Malware & Threats

Educational Ransomware Abused by Cybercriminals

A piece of file-encrypting ransomware whose source code was released last year by its author for educational purposes has been leveraged by cybercriminals.

A piece of file-encrypting ransomware whose source code was released last year by its author for educational purposes has been leveraged by cybercriminals.

One of the threats developed using the source code has a flawed encryption mechanism that might make it impossible for victims to recover their files, but the author of the educational ransomware believes he can crack it since his code includes backdoors.

In August 2015, Turkey-based hacker Utku Sen released the source code for Hidden Tear, a tool described as a “ransomware-like file crypter sample which can be modified for specific purposes.” The Hidden Tear source code was accompanied by a legal warning that said the tool should only be used for educational purposes.

As expected, cybercriminals ignored the warning and used the Hidden Tear source code to create their own file-encrypting ransomware. One of these threats is Ransom_Cryptear.B, a piece of malware detected by Trend Micro on a Paraguayan website apparently compromised by a Brazilian black hat hacker.

The compromised website was set up to serve Cryptear disguised as an Adobe Flash Player installer. Once it infects the system, the ransomware changes the desktop background to a ransom note written in Portuguese demanding 2,000 Brazilian reals ($500) from victims.

Cryptear generates a decryption key and saves it in a text file before encrypting the files on the victim’s system. However, since text files are on the list of file types targeted by the ransomware, the decryption key is also encrypted, making it very difficult for users to recover their files even if they pay the ransom, Trend Micro said in a blog post.

Cryptear doesn’t appear to be the only piece of ransomware leveraging the Hidden Tear source code. The Linux ransomware Linux.Encoder, whose encryption mechanism was easily cracked by researchers, is also based on it.

Utku Sen revealed in November that he released the source code for beginners and students who want to understand how ransomware works, but he also designed it as a “honeypot for script kiddies.”

The expert said he intentionally weakened Hidden Tear’s encryption so that files can be recovered without paying the ransom, which has happened in the case of Linux.Encoder. Malware developers released three versions of Linux.Encoder and none of them have a strong file encryption mechanism.

Utku Sen told SecurityWeek that he just learned about Ransom_Cryptear.B, but the expert believes he might be able to decrypt the files if Trend Micro shares the sample with him.

“All my malware codes are backdoored on purpose,” he said via email. “The purpose is to reduce the risk which is caused by script kiddies. I can defeat most of the samples if the antivirus companies ask for my help. Otherwise I need to find the ransomware sample on my own, which takes time. Sometimes I can’t because the crooks sell the ransomware for money.”

Still, security experts believe that releasing the Hidden Tear source code wasn’t a good decision.

“The security industry should be very careful when releasing information that could be used by threat actors. Even if the intentions of security researchers or security vendors are to educate the public, they need to carefully assess the risks prior to the release of possibly harmful information,” Trend Micro said.

Security researcher Yonathan Klijnsma protested the open sourcing of the project from day one, and he even filed an abuse report with GitHub to have it removed.

“There is no educational purpose for releasing source code for a piece of ransomware,” Klijnsma told SecurityWeek. “Cryptographic implementations to secure files, sure, ransomware no. We have too much to deal with already, you really don’t want to help anyone in that business.”

Furthermore, the researcher believes that by disclosing how he weakened the crypto implementation, the author of Hidden Tear made it possible for malicious actors to make some changes and create a “proper” ransomware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
