id2956933digitalkey1100600829orig
Security

Faulty ransomware renders files unrecoverable, even by the attacker

A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims' files being completely unrecoverable.

Researchers from antivirus vendor Trend Micro recently spotted a new file-encrypting ransomware program distributed as a Flash Player update through a compromised website in Paraguay.

After they analyzed the program's code, they realized that it was a modification of a proof-of-concept file encryptor application called Hidden Tear that was published on GitHub in August by a Turkish security enthusiast.

Hidden Tear comes with a disclaimer that the code may only be used for education purposes and a warning that people using it as ransomware could go to jail.

Not surprisingly, cybercriminals don't care much about disclaimers or jail warnings, so it wasn't long before the code was used to create ransomware programs.

First, some Reddit users pointed out similarities between Hidden Tear and Linux.Encoder, a ransomware program targeting Web servers. The similarities included a flaw in the encryption implementation that made recovering affected files possible without paying the ransom.

After facing understandable criticism for releasing the code, the Hidden Tear author said in a blog post in November that one of his intentions was to create a trap for unskilled cybercriminals and that the flawed encryption was intentional.

True or not, it seems that the code is doing more harm than good.

Called RANSOM_CRYPTEAR.B, the ransomware program distributed from the website in Paraguay is also based on Hidden Tear, but its creator, supposedly a Brazilian hacker, has made a serious error, according to the Trend Micro researchers.

Once executed on a computer, RANSOM_CRYPTEAR.B generates an encryption key and saves it in a file on the computer's desktop. It then proceeds to encrypt files with certain extensions, including the file where the encryption key is stored, before sending it to the attacker.

This makes it essentially impossible to recover the files, as the key itself gets encrypted, probably by mistake, the Trend Micro researchers said in a blog post.

In other words, users infected with the program will not be able to recover their files in the absence of backups, even if they decide to pay the ransom.

Sharing information about how various threats work is important in order to understand them and to protect users, but releasing sample code publicly is not needed for that goal, the Trend Micro researchers said.

IDG Insider

PREVIOUS ARTICLE

« HBO to get new episodes of 'Sesame Street' months before they run on PBS

NEXT ARTICLE

Comcast bugs BYO modem user with browser pop-ups suggesting an upgrade »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech

Poll

Do you think your smartphone is making you a workaholic?