Educational Ransomware Abused by Cybercriminals

A piece of file-encrypting ransomware whose source code was released last year by its author for educational purposes has been leveraged by cybercriminals.

One of the threats developed using the source code has a flawed encryption mechanism that might make it impossible for victims to recover their files, but the author of the educational ransomware believes he can crack it since his code includes backdoors.

In August 2015, Turkey-based hacker Utku Sen released the source code for Hidden Tear, a tool described as a “ransomware-like file crypter sample which can be modified for specific purposes.” The Hidden Tear source code was accompanied by a legal warning that said the tool should only be used for educational purposes.

As expected, cybercriminals ignored the warning and used the Hidden Tear source code to create their own file-encrypting ransomware. One of these threats is Ransom_Cryptear.B, a piece of malware detected by Trend Micro on a Paraguayan website apparently compromised by a Brazilian black hat hacker.

The compromised website was set up to serve Cryptear disguised as an Adobe Flash Player installer. Once it infects the system, the ransomware changes the desktop background to a ransom note written in Portuguese demanding 2,000 Brazilian reals ($500) from victims.

Cryptear generates a decryption key and saves it in a text file before encrypting the files on the victim’s system. However, since text files are on the list of file types targeted by the ransomware, the decryption key is also encrypted, making it very difficult for users to recover their files even if they pay the ransom, Trend Micro said in a blog post.

Cryptear doesn’t appear to be the only piece of ransomware leveraging the Hidden Tear source code. The Linux ransomware Linux.Encoder, whose encryption mechanism was easily cracked by researchers, is also based on it.

Utku Sen revealed in November that he released the source code for beginners and students who want to understand how ransomware works, but he also designed it as a “honeypot for script kiddies.”

The expert said he intentionally weakened Hidden Tear’s encryption so that files can be recovered without paying the ransom, which has happened in the case of Linux.Encoder. Malware developers released three versions of Linux.Encoder and none of them have a strong file encryption mechanism.

Utku Sen told SecurityWeek that he just learned about Ransom_Cryptear.B, but the expert believes he might be able to decrypt the files if Trend Micro shares the sample with him.

“All my malware codes are backdoored on purpose,” he said via email. “The purpose is to reduce the risk which is caused by script kiddies. I can defeat most of the samples if the antivirus companies ask for my help. Otherwise I need to find the ransomware sample on my own, which takes time. Sometimes I can’t because the crooks sell the ransomware for money.”

Still, security experts believe that releasing the Hidden Tear source code wasn’t a good decision.

“The security industry should be very careful when releasing information that could be used by threat actors. Even if the intentions of security researchers or security vendors are to educate the public, they need to carefully assess the risks prior to the release of possibly harmful information,” Trend Micro said.

Security researcher Yonathan Klijnsma protested the open sourcing of the project from day one and he even filed an abuse report with GitHub to have it removed.

“There is no educational purpose for releasing source code for a piece of ransomware,” Klijnsma told SecurityWeek. “Cryptographic implementations to secure files, sure, ransomware no. We have too much to deal with already, you really don’t want to help anyone in that business.”

Furthermore, the researcher believes that by disclosing how he weakened the crypto implementation, the author of Hidden Tear made it possible for malicious actors to make some changes and create a “proper” ransomware.