Encryption Flaw Used to Crack Cryptear Ransomware

The author of the open source ransomware named “Hidden Tear” claims he has managed to break the encryption of Cryptear.B, a threat built using his code.

Turkey-based security researcher Utku Sen released in August 2015 the source code of Hidden Tear, a piece of file-encrypting ransomware designed for educational purposes. Since he suspected that his creation might be abused by cybercriminals, Sen intentionally weakened the encryption in Hidden Tear so that victims could recover their files without paying the ransom demanded by malicious actors.

One of the threats based on Hidden Tear is Linux.Encoder, the first ransomware designed to target Linux systems. Researchers at Bitdefender cracked Linux.Encoder’s encryption for each of the three versions released by cybercriminals.

Last week, security firm Trend Micro reported finding another piece of ransomware based on Hidden Tear. The threat, detected as Ransom_Cryptear.B, demanded 2,000 Brazilian reals ($500) from victims using a ransom note written in Portuguese.

The problem with Cryptear.B is that in addition to the victim’s files, it also encrypts a text file containing the decryption key. Since this key is not sent to the attacker, it’s very difficult to recover encrypted files even if the ransom is paid, Trend Micro noted.

After obtaining a Cryptear.B sample, Sen determined that the ransomware is based on Hidden Tear Offline Edition, a version designed to work on computers that don’t have an Internet connection.

Since Hidden Tear Offline is designed to work with a removable USB drive, the encryption key is supposed to be copied to the USB drive, which is why Cryptear.B doesn’t send the key to the attacker before encrypting it.

However, Sen says Hidden Tear Offline also has a backdoor that can be used to recover encrypted files. The encryption seed can be obtained from the timestamp of an encrypted file, which makes it relatively easy to recover the key needed for decryption.

“All my malware codes are backdoored on purpose,” Sen told SecurityWeek last week after learning of Trend Micro’s report on Cryptear.B. “The purpose is to reduce the risk which is caused by script kiddies. I can defeat most of the samples if the antivirus companies ask for my help.”

While Sen said he released Hidden Tear for educational purposes, some experts believe it wasn’t a wise decision. One of them is security researcher Yonathan Klijnsma, who provided Sen a Cryptear.B sample for analysis.

“There is no educational purpose for releasing source code for a piece of ransomware,” Klijnsma told SecurityWeek. “Cryptographic implementations to secure files, sure, ransomware no. We have too much to deal with already, you really don’t want to help anyone in that business.”

Klijnsma also pointed out that since the Turkish hacker disclosed how he weakened the crypto implementation in Hidden Tear, he made it possible for malicious actors to make the changes necessary to create a more efficient ransomware.