Variants Spawn From Hidden Tear Ransomware

Hidden Tear, the so-called educational ransomware that was released as Open Source in August 2015, has been used to create more than two dozen spin-offs, Kaspersky Lab researchers warn.

Hidden Tear, along with EDA2, is the creation of Otku Sen, who decided to pull the code from the public last week, after being blackmailed by malware creators. However, ransomware based on the code of these two educational malware has emerged before that, such as Magic, Linux.Encoder, and Cryptear.B , the latter already found to be easy to crack because of an encryption flaw.

While having a closer look at one of the Hidden Tear variants discovered, namely Trojan-Ransom.MSIL.Tear, Kaspersky Lab discovered 24 additional samples in the same class, Jornt van der Wiel notes in a recent post.

The release of the educational ransomware in open source was likely to result in actual malware being developed based on it, but the interesting thing is that their makers did not bother to resolve flaws that were included in the original code. Thus, these malicious programs are more of a nuisance rather than serious threats to users, though they are still capable of doing harm.

Meant to show how ransomware works, Hidden Tear was designed to encrypt only files located in a “test” directory on the desktop and wouldn’t encrypt anything if the directory didn’t exist. One of the spin-offs, Trojan-Ransom.MSIL.Tear.c, was created to encrypt all the files with a certain extension located on the Desktop.

Another sample, called Trojan-Ransom.MSIL.Tear.f and also known as KryptoLocker, was using public key cryptography. In addition to that, the security researchers discovered that the malware author did not use a command and control (C&C) server, but asked the victims to e-mail him instead, so he could ask for the ransom.

Further analysis revealed two variants that use a proper C&C server, namely Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, while previous samples used a server with an internal IP address. Moreover, the researchers found that two samples, namely Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same C&C.

One of the variants were found to be looking specifically for files located in the “MicrosoftAtom” directory and to encrypt them, while others were found encrypting files but not storing the key anywhere.

Kaspersky Lab researchers note that, overall, Hidden Tear completely missed its purpose, as researchers can understand how ransomware works even without it. Nevertheless, had cybercriminals bothered to improve the code, it wouldn’t have been that easy in some cases to recover keys and decrypt files for free.

Although the samples presented here were not often spotted in the wild, and the number of victims remains relatively low, the malware could be enhanced quite easily. Things then become worrisome, especially when copy cats use well developed and sophisticated malware to target victims.

Ransomware is more than just a nuisance, but can be potentially debilitating and freeze critical assets and intellectual property, Wade Williamson, Director of Product Marketing at Vectra Networks, noted in November .

As Scott Gainey, Senior Vice President and Chief Marketing Officer at SentinelOne, explains in a recent SecurityWeek column , that ransomware has shifted from consumers to businesses to extort larger ransoms for unlocking encrypted files.