The author of the Magic ransomware unsuccessfully attempted to blackmail a security researcher into taking down two open-source ‘educational’ malware projects on GitHub.
Magic, a malicious program written in C# that demands 1 Bitcoin from its victims, is the second strain of ransomware discovered in January to have been built on malware made available to the public for ‘educational’ purposes.
The first threat, Ransom_Cryptear.B, is based on an open-source project called Hidden Tear, which is currently hosted by Turkish security researcher Utku Sen on his GitHub page.
According to Security Week, Sen was able to break Ransom_Cryptear.B’s encryption soon after its discovery thanks to a flaw he had intentionally left in Hidden Tear’s code, and he used that flaw to recover victims’ files without their having to pay the ransom.
The story of the Magic ransomware does not have such a happy ending for users, however.
The Magic ransomware strain is based on EDA2, another file-encrypting project developed by Sen, which contains the code for the ransomware executable and the encryption routine, as well as a PHP web panel that acts as the command and control (C&C) server and holds the only copy of each victim’s encryption key.
However, it soon became apparent that the people distributing Magic were likely to be amateurs, as Lawrence Abrams of Bleeping Computer explains:
“That means that instead of using robust and hidden Command & Control servers, these distributors use C2 servers hosted on free web site services. Though this means that they can easily be taken down, it also means that the free web hosting provider may delete the decryption key databases before security researchers or the authorities can access them. If this database is deleted, then the victims lose the ability to retrieve their keys.”
Unfortunately, that’s exactly what happened in the case of Magic.
Softpedia reports that a free hosting service got wise to what the Magic ransomware author was doing and (perhaps unsurprisingly) went on to suspend the user and delete all of their data, including the encryption keys.
In a recent blog post by Utku Sen, the researcher explains how the incident has convinced him to abandon his EDA2 project:
“I realized my mistake at that moment. I left everything in the criminals’ hands. It should have been mistake-proof. I might have implemented a backdoor which copies the database to another server in case of account suspension etc. Now, even the criminals can’t recover the data.”
The researcher went on to inform his readers that he had removed all files and commits pertaining to the EDA2 project.
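To make the design flaw Sen describes concrete, here is an added example in Python; it is not code from EDA2, Hidden Tear or Magic. It models the key lifecycle only: the C&C panel is an in-memory dictionary rather than a PHP site, the cipher is an HMAC-SHA256 keystream standing in for the projects' real encryption code, and all names (`KeyServer`, `infect`, `recover`, `scenario`) and the sample document are constructed for this illustration. The first scenario is the one that played out with Magic (the host deletes the key database and nobody can decrypt); the second adds the database mirroring Sen says he could have built in.

```python
import hashlib
import hmac
import secrets

# Constructed sample "victim file"; not taken from any real infection.
SAMPLE_DOCUMENT = b"constructed sample document for the key-escrow demo"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: XOR data with HMAC-SHA256(key, offset) blocks.

    Stand-in for the AES code in the real projects. Encryption and decryption
    are the same operation, so the key is all that separates victim from file.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class KeyServer:
    """Models the PHP panel: a victim_id -> key database on a free hosting account.

    `mirrors` models the "backdoor which copies the database to another server"
    that Sen describes; an empty list is the design Magic actually shipped with.
    """

    def __init__(self, mirrors=()):
        self.db = {}
        self.mirrors = list(mirrors)

    def store(self, victim_id: str, key: bytes) -> None:
        self.db[victim_id] = key
        for mirror in self.mirrors:
            mirror.store(victim_id, key)

    def fetch(self, victim_id: str) -> bytes:
        if self.db is None:
            raise LookupError("account suspended: key database deleted")
        return self.db[victim_id]  # KeyError (a LookupError) if never stored

    def suspend(self) -> None:
        """The hosting provider suspends the account and wipes its data."""
        self.db = None


def infect(victim_id: str, plaintext: bytes, server: KeyServer) -> bytes:
    """Encrypt with a fresh random key, upload the key, keep no local copy."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_xor(key, plaintext)
    server.store(victim_id, key)
    del key  # the only surviving copy is whatever the server (and mirrors) hold
    return ciphertext


def recover(victim_id: str, ciphertext: bytes, server: KeyServer):
    """Decrypt using the escrowed key, or None if the key cannot be fetched."""
    try:
        key = server.fetch(victim_id)
    except LookupError:
        return None
    return keystream_xor(key, ciphertext)


def scenario(mirrored: bool):
    """Run one infection, then have the free host suspend the C&C account.

    Returns (recovered_via_c2, recovered_via_backup); None means unrecoverable.
    """
    backup = KeyServer()
    c2 = KeyServer(mirrors=[backup] if mirrored else [])
    ciphertext = infect("victim-1", SAMPLE_DOCUMENT, c2)
    c2.suspend()
    return recover("victim-1", ciphertext, c2), recover("victim-1", ciphertext, backup)


if __name__ == "__main__":
    print("no mirror :", scenario(False))   # (None, None): keys gone for good
    print("with mirror:", scenario(True))   # (None, SAMPLE_DOCUMENT): backup still has the key
```

The point for defenders is the same one Abrams makes: when the only key store sits on a throwaway free-hosting account, takedown and data loss are the same event, so capturing the key database (or the key at the moment it is uploaded) before the provider acts is the only recovery path short of the attacker's goodwill.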
Quite the unfortunate turn of events. But that’s not where the story ends.
As it turns out, the ransomware author had a backup of the encryption keys and agreed to release all of them for free on two conditions: that Utku Sen pay him three Bitcoins (currently approximately US $1200), and that he also take down his Hidden Tear GitHub project.
Ultimately, Sen says he was able to convince the attacker to drop the Bitcoin payment, and nothing has happened since that agreement was made.
Curious about the current status of things, Softpedia reached out to Sen, who has since provided the following update:
“When I checked their code I saw lots of Putin-supporting statements in Russian. I think that they are doing this bad stuff just to blame me because I’m a Turkish guy. It seems all about politics as they said the same thing on the [Bleeping Computer] forum. I talked with them. They said Magic ransomware was for letting me know their power [in the] community. They asked me to take down Hidden Tear. Maybe because the Hidden Tear project has damaged their business because they are selling ransomware. They didn’t tell me any reason, so I refused. Because I know that if I accept this demand, they will demand something more since it’s political. I will work hard on beating their implementation because they still didn’t find my backdoor.”
Whether Sen is able to recover the victims’ files without working with the ransomware author remains to be seen. What is abundantly clear, however, is that Sen was foolish to release ransomware code as open source. Such a move might have educational motives at heart, but that will not stop malicious or inexperienced attackers from co-opting the code for their own purposes.
Going forward, researchers should never make ransomware code available beyond the labs where they study it. Ordinary users will surely benefit in the long run.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.