Menu
Faulty ransomware renders files unrecoverable, even by the attacker

Faulty ransomware renders files unrecoverable, even by the attacker

The malware is based on publicly released, proof-of-concept code

A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims' files being completely unrecoverable.

Researchers from antivirus vendor Trend Micro recently spotted a new file-encrypting ransomware program distributed as a Flash Player update through a compromised website in Paraguay.

After they analyzed the program's code, they realized that it was a modification of a proof-of-concept file encryptor application called Hidden Tear that was published on GitHub in August by a Turkish security enthusiast.

Hidden Tear comes with a disclaimer that the code may only be used for education purposes and a warning that people using it as ransomware could go to jail.

Not surprisingly, cybercriminals don't care much about disclaimers or jail warnings, so it wasn't long before the code was used to create ransomware programs.

First, some Reddit users pointed out similarities between Hidden Tear and Linux.Encoder, a ransomware program targeting Web servers. The similarities included a flaw in the encryption implementation that made recovering affected files possible without paying the ransom.

After facing understandable criticism for releasing the code, the Hidden Tear author said in a blog post in November that one of his intentions was to create a trap for unskilled cybercriminals and that the flawed encryption was intentional.

True or not, it seems that the code is doing more harm than good.

Called RANSOM_CRYPTEAR.B, the ransomware program distributed from the website in Paraguay is also based on Hidden Tear, but its creator, supposedly a Brazilian hacker, has made a serious error, according to the Trend Micro researchers.

Once executed on a computer, RANSOM_CRYPTEAR.B generates an encryption key and saves it in a file on the computer's desktop. It then proceeds to encrypt files with certain extensions, including the file where the encryption key is stored, before sending it to the attacker.

This makes it essentially impossible to recover the files, as the key itself gets encrypted, probably by mistake, the Trend Micro researchers said in a blog post.

In other words, users infected with the program will not be able to recover their files in the absence of backups, even if they decide to pay the ransom.

Sharing information about how various threats work is important in order to understand them and to protect users, but releasing sample code publicly is not needed for that goal, the Trend Micro researchers said.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Reseller News ICT Industry Awards 2017 - Meet the winners...

Reseller News ICT Industry Awards 2017 - Meet the winners...

Reseller News honoured the industry’s finest on a standout evening for the New Zealand channel, recognising the achievements of established and emerging partners on a memorable night in Auckland.

Reseller News ICT Industry Awards 2017 - Meet the winners...
Show Comments