Hidden Tear, the so-called educational ransomware that was released as open source in August 2015, has been used to create more than two dozen spin-offs, Kaspersky Lab researchers warn.
Hidden Tear, along with EDA2, is the work of Utku Sen, who pulled the code from public view last week after being blackmailed by malware creators. Ransomware based on these two educational projects had already emerged before that, including Magic, Linux.Encoder and Cryptear.B, the last of which was found to be easy to crack because of an encryption flaw.
While having a closer look at one of the Hidden Tear variants discovered, namely Trojan-Ransom.MSIL.Tear, Kaspersky Lab discovered 24 additional samples in the same class, Jornt van der Wiel notes in a recent post.
Releasing an educational ransomware as open source was always likely to result in real malware being built on it. The interesting part is that the authors of these spin-offs did not bother to fix the flaws deliberately left in the original code. As a result, these programs are more of a nuisance than a serious threat to users, though they are still capable of doing harm.
Meant to show how ransomware works, Hidden Tear was designed to encrypt only files located in a “test” directory on the desktop and wouldn’t encrypt anything if the directory didn’t exist. One of the spin-offs, Trojan-Ransom.MSIL.Tear.c, was created to encrypt all the files with a certain extension located on the Desktop.
Another sample, Trojan-Ransom.MSIL.Tear.f, also known as KryptoLocker, uses public key cryptography. The researchers also found that its author did not use a command and control (C&C) server at all, but instead asked victims to e-mail him so that he could demand the ransom.
Further analysis revealed two variants that use a proper C&C server, namely Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, while previous samples used a server with an internal IP address. Moreover, the researchers found that two samples, namely Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same C&C.
One of the variants was found to look specifically for files in the “MicrosoftAtom” directory and encrypt them, while others encrypt files without storing or transmitting the key anywhere, which leaves even the attacker with no way to decrypt them.
Kaspersky Lab researchers note that, overall, Hidden Tear completely missed its stated purpose, as researchers can understand how ransomware works without it. Nevertheless, had the cybercriminals bothered to improve the code, it would not have been so easy in some cases to recover the keys and decrypt files for free.
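The article does not describe the flaw itself, so the following Python is an added illustration (it is not code from Hidden Tear, from Kaspersky Lab or from any sample named above) of the general category of mistake that makes free key recovery possible: the encryption key is derived from a pseudorandom generator seeded with a value an analyst can bound, here a timestamp. The defender side searches the small seed window and confirms the candidate against a known file header. The key schedule, the HMAC-based stream cipher standing in for AES, the salt, the seed window and the sample file are all constructed for this demo and are assumptions, not details of any real sample.

```python
import hashlib
import hmac
import random
import string

# Everything below is constructed for illustration; it is not the key schedule
# of Hidden Tear or of any sample named in the article.
CHARSET = string.ascii_letters + string.digits
SALT = b"constructed-fixed-salt"   # a hard-coded salt adds nothing once the password is guessable
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # known plaintext a defender can expect at the start of a .png


def password_from_seed(seed: int, length: int = 15) -> str:
    """Weak 'random' password: fully determined by a small integer seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def key_from_password(password: str) -> bytes:
    """Key stretching does not help when the effective password space is a few thousand seeds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher built from HMAC-SHA256 (stand-in for AES so the demo needs only stdlib)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_like_spinoff(plaintext: bytes, infection_time: int) -> bytes:
    """What a flawed sample does: seed the PRNG with the clock and never store the key."""
    key = key_from_password(password_from_seed(infection_time))
    return keystream_xor(key, plaintext)


def recover_key(ciphertext: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Defender side: try every seed in the window and confirm with the known plaintext prefix.

    Returns (seed, key) on success, or None if no seed in the window matches."""
    n = len(known_prefix)
    for seed in range(seed_lo, seed_hi + 1):
        key = key_from_password(password_from_seed(seed))
        if keystream_xor(key, ciphertext[:n]) == known_prefix:
            return seed, key
    return None


def demo():
    """Encrypt a constructed file, then recover it using only the file's timestamp window."""
    plaintext = PNG_MAGIC + b"constructed sample file contents"
    infection_time = 1_450_000_000      # constructed epoch-seconds value
    ciphertext = encrypt_like_spinoff(plaintext, infection_time)
    # The encrypted file's modification time bounds the seed to within a few minutes.
    hit = recover_key(ciphertext, PNG_MAGIC, infection_time - 600, infection_time + 600)
    if hit is None:
        return None
    seed, key = hit
    return seed, keystream_xor(key, ciphertext)


if __name__ == "__main__":
    seed, recovered = demo()
    print(f"recovered seed {seed}: {recovered!r}")
```

The point the search makes is that the cost of a brute-force recovery is set by the entropy of the seed, not by the strength of the cipher or the key-derivation function sitting on top of it; a sample that draws its key from a real CSPRNG and ships it to a C&C server under the attacker's public key gives the defender nothing to search.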
Although the samples described here have rarely been spotted in the wild and the number of victims remains relatively low, the malware could be enhanced quite easily. Things become worrisome when copycats move on to well-developed and sophisticated malware to target victims.
Ransomware is more than just a nuisance; it can be debilitating, freezing critical assets and intellectual property, Wade Williamson, Director of Product Marketing at Vectra Networks, noted in November.
As Scott Gainey, Senior Vice President and Chief Marketing Officer at SentinelOne, explains in a recent SecurityWeek column, ransomware has shifted from targeting consumers to targeting businesses in order to extort larger ransoms for unlocking encrypted files.