EDA2 Open-Source Ransomware Code Used in Real-Life Attacks

Share this…

Another educational open-source ransomware project goes bad.

Cyber-crooks have used the open-source code of the EDA2 ransomware to create the Magic ransomware strain, which has been spotted in real-life attacks against users in the past few days.

This is the second time this happens, after the open-sourced code of the Hidden Tear ransomware was also deployed in live attacks around two weeks ago via the RANSOM_CRYPTEAR.B ransomware family.

EDA2 Open-Source Ransomware Code Used in Real-Life Attacks

No happy ending for Magic ransomware victims

Creator of both projects is Turkish security researcher Utku Sen, who says that both his projects, Hidden Tear and EDA2, were published only for educational purposes.

For RANSOM_CRYPTEAR.B victims, the story had a happy ending, as Utku Sen revealed that he purposely left an encryption flaw in the ransomware’s code, which other security researchers used to help out ransomware victims.

However, there is no happy ending for Magic ransomware victims, who currently have no way of recovering their files, even if they pay the ransom. More on this later.

How Magic ransomware works

First ransomware victims appeared on Reddit and then the Bleeping Computer tech support forums. There is still no info on how the ransomware infects users, but we know that it adds the .magic extension to the files it encrypts, hence its name.

The encryption algorithm is AES, meaning it uses the same key to encrypt and later decrypt the files. Unfortunately, this encryption key is not stored on the computer but sent to a remote C&C server.

Luckily, the address of this C&C server could be extracted from the ransomware’s code. Unfortunately, the C&C servers were hosted on a free hosting service. We say “unfortunately” because someone reported the ransomware’s author account, and most free hosting services do not only suspend users that break their rules but also delete their data.

Yes, you read that right. All the encryption keys were deleted, which means that nobody can decrypt those files now, not even the ransomware’s author.

No encryption backdoor in EDA2 (Magic)

We did mention above that Utku Sen left an encryption flaw in the Hidden Tear project. This did not happen in EDA2. Softpedia contacted the researcher, who was in the process of penning a blog post on this issue, having previously been alerted that his EDA2 code made its way into the hands of some criminal gang.

As the researcher revealed, the EDA2 ransomware project did not only come with the actual ransomware’s code and instructions on how to customize but was a complete crime kit and also included a PHP-based admin panel where all the encryption keys were sent.

Utku thought that, this time, he would put a fully working encryption module in the ransomware but leave a backdoor in the admin panel, which would allow him to access the database and steal the encryption keys if any malware author ever thought of using his open-source EDA2 project.

Since the C&C servers have been taken down, the backdoor account is now useless. Unless the free hosting provider pulls a rabbit out of a hat and mysteriously finds a backup of the data, all Magic ransomware encrypted files are gone for good.

It appears that open-source ransomware is a terrible idea

“From what I can tell just looking through the code, it is unlikely there will be a way to fix it,” says Fabian Wosar, an Emsisoft security researcher who previously managed to crack different ransomware families.

At the moment, the infosec community does not seem to be very appreciative of Utku Sen’s decision to open-source his ransomware experiments.

He only published two “educational” ransomware projects, but both were quickly nabbed by malware authors and used for non-educational purposes. Despite his best intentions, his experiment failed in a disastrous way.

“I realized my mistake at that moment. I left everything on criminal’s hands. It should have been mistake-proof,” says Utku about not including an encryption flaw in the source and deciding to go with a backdoor to the admin panel.

“I removed all the files and commits of Eda2 project. Since nobody has discovered the backdoor to Eda2, I won’t reveal it right now. Because we may deal with new Eda2 implementations in future,” he also added, “I’m sorry, I failed this time.”