New EDA2-Based Ransomware Easily Neutralized

A new variant of the EDA2 educational ransomware has emerged, only to be quickly neutralized, despite its creator’s confidence that he would never get caught.

The ransomware encrypts users’ data with AES and appends the .locked extension to the encrypted files. It then drops ransom notes on the infected computer informing users that they need to pay 0.5 bitcoins to get their files back.

The ransomware spread via a link associated with a YouTube video detailing a Far Cry Primal crack; the link claimed to point to the video game crack, but the file was laced with ransomware and, as soon as it was executed, it encrypted the user’s files instead.

Bragging about his ability to infect computers with the ransomware, the developer also said in the ransom note that he would never get caught and that any attempts by users to get help from the community would be futile.

As it turns out, the ransomware infected over 650 computers, but an analysis of the Bitcoin wallet associated with the campaign revealed that only three victims have paid the ransom to date. The good news is that all victims can recover their files for free, because the malware developer made some major mistakes.

One was the attempt to shame victims while bragging about superior skills; the other was the use of EDA2’s code to build the ransomware. Created by Utku Sen last year and available as open source for several months, EDA2 was designed for educational purposes and included a backdoor in the command-and-control (C&C) server code.

Once the new piece of malware was discovered to have been built based on EDA2, Sen was contacted to use the backdoor to connect to the C&C server. Soon after, he announced that he was able not only to retrieve all the keys from the malware author’s server, but also to convert them into proper decryption keys.

The decryption keys were immediately published online and victims can use them, along with the Hidden Tear Decryptor, to restore their files, as detailed in this forum thread. The ransomware appears to be no longer working, with its C&C server also said to have been shut down.

This is only one of the ransomware variants that spawned from EDA2 and Hidden Tear, the two pieces of educational ransomware created by Utku Sen. Some of the most widely used variants include Magic, Linux.Encoder, and Cryptear.B, yet the security flaw included in the original code allowed researchers to easily create decryption tools.

Soon after news of these security vulnerabilities emerged, the group behind the Magic ransomware began blackmailing the creator of Hidden Tear and EDA2 in an attempt to have both open-source malware projects taken offline. Sen pulled the code for both and also committed to helping users who fell victim to ransomware based on his creations.
