Shoddy Ransomware Destroys User’s Files


A ransomware strain based on the open source Hidden Tear ransomware is infecting users, encrypting their files and losing the encryption key along the way, leaving the files unrecoverable even if the victim pays.

Last August, Turkish security researcher Otku Sen open-sourced on GitHub the code of a home-made ransomware he had created for educational purposes.

This particular ransomware was named Hidden Tear and, according to its author's blog post, was meant as a honeypot to lure ransomware authors into reusing his code instead of writing their own.

The trick was that Hidden Tear contained a deliberate crypto flaw that would allow the researcher to decrypt the files later on if someone ever used his code in the wild.

Hidden Tear spawned RANSOM_CRYPTEAR.B

According to Trend Micro's security team, someone did: the creators of the ransomware strain the company identifies as RANSOM_CRYPTEAR.B.

Between September 15 and December 17, this group hijacked a website from Paraguay and used it to redirect visitors to a lookalike Adobe Flash website that served a booby-trapped Flash Player update.

Users who downloaded the fake update saw the file execute as soon as the download finished, and within minutes they were infected with crypto-ransomware that encrypted most of their data files.

RANSOM_CRYPTEAR.B was losing the encryption key

The bad part was that the ransomware's authors mangled Hidden Tear's code in the process, and the result threw away the encryption key instead of sending it to their C&C server. With the key never stored anywhere, neither the attackers nor the victims could decrypt the files.

This shoddy behavior did not matter to the ransomware's authors, who were more interested in collecting the Bitcoin payment (around $500) than in providing a working way to decrypt files once the ransom was paid.

Even though the author of Hidden Tear had built a secret backdoor into its encryption routine, that backdoor was useless here, because the key it was meant to help recover had been lost as well.

This is not the first case of a ransomware strain that breaks its own encryption: last November, a version of the Power Worm ransomware also managed to lose its encryption key, permanently locking user files in the same way.

Infection process for RANSOM_CRYPTEAR.B
