SecurityWeek

Malware & Threats

New EDA2-Based Ransomware Easily Neutralized

A new variant of the EDA2 educational ransomware has emerged, only to be quickly neutralized, despite its creator’s confidence that he would never get caught.

This piece of ransomware encrypts users’ files with AES and appends the .locked extension to each encrypted file. It then drops ransom notes on the infected computer, informing users that they must pay 0.5 bitcoin to get their files back.
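The two host-level indicators the article describes, files renamed with a .locked suffix and a dropped ransom note demanding bitcoin, are what an incident responder would look for first when triaging a machine. The following Python script is an added example (not code from the article or from the EDA2 project) that walks a directory tree, counts .locked files per folder, flags text files whose contents match a simple ransom-note heuristic, and reports the share of files that were touched. The sample directory it builds in a temporary folder, and the ransom-note file name `README_FOR_DECRYPT.txt`, are constructed for the example; the real variant’s note name is not given on the page.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".locked"              # extension appended by the EDA2 variant described in the article
# Heuristic (assumption): a ransom note mentions bitcoin payment and decryption.
NOTE_KEYWORDS = ("bitcoin", "decrypt")


def looks_like_ransom_note(path: Path, max_bytes: int = 65536) -> bool:
    """Return True when the first max_bytes of a file contain every note keyword."""
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return all(keyword in text for keyword in NOTE_KEYWORDS)


def triage(root: str) -> dict:
    """Walk `root` and summarise ransomware indicators.

    Returns a dict with:
      locked_files  - sorted list of files ending in .locked
      ransom_notes  - sorted list of files matching the note heuristic
      locked_by_dir - Counter of .locked files per directory
      locked_ratio  - fraction of all regular files that carry the .locked extension
      total_files   - number of regular files seen
    """
    locked, notes = [], []
    per_dir = Counter()
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            total += 1
            if name.endswith(LOCKED_EXT):
                locked.append(str(path))
                per_dir[dirpath] += 1
            elif looks_like_ransom_note(path):
                notes.append(str(path))
    ratio = len(locked) / total if total else 0.0
    return {
        "locked_files": sorted(locked),
        "ransom_notes": sorted(notes),
        "locked_by_dir": per_dir,
        "locked_ratio": ratio,
        "total_files": total,
    }


def build_sample_tree() -> str:
    """Create a constructed sample directory that mimics an infected user profile."""
    root = tempfile.mkdtemp(prefix="eda2_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Constructed stand-ins for AES-encrypted documents (contents are not real ciphertext).
    (docs / "thesis.docx.locked").write_bytes(b"\x00" * 64)
    (docs / "budget.xlsx.locked").write_bytes(b"\x00" * 64)
    # Constructed ransom note; the file name is an assumption, not the variant's real note name.
    (docs / "README_FOR_DECRYPT.txt").write_text(
        "Your files are encrypted. Pay 0.5 bitcoin to decrypt them."
    )
    # An untouched file so the locked ratio is meaningful.
    (Path(root) / "notes.txt").write_text("grocery list: milk, eggs")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"{len(report['locked_files'])} of {report['total_files']} files carry {LOCKED_EXT}")
    for directory, count in report["locked_by_dir"].most_common():
        print(f"  {count:4d}  {directory}")
    print("ransom notes:", report["ransom_notes"])
```

The per-directory counter is the useful part for scoping: a handful of .locked files in one folder suggests a test run or a single shared file, while a high ratio across a user’s whole profile matches the mass-encryption behaviour described above and justifies pulling the host off the network before recovery with the published keys.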

The ransomware spread via a link associated with a YouTube video about a Far Cry Primal crack; the link claimed to lead to the video game crack, but the file was laced with ransomware and, as soon as it was executed, encrypted the user’s files instead.

Bragging about his ability to infect computers with the ransomware, the developer also stated in the ransom note that he would never get caught and that any attempt by victims to seek help from the community would be futile.

As it turns out, the ransomware infected over 650 computers, though an analysis of the Bitcoin wallet associated with the campaign revealed that only three victims had paid the ransom to date. The good news is that all victims can recover their files for free, because the malware developer made some major mistakes.

One was the developer’s attempt to shame victims while bragging about his superior skills; the other was the use of EDA2’s code to build the ransomware. Created by Utku Sen last year and available as open source for several months, EDA2 was designed for educational purposes and included a backdoor in its command-and-control (C&C) server code.

Once the new malware was found to have been built on EDA2, Sen was contacted and asked to use the backdoor to connect to the C&C server. Soon after, he announced that he had not only retrieved all the keys from the malware author’s server but also converted them into usable decryption keys.

The decryption keys were immediately published online, and victims can use them, along with the Hidden Tear Decryptor, to restore their files, as detailed in this forum thread. The ransomware appears to no longer be working, and its C&C server is also said to have been shut down.

This is only one of the many ransomware variants spawned from EDA2 and Hidden Tear, the two pieces of educational ransomware created by Utku Sen. Some of the most widely used variants include Magic, Linux.Encoder, and Cryptear.B, yet the security flaw included in the original code allowed researchers to easily create decryption tools.

Soon after news of these security vulnerabilities emerged, the group behind the Magic ransomware began blackmailing the creator of Hidden Tear and EDA2 in an attempt to have both open-source malware projects taken offline. Sen pulled the code for both and also committed to helping users who fell victim to ransomware based on his creations.
