Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list

Nothing is nice about this EDA2-based variant.

David Bisson

Researchers have spotted a new crypto-ransomware called “Ded Cryptor” that is placing users on its “naughty” list and encrypting their files.

Originally identified by malware researcher Michael Gillespie, the ransomware has a little fun when it infects a user’s machine.

As Lawrence Abrams explains in his post for Bleeping Computer:

“This ransomware has been around for quite a while and targets both Russian and English speaking victims. When installed, the victim's desktop will be changed to show an evil looking Santa having a good time while it encrypts your files. Ded Cryptor will change the wallpaper of the Windows desktop to an image that contains the ransom amount and the email address, [email protected], which the victim is told to email for payment instructions.”


All users infected by the ransomware are asked to pay two Bitcoins, which is approximately US $1500.

At this time, it’s unclear how Ded Cryptor is distributed.

What’s apparent, however, is that the authors behind this ransomware have put some thought into its encryption algorithm.

Aside from using AES-RSA to encrypt an infected machine’s files, Ded Cryptor is based on EDA2, a file-encrypting project developed by security researcher Utku Sen, which produced the Magic ransomware fiasco back in January.

Sen decided to abandon EDA2 shortly thereafter.

Since then, researchers like Abrams have used a method to recover files encrypted by EDA2-based ransomware. But Ded Cryptor’s authors were one step ahead, as Abrams explains:

“Though EDA2 ransomware have been commonly seen in the past, this particular variant removed the method that we could use to retrieve the keys. Furthermore, it also contains an unused namespace called DarthEncrypt, which appears to be the malware developer’s attempt to create a new encryption method for the EDA2 ransomware.”

At this time, there is no way for victims to recover any files encrypted by Ded Cryptor for free.

With that in mind, users should focus on ransomware prevention by exercising caution around suspicious links and email attachments, maintaining an up-to-date anti-virus solution on their computers, implementing software updates as soon as they become available, and backing up their data on a regular basis (just in case).

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Evil Santa Ded Cryptor ransomware places victims on the ‘naughty’ list”

  1. jhgsjhdgd

    >>>At this time, there is no way for victims to recover any files decrypted by Ded Cryptor for free.

    should read “recover any files encrypted by Ded Cryptor”?

    1. Graham Cluley · in reply to jhgsjhdgd

      Thanks – I've updated the article to correct that typo. :)
