A new variant of the EDA2 educational ransomware has emerged, only to be quickly neutralized, despite its creator’s confidence that he would never get caught.
The ransomware encrypts users' files with AES and appends the .locked extension to them. It then drops ransom notes on the infected computer informing victims that they need to pay 0.5 bitcoin to get their files back.
The ransomware spread via a link posted alongside a YouTube video that advertised a Far Cry Primal crack. The link purported to point to the game crack, but the file was laced with ransomware, and as soon as it was executed it encrypted the user's files instead.
Bragging about his ability to infect computers with the ransomware, the developer also said in the ransom note that he would never get caught and that any attempts by users to get help from the community would be futile.
As it turns out, the ransomware infected over 650 computers, though an analysis of the Bitcoin wallet associated with the campaign revealed that only three victims had paid the ransom to date. The good news is that all victims can recover their files for free, because the malware developer made two major mistakes.
One was attempting to shame victims while bragging about his superior skills; the other was building the ransomware on EDA2's code. Created by Utku Sen last year and available as open source for several months, EDA2 was designed for educational purposes and included a backdoor in its command-and-control (C&C) server code.
Once the new malware was found to have been built on EDA2, Sen was contacted and asked to use the backdoor to connect to the C&C server. Soon after, he announced that he had been able not only to retrieve all the keys from the malware author's server, but also to convert them into working decryption keys.
The decryption keys were immediately published online and victims can use them, along with the Hidden Tear Decryptor, to restore their files, as detailed in this forum thread. The ransomware appears to be no longer working, with its C&C server also said to have been shut down.
This is only one of the ransomware variants that spawned from EDA2 and Hidden Tear, the two pieces of educational ransomware created by Utku Sen. Some of the most widely used of these variants include Magic, Linux.Encoder, and Cryptear.B, yet the security flaw included in the original code allowed researchers to easily create decryption tools.
Soon after news on these security vulnerabilities emerged, the group behind the Magic ransomware began blackmailing the creator of Hidden Tear and EDA2 in an attempt to have both open-source malware variants taken offline. Sen pulled the code for both and also committed to helping users who fell victims of ransomware based on his creations.
