
A Case of Too Much Information: Ransomware Code Shared Publicly for “Educational Purposes”, Used Maliciously Anyway

  • Posted on: January 13, 2016 at 4:45 am
  • Posted in: Malware, Open source, Ransomware
  • Author: Trend Micro

Researchers, whether independent or working for security vendors, have a responsibility to disseminate the information they gather in a way that helps the industry as well as users. Even with the best intentions, improper disclosure of sensitive information can lead to complicated and sometimes troublesome outcomes. But what exactly counts as “proper” and “responsible” information sharing? How much is “too much information”?

In mid-August 2015, in an attempt to educate people, Turkish security researcher Utku Sen published the source code of a ransomware proof of concept dubbed “Hidden Tear” and made it available to everyone on GitHub. Hidden Tear encrypts files with AES and, being new code, was not detected by common AV products at the time. Utku Sen also published a short video demonstrating how the ransomware worked.

The creator was very specific about not using Hidden Tear as ransomware:

While this may be helpful for some, there are significant risks. Hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.

Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that was distributing ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker and that the ransomware had been built from modified Hidden Tear code.

Warnings Aren’t Cops

The website was first compromised from Sept. 15 to Dec. 17, 2015, and was compromised again on Dec. 18. The compromised site redirects visitors to a fake Adobe Flash download page that prompts them to download a new Flash Player. Once the download completes, the downloaded file runs automatically.

Figure 1. The infection vector (Hidden Tear infection flow)

The modifications found in RANSOM_CRYPTEAR.B include an image with Portuguese text that replaces the user’s desktop background. The ransom note, also written in Portuguese, demands R$ 2,000.00 (US$496.94 as of Jan. 11) via Bitcoin. Another point that makes this attack unusual is that the generated key ends up lost among the encrypted files: the malware saves the generated decryption key inside a .txt file dropped in the desktop folder, and only then starts encrypting files. Like other crypto-ransomware, this makes the files very difficult to recover, in this case even after the victim pays the ransom.

Figure 2. RANSOM_CRYPTEAR.B desktop image

Figure 3. RANSOM_CRYPTEAR.B ransom note

Sharing Responsibilities

To prevent or minimize the effects of ransomware, Trend Micro has always encouraged users to back up files regularly and to keep an up-to-date security solution, because paying the ransom is no guarantee that the encrypted files will be decrypted (for more information on ransomware, read our article Ransomware 101: What, How, and Why). However, the more interesting aspect of this incident is the circumstance that allowed the ransomware to be distributed in the first place: its source code was made available in a public space.

Even with the cautionary statement and the good intentions in mind, releasing information such as this was not reasonable. Keep in mind that many people on Deep Web and other forums also use explicit warnings as a way of washing their hands of what follows. One can even argue that forbidding the use of a certain technology or piece of knowledge makes it more attractive to cybercriminals and computer enthusiasts in general.

The security industry should be very careful when releasing information that could be used by threat actors. Even if the intention of security researchers or vendors is to educate the public, they need to carefully assess the risks before releasing potentially harmful information.

“We need to teach our kids physics, but not how to build an atomic bomb. We need to have knives in our kitchens, but not samurai swords,” says Martin Roesler, Trend Micro Senior Director for Research. “We need to share knowledge that creates understanding about potential damage, but not the ability to create it. It’s like medicine and poison—the difference between the two is just the dose. We need to share knowledge about how exploits work but not how to make use of them. We need to share knowledge of how malware works, but sharing sample code is not needed for that.

“For our industry it is, depending on each case, a decision between need to know and no need to know. Just the ‘but I want to know’ or ‘I want to share’ is not relevant. We should always share to a targeted audience, through a targeted medium, what this audience really needs. For example, we should share, via secure channels, with security vendors or vendors that are impacted by an exploit, the necessary information, up to sample level, so that they can protect users from damage. On the other hand, we should share, via public channels, to an unrestricted audience, what they need to know to protect themselves. There are different audiences, and each audience should have different channels and different ‘doses’ of information.”

SHA-1 hash of the related file:

  • fef6c212fc093c5840370826f47aa8e42197b568
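Added example, not code from the original post and not part of Hidden Tear: a small Python sweep that streams every regular file under a directory through SHA-1 and reports any whose digest is on the indicator list above. The function names and the sample file used to exercise it are assumptions made for illustration; only the hash itself comes from the post.

```python
"""IOC hash sweep: walk a directory tree, SHA-1 every file, report matches.

Added example for this post; it is not Trend Micro's tooling. The hash in
CRYPTEAR_B_SHA1 is the one published above; everything else is an assumption.
"""
import hashlib
import os
from typing import Iterable, List, Tuple

# SHA-1 published in the post for the RANSOM_CRYPTEAR.B sample.
CRYPTEAR_B_SHA1 = {"fef6c212fc093c5840370826f47aa8e42197b568"}

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are not read into memory


def sha1_of_file(path: str) -> str:
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Iterable[str] = CRYPTEAR_B_SHA1) -> List[Tuple[str, str]]:
    """Return (path, sha1) for every regular file under root whose SHA-1 is in iocs.

    Symlinks are not followed (a planted link could pull the sweep out of the
    tree) and unreadable files are skipped rather than aborting, because a
    partial result is still useful during triage. Indicator case is ignored.
    """
    wanted = {h.lower() for h in iocs}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked, vanished or permission-denied file
            if digest in wanted:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys

    # Default to the home directory, where the fake Flash installer would land.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, digest in sweep(target):
        print(f"MATCH {digest} {path}")
```

Run it against the Downloads folder of a suspect host (`python sweep.py ~/Downloads`); a match on the published digest identifies the dropped sample, while the absence of a match only says this exact build was not found, since a recompiled Hidden Tear variant hashes differently.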

With additional insights by Michael Marcos

Tags: Brazil, Hidden Tear, Open source, ransomware
