Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list

Nothing is nice about this EDA2-based variant.

Evil Santa Ded Cryptor ransomware places victims on the 'naughty' list

Researchers have spotted a new crypto-ransomware called “Ded Cryptor” that is placing users on its “naughty” list and encrypting their files.

Originally identified by malware researcher Michael Gillespie, the ransomware has a little fun when it infects a user’s machine.

As Lawrence Abrams explains in his post for Bleeping Computer:

This ransomware has been around for quite a while and targets both Russian and English speaking victims. When installed, the victims desktop will be changed to show an evil looking Santa having a good time while it encrypts your files. Ded Cryptor will change the wallpaper of the Windows desktop to an image that contains the ransom amount and the email address, dedcrypt@sigaint.org, which the victim is told to email for payment instructions.”


All users infected by the ransomware are asked to pay two Bitcoins, which is approximately US $1500.

At this time, it’s unclear how Ded Cryptor is distributed.

What’s apparent, however, is that the authors behind this ransomware have put some thought into its encryption algorithm.

Aside from using AES-RSA to encrypt an infected machine’s files, Ded Cryptor is based off of EDA2, a file-encrypting project developed by security researcher Utku Sen which produced the Magic ransomware fiasco back in January.

Sen decided to abandon EDA2 shortly thereafter.

Since then, researchers like Abrams have used a method to recover files encrypted by EDA2-based ransomware. But Ded Cryptor’s authors were one step ahead, as Abrams explains:

Though EDA2 ransomware have been commonly seen in the past, this particular variant removed the method that we could use to retrieve the keys. Furthermore, it also contains an unused namespace called DarthEncrypt, which appears to be the malware developer’s attempt to create a new encryption method for the EDA2 ransomware.”

At this time, there is no way for victims to recover any files encrypted by Ded Cryptor for free.

With that in mind, users should focus on ransomware prevention by exercising caution around suspicious links and email attachments, maintaining an up-to-date anti-virus solution on their computers, implementing software updates as soon as they become available, and backing up their data on a regular basis (just in case).

Tags: , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, ,

2 Responses

  1. jhgsjhdgd

    June 21, 2016 at 10:40 am #

    »>At this time, there is no way for victims to recover any files decrypted by Ded Cryptor for free.

    should read “recover any files encrypted by Ded Cryptor”?

    • Graham Cluley in reply to jhgsjhdgd.

      June 21, 2016 at 10:42 am #

      Thanks - I’ve updated the article to correct that typo. :)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.