Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Encryption Flaw Used to Crack Cryptear Ransomware

The author of the open source ransomware named “Hidden Tear” claims he has managed to break the encryption of Cryptear.B, a threat built using his code.

The author of the open source ransomware named “Hidden Tear” claims he has managed to break the encryption of Cryptear.B, a threat built using his code.

Turkey-based security researcher Utku Sen released in August 2015 the source code of Hidden Tear, a piece of file-encrypting ransomware designed for educational purposes. Since he suspected that his creation might be abused by cybercriminals, Sen intentionally weakened the encryption in Hidden Tear so that victims could recover their files without paying the ransom demanded by malicious actors.

One of the threats based on Hidden Tear is Linux.Encoder, the first ransomware designed to target Linux systems. Researchers at Bitdefender cracked Linux.Encoder’s encryption for each of the three versions released by cybercriminals.

Last week, security firm Trend Micro reported finding another piece of ransomware based on Hidden Tear. The threat, detected as Ransom_Cryptear.B, demanded 2,000 Brazilian reals ($500) from victims using a ransom note written in Portuguese.

The problem with Cryptear.B is that in addition to the victim’s files, it also encrypts a text file containing the decryption key. Since this key is not sent to the attacker, it’s very difficult to recover encrypted files even if the ransom is paid, Trend Micro noted.

After obtaining a Cryptear.B sample, Sen determined that the ransomware is based on Hidden Tear Offline Edition, a version designed to work on computers that don’t have an Internet connection.

Since Hidden Tear Offline is designed to work with a removable USB drive, the encryption key is supposed to be copied to the USB drive, which is why Cryptear.B doesn’t send the key to the attacker before encrypting it.

However, Sen says Hidden Tear Offline also has a backdoor that can be used to recover encrypted files. The encryption seed can be obtained from the timestamp of an encrypted file, which makes it relatively easy to recover the key needed for decryption.

“All my malware codes are backdoored on purpose,” Sen told SecurityWeek last week after learning of Trend Micro’s report on Cryptear.B. “The purpose is to reduce the risk which is caused by script kiddies. I can defeat most of the samples if the antivirus companies ask for my help.”

While Sen said he released Hidden Tear for educational purposes, some experts believe it wasn’t a wise decision. One of them is security researcher Yonathan Klijnsma, who provided Sen a Cryptear.B sample for analysis.

“There is no educational purpose for releasing source code for a piece of ransomware,” Klijnsma told SecurityWeek. “Cryptographic implementations to secure files, sure, ransomware no. We have too much to deal with already, you really don’t want to help anyone in that business.”

Klijnsma also pointed out that since the Turkish hacker disclosed how he weakened the crypto implementation in Hidden Tear, he made it possible for malicious actors to make the changes necessary to create a more efficient ransomware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.