting provider deleted his account.

Impressed by the story of a user who lost pictures of his newborn son, the Magic ransomware's author decided to release this user's encryption key for free.

The ransomware's operator then had a sudden change of heart and decided that he'd release all encryption keys for free, without requiring Bitcoin payments, if Utku Sen would take down the Hidden Tear project and also pay him 3 Bitcoin (around $1,200 / €1,100).

After further negotiation by Bleeping Computer's Lawrence Abrams, the Magic ransomware author cut down his demands and only asked for Utku Sen to remove the Hidden Tear GitHub repo.

The researcher refuses to cooperate, blames the Russia-Turkey political crisis

Since no official answer had been posted online yet, Softpedia contacted Utku, who provided the following statement:

"When I checked their code I saw lots of Putin-supporting statements in Russian. I think that they are doing this bad stuff just for blaming me because I'm a Turkish guy. It seems all about politics as they said the same thing on the [Bleeping Computer] forum."

"I talked with them. They said Magic ransomware was for letting me know their power [in the] community. They asked for me to take down Hidden Tear. Maybe because the Hidden Tear project has damaged their business because they are selling ransomware."

"They didn't tell me any reason, so I refused. Because I know that if I accept this demand, they will demand something more since it's political. I will work hard on beating their implementation because they still haven't found my backdoor."

Yes, there were clues in some of the ransomware author's posts (as user jeanclaudevandan) on the Bleeping Computer support thread for Magic ransomware victims that showed he might have something against Turkey, so Utku's answer can be justified. Additionally, let's not forget the ongoing political crisis between Russia and Turkey. If Vladimir Putin and Recep Tayyip Erdoğan could not negotiate an agreement between the two countries, we should not hold these two to much higher standards either.

In the past month, we've seen an increase in cyber-incidents between the two countries. There's a palpable grudge between these two nations, and it's also spilling over online, where victims of the Magic ransomware will indirectly pay the price by not having their encryption keys released.

UPDATE: After further discussions, the blackmail attempt turned into full-on negotiations, and Utku Sen and the ransomware operator have come to an agreement. Utku will take down the Hidden Tear repository in three days, while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days. Victims should email the ransomware operator at [email protected].