A new ransomware family based on open-source code has recently been spotted in the wild; it encrypts user files and adds a ".magic" extension to them, researchers warn.
Dubbed "Magic" by the security firm, the malware is based on the open-source ransomware eda2, which was created for educational purposes. Magic is written in C#, and the actors behind it currently demand 1 Bitcoin from users looking to regain access to their data.
Ransomware has become a highly rewarding business for cybercriminals, with some interested in building their own malware. Adopting open-source ransomware is a fast way to do that, and the Magic ransomware is proof that perpetrators would do whatever it takes to achieve their nefarious goals.
Magic is the second ransomware discovered this month to have been built upon ransomware created for educational purposes. Earlier this month, Trend Micro discovered that a newly created threat called Ransom_Cryptear.B was based on another educational ransomware publicly available, namely Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.
Hidden Tear code was used in other malware as well, including Linux.Encoder, which was discovered back in November to pack an encryption flaw that allowed researchers to crack its encryption algorithm. Last week, Utku Sen said that he managed to break the encryption of Cryptear.B because he intentionally weakened the encryption in Hidden Tear fearing that cybercriminals might abuse it.
Based on the eda2 ransomware kit, the newly discovered Magic malware appears to be the work of low-skilled hackers, Bleeping Computer's Lawrence Abrams explains in a blog post. However, the kit includes all the necessary code, from the ransomware executable to the encryption routine and a PHP web panel that serves as a Command & Control (C2) server storing victims' encryption keys.
Researchers haven't yet established how Magic is being distributed, but assume manual distribution via hacked terminal services or remote desktop. The ransomware stores the AES keys used to encrypt files on the C2 servers, and it encrypts those keys with an RSA public key before sending them to the server.
Because the actors using the Magic ransomware are not advanced enough, they use C2 servers hosted on free web hosting services, which means the servers can easily be taken down. However, there is a risk that the free web hosting provider may delete the decryption key databases before security researchers can access them, meaning that victims lose the ability to retrieve their keys.
The ransomware is capable of encrypting a wide array of file extensions and appends the .magic extension to any encrypted file, but it won't encrypt files located in directories whose path contains the string $, C:\Windows, or c:\program. After completing the encryption process, it creates the deleteMyProgram.bat batch file and executes it; the batch file uses vssadmin.exe to clear the victim's Shadow Volume Copies and then deletes the malware executable.
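As an added illustration (not code from the article or from the researchers it cites), the following Python sketch turns the observable behaviour described above into simple detection logic: it flags vssadmin shadow-copy deletions and bursts of renames to the .magic extension in constructed sample telemetry, and includes a helper that mirrors the article's directory-exclusion rule so an analyst can tell which paths the malware would have left untouched. The log format, host names and alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the article), one record per line:
# "kind|host|field1|field2". kind=proc: field1=parent image, field2=command line.
# kind=rename: field1=old path, field2=new path.
SAMPLE_TELEMETRY = """\
proc|WS01|C:\\Windows\\explorer.exe|"C:\\Users\\bob\\Downloads\\invoice.exe"
rename|WS01|C:\\Users\\bob\\Documents\\report.docx|C:\\Users\\bob\\Documents\\report.docx.magic
rename|WS01|C:\\Users\\bob\\Pictures\\cat.jpg|C:\\Users\\bob\\Pictures\\cat.jpg.magic
rename|WS01|C:\\Users\\bob\\Desktop\\notes.txt|C:\\Users\\bob\\Desktop\\notes.txt.magic
proc|WS01|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
proc|WS02|C:\\Windows\\explorer.exe|"C:\\Program Files\\7-Zip\\7zFM.exe"
rename|WS02|C:\\Users\\ann\\draft.txt|C:\\Users\\ann\\final.txt
"""

# Matches the shadow-copy wipe the article attributes to deleteMyProgram.bat.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RENAME_THRESHOLD = 3  # assumed tuning value: .magic renames per host before alerting


def is_excluded_path(path):
    """True if the article's skip rule ($, C:\\Windows, c:\\program) would leave this path alone."""
    p = path.lower()
    return "$" in p or "c:\\windows" in p or "c:\\program" in p


def detect(telemetry):
    """Return sorted (host, alert) tuples for Magic-like activity in the telemetry."""
    alerts = set()
    magic_renames = Counter()
    for line in telemetry.splitlines():
        kind, host, first, second = line.split("|", 3)
        if kind == "proc" and VSSADMIN_DELETE.search(second):
            alerts.add((host, "shadow copy deletion"))
        elif kind == "rename" and second.lower().endswith(".magic"):
            magic_renames[host] += 1
    for host, count in magic_renames.items():
        if count >= RENAME_THRESHOLD:
            alerts.add((host, f"{count} files renamed to .magic"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, alert in detect(SAMPLE_TELEMETRY):
        print(f"{host}: {alert}")
```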
The ransomware also places ransom notes on the desktop, providing victims with information on what has happened and on what they need to do to decrypt their files. The actors behind the ransomware use a static bitcoin payment address, which has had no payments sent to it as of yet.