24 Ransomware were already created based on the open source malware Hidden Tear

History of Turkish researcher Utku Sen and his open source malware continues. Recently hackers blackmailing forced the developer to remove from GitHub two ransomware applications created and published “for educational and research purposes”: Hidden Tear and EDA2. Apparently, Sen made a big mistake by opening a public access to those ransomware examples. Experts from Kaspersky Lab reported that based on Sen’s open source malware has been operating at least 24 of real ransomware.

Earlier it was reported that based on Turkish researcher’s solution were created ransomware such as Ransom_Cryptear.B and Magic. Encryption algorithm of the first ransomware was eventually cracked by Sen, who left a backdoor in his own code, as well as by various experts in the field of information security. But with the second malware Sen screwed by putting a backdoor in EDA2 control panel, which was not the best idea. All attempts to crack the encryption and save the files of Magic victims has failed. As a result, the developer was forced to apologize to all the victims and to remove the EDA2 ransomware code from GitHub.

In the end of January 2016, the second unexpected incident happened: the real hackers started to blackmail the developer, demanding to remove the source code of Hidden Tear malware from the GitHub. As a result, Sen made a deal with hackers. They promised to decrypt files of all the victims of Magic ransomware for free and Turkish researcher removed the Hidden Tear from open access.

Now it turns out that everyone interested already downloaded the source code of the ransomware long before its removal from GitHub. Experts from Kaspersky Lab said that at least 24 ransomware have been created based on Hidden Tear source code.

One of the members of the new family – ransomware Trojan-Ransom.MSIL.Tear.c was changed so that it only encrypts files found on desktop computers. Another example – Trojan-Ransom-MSIL.Tear.f also known as KryptoLocker. This ransomware forces victims to contact the authors of the Trojan by email and also lies about the encryption algorithm that was used to encrypt the files.

The worst thing is that not all malware, created on the basis of Sen’s source code, works correctly. Thus, the version Trojan-Ransom_MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q encrypting files, but doesn’t save or send anywhere the encryption keys, which means that victims will lose the data forever.

Trojans versions Trojan-Ransom.MSIL.Tear. r up to Trojan-Ransom.MSIL.Tear.v work even more interesting: they send encryption keys to the command server example.com! Obviously, virus writers have simply forgotten to change domain in the code, leaving the value that was used as an example. As a result, all of the files encrypted by these malwares are lost forever.