Ransomware author tries to blackmail security researcher into taking down 'educational' malware project

Hacker in shadows
The author of the Magic ransomware unsuccessfully attempted to blackmail a security researcher into taking down two open-source 'educational' malware projects on GitHub.

Magic, a malicious program which is written in C# and which demands 1 Bitcoin from its victims, is the second strain of ransomware discovered in January to have been built on malware that has been made available to the public for 'educational' purposes.

The first threat, Ransom_Cryptear.B, is based on an open-source project called Hidden Tear, which is currently hosted by Turkish security researcher Utku Sen on his GitHub page.

Hidden Tear

Hidden tear warning

According to Security Week, Sen was able to break the encryption algorithm of the Ransom_Cryptear.B malware soon after its discovery due to a flaw he had intentionally left in Hidden Tear's code. Sen ultimately used that flaw to recover victims' files without requiring them to pay the ransom.

The story of the Magic ransomware does not have such a happy ending for users, however.

The Magic ransomware strain is based on EDA2, another file-encrypting project developed by Sen, which contains the code for the ransomware executable and the encryption algorithm, as well as a PHP web panel that acts as the command and control (C&C) server for storing victims' encryption keys.

Server urls

However, it soon became apparent that only amateur attackers were the ones likely to be using the Magic ransomware as Lawrence Abrams of Bleeping Computer explains:

"That means that instead of using robust and hidden Command & Control servers, these distributors use C2 servers hosted on free web sites services. Though this means that they can easily be taken down, it also means that the free web hosting provider may delete the decryption key databases before security researchers or the authorities can access them. If this database is deleted, then the victims lose the ability to retrieve their keys."

Unfortunately, that's exactly what happened in the case of Magic.

Softpedia reports that a free hosting service got wise to what the Magic ransomware author was doing and (perhaps unsurprisingly) went on to suspend the user and delete all of their data, including the encryption keys.

In a recent blog post by Utku Sen, the researcher explains how the incident has convinced him to abandon his EDA2 project:

"I realized my mistake at that moment. I left everything on criminal’s hands. It should have been mistake-proof. I might had implement a backdoor which copies the database to another server in case of account suspension etc. Now, even criminals can’t recover the datas."

The researcher went on to inform his readers that he had removed all files and commits pertaining to the EDA2 project.

Deletemyprogram bat

Quite the unfortunate turn of events. But that's not where the story ends.

As it turns out, the ransomware author had a backup of the encryption keys and agreed to release all of them for free on two conditions: that Utku Sen pay him three Bitcoins (currently approximately US $1200), and that he also take down his Hidden Tear GitHub project.

Ultimately, Sen says he was able to convince the attacker to drop the Bitcoin payment, and nothing has happened since that agreement was made.

Curious about the current status of things, Softpedia reached out to Sen, who has since provided the following update:

"When I checked their code I saw lots of Putin supporting statement in Russian. I think that they are doing this bad stuff just for blaming me because I'm a Turkish guy. It seems all about politics as they said the same thing on the [Bleeping Computer] forum. I talked with them. They said Magic ransomware was for letting me know their power [in the] community. They asked for me to take down Hidden Tear. Maybe because Hidden Tear project has damaged their business because they are selling ransomware. They didn't tell me any reason, so I refused. Because I know that if I accept this demand, they will demand something more since it's political. I will work hard on beating their implementation because they still didn't find my backdoor."

Whether Sen is able to recover the victims' files without working with the ransomware author remains to be seen. However, what is abundantly clear is Sen's foolishness in releasing ransomware code as open-source. Though such a move might have educational motives at heart, this will not stop malicious and inexperienced attackers from co-opting the ransomware code for their own purposes.

Going forward, researchers should never make ransomware code available beyond the labs where they study it. Ordinary users will surely benefit in the long run.

flickr photo shared by dustball under a Creative Commons ( BY-NC ) license

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , , ,

3 Responses

  1. coyote

    January 28, 2016 at 12:40 am #

    Clearing the screen by sending a DOS command and the same for deleting a file ?

    I wish I could say I didn't know what happened to programming skills but sadly I do … I can understand (I guess … at least sort of) not wanting to write code for pinging but the other things I can't. I could understand it if it was a script but actual programming that has the shell do things for you ?

    Pathetic. That's what it is.

    Yeah, I know, some will say I'm being too critical, being arrogant, whatever else but this type of ineptitude is the same ineptitude of the same magnitude of things that simply should never happen in 'security' (e.g. the hard-coded 12345768 password in Lenovo as was written about recently). It's going the easy way out rather than doing things right; it's letting others do the work: when you're programming you should be doing the work (this involves thinking) and not relying on others because if you rely on others you're not thinking as much and if you're not thinking as much you're going to make more mistakes (a library is very different from sending a command to the console).

  2. Mark Jacobs

    January 28, 2016 at 11:11 am #

    Agreed, Coyote! If they can send arbitrary commands to a console interpreter, then I can send it "format c:" – they are ruddy idiots!

    • coyote in reply to Mark Jacobs.

      January 28, 2016 at 11:55 pm #

      You forgot to confirm it though. Was it something like:

      format C: /y

      ?

      I honestly can't recall and I consider it a privilege that I only rarely have to deal with Microsoft products (including 'drive letters').

      It's true that clearing the screen is (can be) very much a console-specific thing but if you're going to do it through programming do it through programming ('do the job properly'). Deleting a file is very basic programming regardless of the language whether C# or any system or application based language (even assembly would work for this without too much effort – at least deleting a file by itself – as long as you know the architecture and instruction set[1]). What is a programming language that can't deal with file systems ? What kind of world is it when programmers can't do delete a file without passing a command to an interpreter ?

      I would be embarrassed to publish code like this (even if I felt it was ethical to do so). Of course there are times where it is acceptable ('reasonable') to send a command to the interpreter (while programming) but when you rely on the interpreter to do the work (especially basic tasks) there is a problem. Maybe he's only very much a beginner but if he is he's going about learning it the wrong way.

      [1] It's not a matter of the language but how you would do it (in this case deleting a file).

Leave a Reply