Security researchers have put a pompous computer criminal in their rightful place after releasing the decryption keys for their ransomware.
Lawrence Abrams of Bleeping Computer writes that the ransomware, which was released last week, encrypts users’ files using AES encryption, appends the .LOCKED extension to all files, and demands that victims pay a fee of 0.5 BTC (approximately US $210) in exchange for the decryption key. All things considered, a pretty standard piece of malware…
…with a truly annoying developer behind it.
In their ransom note, the extortionist prides themselves on their experience creating malware and on their success in hiding from the authorities. You can read the message in full here, but provided below is a selection of some of the developer’s more “self-assured” comments:
“You’ll never be able to find me. Police will never be able to find me. Go ahead and try them if you like, but don’t expect your data back. They will be concerned about helping the community, not with helping you meet your deadline. If they say they need to keep your desktop for a few days, well lol, you probably won’t be seeing your machine again soon, let alone your data. I’ve been doing this for five years now and haven’t been caught yet.”
“…Just be thankful that it wasn’t worse. I could have asked for more money. I could have been working for ISIS and saving that money to behead children. I could have been a mean SOB and just destroyed your data outright. Am I those things? No. I just need the money to live off of (true story) and don’t care at all about the hacker ‘community’. So there isn’t anyone you will be protecting by sacrificing yourself. I’ll just encrypt more people’s data to make up for the loss.”
That’s more than enough to get anyone’s blood boiling.
Fortunately, the developer has since been served their just deserts.
The ransomware author succeeded in infecting 700 victims over the course of one day, including three users who ended up paying the ransom fee. However, they had originally based their malware on EDA2, a file-encrypting project which found itself in hot water earlier this year when a criminal used it to develop the ransomware known as Magic.
Utku Sen, the man behind the project, intentionally inserted a backdoor into his code when he first developed EDA2 so that he could keep a check on potential abuses of it. It is this backdoor access that Sen leveraged in this particular case to obtain a list of decryption keys, which are now available for download.
To be sure, some thanks are owed to Utku Sen for helping the hundreds of users affected by this ransomware. However, it’s worth noting that none of this would have happened if the researcher hadn’t published his EDA2 project online in the first place.
Malware analysis is a good thing. It teaches us about how online threats continue to evolve on a day-to-day basis.
Even so, only researchers with abundant technical expertise should be able to access samples of malicious code. Malware should never be published online for any reason; bad actors will always find a way to co-opt the code for their own nefarious purposes.