Security Experts:

Malware Developers Blackmail Creator of Open-Source Ransomware

Developers of the recently discovered open source-based “Magic” malware are blackmailing the creator of Hidden Tear and EDA2 , so-called educational ransomware, in order to force the developer to abandon the projects.

Utku Sen, a Turkey-based hacker announced that he has already removed all the files and commits of the EDA2 project after discovering that he made an error that no longer makes it possible for users to retrieve their data for free.

However, the group behind the Magic ransomware began blackmailing Sen in an effort to shut down Hidden Tear as well, saying in a forum post that they are willing to provide affected users with the decryption keys for free, if Sen agrees to take down all of his open source ransomware projects. He initially refused to give into the blackmail attempts, but later on Tuesday said he would "take down tear in 3 days." He had already promised to both help people affected by the malware and to fight the cybercriminals behind it at the same time.

Sen published Hidden Tear and EDA2 in open source to offer the community a glimpse into what ransomware is all about. He also decided to include a series of flaws in the code to ensure that if cybercriminals used his project in nefarious activities, he would be able to sabotage them and help users regain access to their data.

However, while this worked out in the case of Hidden Tear and an encryption flaw allowed security researchers crack the encryption algorithm of Linux.Encoder and Cryptear.B, things didn’t go as well with EDA2. The ransomware does not include security flaws, but the control script does have some security vulnerabilities, to allow Sen access the database.

Magic, which was created using EDA2 code, sends the AES encryption keys to the Command & Control (C&C) server, but also encrypts them using a RSA public key before that. The actors behind the ransomware used C&C servers hosted on free web sites services, making the database easily accessible, but they switched to new hosting services, and the original provider deleted the database.

The vulnerabilities in EDA2’s control script should have provided Sen with the possibility to retrieve decryption keys and help users decrypt their files without paying the ransomware. However, the operation relied on the database being accessible, which became an issue once the C&C servers and the decryption keys were deleted.

According to Sen, his main mistake was that the decryption key database was left in criminals’ hands, and that there was no way other people could retrieve a copy of it. A backdoor that could have copied the database to another server would have helped in the event of account suspension even if the cybercriminals would have lost access to the data.

While the intentions of the people blackmailing Sen are yet unclear, it appears that they might indeed be in possession of the decryption keys needed to recover files encrypted by the Magic ransomware. One user complaining in the aforementioned forum thread received such a decryption key and managed to restore their files.

Based on the forum posts, it appears that the Magic ransomware developers are not seeking financial gain, but want the removal of Hidden Tear project from the web, as the malware itself was only “an experiment.” They also say they would agree to help victims if Sen removed Hidden Tear and didn’t come up with new projects.

The release of open-source ransomware wasn’t received well in the first place, as many feared it would be used for nefarious purposes, but it is unclear why malware developers would want such projects be terminated. Sen suggests in a forum post that it could be a political move: these actors being Russians, wanted to flame him, who is Turkish.

While the Magic developers did not comment on their reasoning behind trying to shut down the open-source ransomware, they did say they are willing to unconditionally help victims. Infected users should email viper1990[at]safe-mail[dot]net in the next 15 days to receive their decryption keys.

As Scott Gainey, Senior Vice President and Chief Marketing Officer at SentinelOne, explains in a recent SecurityWeek column, ransomware is a highly rewarding business model for cybercriminals and this type of malware is now a threat to both consumers and enterprises. Attacks are easy to carry out, Bitcoin payments offer anonymity to attackers, and profits are high. 

*Updated to reflect Sen's agreement to take down Tear.

view counter