Variants Spawn From Hidden Tear Ransomware

Hidden Tear, the so-called educational ransomware that was released as Open Source in August 2015, has been used to create more than two dozen spin-offs, Kaspersky Lab researchers warn.

Hidden Tear, along with EDA2, is the creation of Utku Sen, who decided to pull the code from the public last week after being blackmailed by malware creators. However, ransomware based on the code of these two educational projects had already emerged before that, including Magic, Linux.Encoder, and Cryptear.B, the latter already found to be easy to crack because of an encryption flaw.

While having a closer look at one of the Hidden Tear variants discovered, namely Trojan-Ransom.MSIL.Tear, Kaspersky Lab discovered 24 additional samples in the same class, Jornt van der Wiel notes in a recent post.

The release of the educational ransomware in open source was likely to result in actual malware being developed based on it, but the interesting thing is that their makers did not bother to resolve flaws that were included in the original code. Thus, these malicious programs are more of a nuisance rather than serious threats to users, though they are still capable of doing harm.

Meant to show how ransomware works, Hidden Tear was designed to encrypt only files located in a “test” directory on the desktop and wouldn’t encrypt anything if the directory didn’t exist. One of the spin-offs, Trojan-Ransom.MSIL.Tear.c, was created to encrypt all the files with a certain extension located on the Desktop.

Another sample, called Trojan-Ransom.MSIL.Tear.f and also known as KryptoLocker, was using public key cryptography. In addition, the security researchers discovered that the malware author did not use a command and control (C&C) server, but instead asked the victims to e-mail him so that he could demand the ransom.

Further analysis revealed two variants that use a proper C&C server, namely Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, while previous samples used a server with an internal IP address. Moreover, the researchers found that two samples, namely Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same C&C.


One of the variants was found to look specifically for files located in the “MicrosoftAtom” directory and encrypt them, while others were found to encrypt files without storing the key anywhere.

Kaspersky Lab researchers note that, overall, Hidden Tear completely missed its purpose, as researchers can understand how ransomware works even without it. Nevertheless, had cybercriminals bothered to improve the code, it wouldn’t have been that easy in some cases to recover keys and decrypt files for free.

Although the samples presented here were not often spotted in the wild, and the number of victims remains relatively low, the malware could be enhanced quite easily. Things then become worrisome, especially when copycats use well-developed and sophisticated malware to target victims.

Ransomware is more than just a nuisance and can be potentially debilitating, freezing critical assets and intellectual property, Wade Williamson, Director of Product Marketing at Vectra Networks, noted in November.

As Scott Gainey, Senior Vice President and Chief Marketing Officer at SentinelOne, explains in a recent SecurityWeek column, ransomware has shifted from consumers to businesses in order to extort larger ransoms for unlocking encrypted files.
