Faulty ransomware renders files unrecoverable, even by the attacker

The malware is based on publicly released, proof-of-concept code

A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims' files being completely unrecoverable.

Researchers from antivirus vendor Trend Micro recently spotted a new file-encrypting ransomware program distributed as a Flash Player update through a compromised website in Paraguay.

After they analyzed the program's code, they realized that it was a modification of a proof-of-concept file encryptor application called Hidden Tear that was published on GitHub in August by a Turkish security enthusiast.

Hidden Tear comes with a disclaimer that the code may only be used for education purposes and a warning that people using it as ransomware could go to jail.

Not surprisingly, cybercriminals don't care much about disclaimers or jail warnings, so it wasn't long before the code was used to create ransomware programs.

First, some Reddit users pointed out similarities between Hidden Tear and Linux.Encoder, a ransomware program targeting Web servers. The similarities included a flaw in the encryption implementation that made recovering affected files possible without paying the ransom.

After facing understandable criticism for releasing the code, the Hidden Tear author said in a blog post in November that one of his intentions was to create a trap for unskilled cybercriminals and that the flawed encryption was intentional.

True or not, it seems that the code is doing more harm than good.

Called RANSOM_CRYPTEAR.B, the ransomware program distributed from the website in Paraguay is also based on Hidden Tear, but its creator, supposedly a Brazilian hacker, has made a serious error, according to the Trend Micro researchers.

Once executed on a computer, RANSOM_CRYPTEAR.B generates an encryption key and saves it in a file on the computer's desktop. It then proceeds to encrypt files with certain extensions, including the file where the encryption key is stored, before sending it to the attacker.

This makes it essentially impossible to recover the files, as the key itself gets encrypted, probably by mistake, the Trend Micro researchers said in a blog post.

In other words, users infected with the program will not be able to recover their files in the absence of backups, even if they decide to pay the ransom.

Sharing information about how various threats work is important in order to understand them and to protect users, but releasing sample code publicly is not needed for that goal, the Trend Micro researchers said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?