Flawed RANSOM_CRYPTEAR ransomware makes impossible the file recovery

Pierluigi Paganini January 14, 2016

Faulty ransomware derived from  an open source ransomware project makes files unrecoverable due to a serious coding error.

The story I’m gong to tell you is incredible, a cyber criminal gang has developed a very singular ransomware called RANSOM_CRYPTEAR.B and now I’ll tell you why?

According to the experts at TrendMicro, the Ransomware has built starting from a proof-of-concept code available online, but the cyber criminals made a serious error in the development, resulting in victims’ files being completely unrecoverable. The malware researchers analyzing the source code discovered that it was a modification of a proof-of-concept ransomware dubbed Hidden Tear that was leaked online by the Turkish coder Utku Sen for educational purpose.

It is not surprising that crooks have not missed the occasion as remarked by TrendMicro.

“Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code.” states a blog post published by  TrendMicro.

The “Hidden Tear”  is available on GitHub and it’s fully functional, it uses AES encryption to encrypt the files and displays a warning to users to pay up to get their data back.

ransomware hidden tear open source

“While this may be helpful for some, there are significant risks. The Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware!” explained utkusen,

The Features of Hidden Tear are:

  • Uses AES algorithm to encrypt files.
  • Sends encryption key to a server.
  • Encrypted files can be decrypt in decrypter program with encryption key.
  • Creates a text file in Desktop with given message.
  • Small file size (12 KB)
  • Doesn’t detected to antivirus programs (15/08/2015)

Back to the present, the singular ransomware detected by TrendMicro has been distributed as a Flash Player update through a compromised website in Paraguay.

The website in Paraguay was first compromised from Sept. 15 to Dec. 17, and it was hacked again on December 18th. The website redirects visitors to a bogus Adobe Flash download website where they are prompted to download a malicious application disguised as a new Flash Player.

Hidden-Tear Infection-Flow

Many users reported similarities between the Hidden Tear and Linux.Encoder that was specifically developed to infect Linux Web servers. In reality, both applications are affected by serious flaws, in the case of Encoder a poor software development capability allowed the security experts to decrypt files on infected machines by the Linux.Encoder.

Many problems we also discovered in the Hidden Tear, for this reason the author explained in a blog post that the bugs were intentionally introduced to trap unskilled cybercriminals.

The principal flaws discussed by the author of the Hidden Tear are Seed of Random Algorithm, the Reuse of the IV, the use of Static Salt and the fact that the key is sent to the server with an unencrypted GET request.

“Did you hear that Linux Ransomware has beaten with same flaws by Bitdefender? The developer seems to be inspired from Hidden Tear which is noticed by reddit users.” wrote the author,

“Well, I have to admit that I was expecting more. Only one person used my code and busted. But it’s something. At least we get rid of a massive attack.””I know that it wasn’t so successful honeypot project but I’m happy for reducing the damage of Linux Ransomware. I will also be happy if the newbies learn something from all of these stuff.”

Which is the error in the code of the Called RANSOM_CRYPTEAR.B?

Once executed on a victim’s machine, the RANSOM_CRYPTEAR.B generates an encryption key used to encipher the files with certain extensions, and saves it in a file on the desktop.

Then the ransomware encrypts all the files, including the one containing the encryption key before sending it to the attacker reulting impossible to recover them.

That is incredible!

Pierluigi Paganini

(Security Affairs – ransomware, RANSOM_CRYPTEAR.B)

you might also like

leave a comment