Ransomware author’s bravado shot down by release of decryption keys

“You’ll never be able to find me. Police will never be able to find me.”

David bisson
David Bisson

Computer shadow

Security researchers have put a pompous computer criminal in their rightful place after releasing the decryption keys for their ransomware.

Lawrence Abrams of Bleeping Computer writes that the ransomware, which was released last week, encrypts users’ files using AES encryption, appends the .LOCKED extension to all files, and demands that victims pay a fee of 0.5 BTC (approximately US $210) in exchange for the decryption key. All things considered, a pretty standard piece of malware…

…with a truly annoying developer behind it.

Sign up to our free newsletter.
Security news, advice, and tips.

In their ransom note, the extortionist prides themselves on their experience creating malware and on their success in hiding from the authorities. You can read the message in full here, but provided below is a selection of some of the developer’s more “self-assured” comments:

Ransomware message

“You’ll never be able to find me. Police will never be able to find me. Go ahead and try them if you like, but don’t expect your data back. They will be concerned about helping the community, not with helping you meet your deadline. If they say they need to keep your desktop for a few days, well lol, you probably won’t be seeing your machine again soon, let alone your data. I’ve been doing this for five years now and haven’t been caught yet.”

“…Just be thankful that it wasn’t worse. I could have asked for more money. I could have been working for ISIS and saving that money to behead children. I could have been a mean SOB and just destroyed your data outright. Am I those things? No. I just need the money to live off of (true story) and don’t care at all about the hacker ‘community’. So there isn’t anyone you will be protecting by sacrificing yourself. I’ll just encrypt more people’s data to make up for the loss.”

That’s more than enough to get anyone’s blood boiling.

Fortunately, the developer has since been served their just desserts.

Though they succeeded in infecting 700 victims over the course of one day, including three users who ended up paying the ransom fee, the ransomware author originally based their malware on EDA2, a file-encrypting project which found itself in hot water earlier this year when a criminal used it to develop the ransomware known as Magic.

Eda2 abandoned

Utku Sen, the man behind the project, intentionally inserted a backdoor into his code when he first developed EDA2 to make sure he could check potential abuses of his code. It is this backdoor access Sen leveraged in this particular case to obtain a list of decryption keys, which are now available for download.

Decryption keys

To be sure, some thanks are owed to Utku Sen for helping the hundreds of users affected by this ransomware. However, it’s worth noting that none of this would have happened if the researcher hadn’t published his EDA2 project online in the first place.

Malware analysis is a good thing. It teaches us about how online threats continue to evolve on a day-to-day basis.

Even so, only researchers with abundant technical expertise should be able to access samples of malicious code. Malware should never be published online for any reason; bad actors will always find a way to co-opt the code for their own nefarious purposes.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

15 comments on “Ransomware author’s bravado shot down by release of decryption keys”

  1. Techno

    Worries about ransomware etc. has led me to create another local account on my Windows 10 home computer without administrator privileges for everyday browsing, but doing this proved a lot of hassle:

    – Microsoft constantly tries to get you to create an online account rather than just a local account on the computer
    – It was created with US keyboard settings by default, so wrong characters appear when pressing certain keys, and adding UK settings is actually quite a hassle
    – there is no option to import any settings from the administrator account, so you have to set everything up the way you like it all over again

    I am quite computer savvy so I could sort these things out by searching for answers online, but Microsoft really should make this simple security step much easier, they have a long way to go.

  2. scot

    lol @ receiving his "just deserts" I though he got caught.

  3. jscottu

    I would support the death penalty for these hacker criminals.

    1. coyote · in reply to jscottu

      I'm afraid that says much more about your character than those who are only profiting at the expense of those who refuse to backup and (in the cases where the perpetrator says they won't target again) those who think malware actually would be discriminate (the names 'virus', 'worm' and 'trojan horse', 'backdoor' and others are all named appropriately and they were named for those reasons).

      And your last two words are rather offensive and if nothing else misguided. No, these people aren't worthy of the title 'hacker' – not even in the long time meaning of dishonour/disgrace. This person didn't even write it all himself. He reminds me of the old groups full of script kiddies who thought they were skilled/impressive because they found a host was vulnerable to an exploit (that they did not write) and were so impressive they did a mass defacement simply as if they had compromised them all individually. Most of the defaced pages were terribly written, too, and that is more than their message. They too were full of themselves and said they'd never be caught … and many (if not most) did get caught.

      1. Arcadian · in reply to coyote

        why should anyone back up?!??! Viruses should not be made!! regardless of what you think. Anyone who makes these virus and exploits should be shot first hand. Nothing but problems for the simple users just trying to go on living, when some punk wants to enact revenge. that punk should be jailed and electrocuted by his nipples.

        1. coyote · in reply to Arcadian

          Because hard drives fail. That's one reason. Because of human error (humans aren't perfect you see, and you're a great example, questioning the need for backing up). That's another reason. Because you wouldn't want pictures lost of loved ones. That's another. I could list more reasons but instead I'll end it as thus:

          Only fools will willingly take risks by not backing up. Much like those who are in favour of the death penalty have no problem with the another death whilst simultaneously condemning death camps (or similarly paramilitaries executing people .. perhaps the IRA? I don't mind if continuity IRA or the provisional IRA .. or any others; maybe you'd prefer the Sturmabteilung ? List goes on) to hell. The fact innocents have been executed should be more than enough but it unfortunately isn't understood by people – like yourself. Note: 'should' doesn't necessarily equate to 'reality'. The sooner people realise this the better (it's such a simple concept that it's somewhat baffling so many don't understand it … until I then remember the lack of intelligence of humans on a whole). The fact of the matter is malware does exist and you can face it responsibly or you can complain and do nothing (= whine). Choose your poison … or your virus (and it seems you prefer the latter).

        2. Bob · in reply to Arcadian

          Why backup Arcadian?

          Because you have (to name a few):

          device failure, viruses, malicious damage, volume and directory glitches, transfer corruption, lightning strike/voltage surge, theft, fire or water damage and human error.

          Need I go on?

          If it's not backed up then it's clearly not that important to you.


  4. TechnoT

    If you were really all that you think you are and truly computer savvy, when you first setup that computer, you would have changed the administrator name and password right away, setup a user account and started using the user account immediately, not running on the admin account at all!

    Get over yourself. You have a lot to learn, grasshopper!

    1. coyote · in reply to TechnoT

      Well to be fair… he could have just set it up. (S?)he wasn't exactly 100% clear. It's true though that one should never stay logged in as administrator (or equivalent) – but it's something that many do. Also, unless I'm mistaken, ransomware can still encrypt user files as a user (after all, it is their files). Certainly it should be very possible. (Although I do admit your point is still valid)

  5. coyote

    'I've been doing this for five years now and haven't been caught yet.'

    I admit we all are guilty of pleonasms but that one is really amusing. Obviously you weren't writing that in jail (okay I suppose it could happen but then you'd have been caught so your point would be false). You could just as well say 'I have been doing this for five years.' or even 'I've been doing this for years.' and you could shorten it further with a bit of work.

    'You'll never be able to find me. Police will never be able to find me.'

    I wish I had the smallest amount of any currency in the world for the amount of times I've read or heard that and then proven false… because I'd be filthy rich (not that I truly feel the need or desire to be rich). The fact they finally uncovered who Jack the Ripper was … well, only a complete moron would believe they'll never be caught. Especially moronic when you actually are bragging about your exploits. Shouldn't have wasted your neurons.

    'Go ahead and try them if you like, but don't expect your data back. They will be concerned about helping the community, not with helping you meet your deadline.'

    Technically a police officer helping someone would be part of helping the community. The problem: police forces aren't relevant to data recovery. They are however relevant to putting idiots like you away.

    'I will delete the necessary code for all time and I don't even have to revisit your machine to do it.'

    Only neophytes do things manually when there are alternatives… You spend the time to delete them? I suppose it's more like you have it scheduled but I'm enjoying going after your statements. And if you truly visited their machine (as you've implied with 'revisit') then you'd also be guilty of trespassing. And only idiots admit laws they've broken (sort of like you've done). Your malware infected them but the only thing you did is release it. You personally didn't do anything to their systems.

    'I could have been working for ISIS and saving that money to behead children.'

    Somehow I suspect that IS would have no problem doing you in, too, especially if you come from the west.

    'I could have been a mean SOB and just destroyed your data outright.'

    Very often data that's been directly destroyed isn't so difficult to recover (of course depending on how it's done) versus corrupted with no source so one might argue that it in some ways that would have been nicer; certainly it wouldn't give them as much stress and worry about the time frame (they'd only pray they regularly backup) etc. You could also be called 'mean' for any number of things. I don't think mean is the right word though: you're only very weak, very stupid and demonstrate extreme cowardice. I'm sure your mother is really proud of you, too.

    'Don't click on any file from the internet that isn't a piece of data like (jpg, txt, doc) or you better really know where that file came from.'

    Always amuses me when people try to profess things they are sure of when they're simultaneously demonstrating they're extremely ignorant. Extensions don't mean anything (hence file headers amongst other things) and the fact at least some Windows (by default) cut off the extension means : file.txt.com would be shown as file.txt which makes it seem to be text but actually isn't. Also, because of some brain dead ideas of developers of some viewers (e.g. of graphics) actually executing code … and since you can hide data (which might be code [and code and data relate to each other]) in other files, it means you could run into problems. This is pretty basic too, much like yourself: that you prey on the innocent shows how basic you are (you don't even want a challenge, too afraid to meet your match, arrogant, etc.).

    'Am I those things? No.'

    No. You're a coward.

    ' I just need the money to live off of (true story) and don't care at all about the hacker "community".'
    I.e. a weak coward. And pointing out obvious things in a vain attempt at making yourself look better; you don't even respect yourself – that is very obvious (whether it is to you or not is another matter).

    The last part of your sentence is obvious also because if you don't care about or respect yourself you won't care about others or respect others, generally speaking. And there is a community – or at least there used to be.

    'or I might not know who it was that paid in order to rescue them.'

    You might want to check the dictionary more often. Rescue? Putting someone in a dangerous situation but giving them a way (a nasty way too) to escape is not rescuing them. Since you'd go on to do it to more people it is even less rescuing; you're attacking people, attacking them because of weakness and cowardice.

    'Back up your files in case the encryption thief visits you.'

    Harsh way to teach it but admittedly that's usually how it goes with backups. But that and the antivirus remark are about the only intelligent things you've written.

    1. ric · in reply to coyote

      Hey coyote, you're quite a stickler for "correctness," and seem to have a hobby of collecting self contradictory pronouncements. Here's another one for you: "I wish I had the smallest amount of any currency in the world for the amount of times I've read or heard that and then proven false…"
      That's you, using "amount" instead of "number." You can look it up– it's related to the "fewer vs. less" problem. In any case, well educated English speakers know a poseur when they read one.

      1. coyote · in reply to ric

        I'm also familiar with those, yes. Funny that you actually make the assumption I don't know my own writing when I see it (you really don't need to point it out; I am not suffering from any kind of amnesia although I appreciate the concern).

        However: unlike you I'm not perfect. The fact I am sleep deprived for years (something that maybe one day you'll understand but if not consider yourself extremely fortunate that you don't wake up 5, 6, 7+ times a night) makes me very lucky that I can ever function in any form (and it takes a lot of effort). But thank you; I'm always humbled when I come across perfect people – an exceedingly rare breed. I'm especially privileged when they're also arrogant (which I note I can be but it certainly wasn't my intent with the post and if you actually read the full thing you should be able to recognise some of my points, especially since you're beyond mere mortals). Incidentally, I actually pointed out that we're all guilty of a specific kind of error – and that error being one in writing and speaking. I was proven wrong, however, in part: I didn't know about you so I must say everyone except 'ric'.

        Edit: In addition, I don’t care to impress people as you seem to suggest (poseur); in real life I’m actually a recluse. How many recluses do you know at all (I’m going to say you don’t know any)? How many recluses do you know that try to impress people? I tend to avoid attention of any kind. More assumptions on your part.

  6. coyote

    'However, it's worth noting that none of this would have happened if the researcher hadn't published his EDA2 project online in the first place.'

    In which case they'd simply choose another project… so at least this one there was some help. You should consider that, too, because it's much better that ransomware campaigns are undermined than not.

  7. MichaelB

    I have two out board hard drives and everything is backed up as necessary. Those are backed up from a (two) 128 gb thumb-drive. That allows a time frame before downloading to the HD. Those HDs are always off when I'm online. I run my security program once a week. I never open attachments unless I am 100% positive. If it's a notice from my bank, (or whomever) I go to their site from my home page.

    I take precautions that will prevent me from wishing I had if things go south and I didn't.

  8. Jeffrey Goldberg

    It's not me! Sure the note writer uses two spaces after a full stop. And, sure, their use of commas is erratic. And they enjoy explaining what they've done. And they like using open source. But really, it isn't me.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.