A newly discovered ransomware Trojan called Ded Cryptor is spreading quickly.
Ded Cryptor has recently hit many English- and Russian-speaking users, demanding a ransom of 2 bitcoins (about $1,300 at the time). According to experts, no way to neutralize the Trojan or recover the files it encrypts has been found yet, so refusing to pay means accepting that your files stay hostage (and paying the ransom is no guarantee of getting them back).
When Ded Cryptor lands on a machine, it changes the desktop wallpaper to a picture of an evil-looking Santa Claus and, of course, demands a ransom. One notable detail: it does not contact its command-and-control server directly. Instead, it sets up a proxy server on the infected PC and routes its requests through that. The Trojan also has a rather interesting backstory.
It all began when Utku Sen, a security researcher from Turkey, wrote a piece of ransomware and published its source code online for anyone to use. That seems strange at first, but he had a plan: he wanted security professionals to understand how cybercriminals think and, above all, how they code, hoping that this unconventional approach would help defenders prevail.
Sen first developed the Hidden Tear ransomware and then EDA2, a considerably more capable version that could also work offline. EDA2's code was likewise published on GitHub and, predictably, novice cybercriminals started using it to extort money from victims. What they did not know was that Sen had planted a backdoor in EDA2 that allowed him to extract the decryption keys and hand them to the victims. Things did not go as planned, however.
Soon, Magic, a new EDA2-based ransomware, appeared. It looked just like the original, but not quite: when Sen heard about it and tried to use his backdoor as usual, there was no way in. Both sides started negotiating, bargaining and demanding ransoms. In the end, Sen took down EDA2 and Hidden Tear, but it was too late: by then there were already 24 encryptors based on them, according to Kaspersky Lab expert Jornt van der Wiel. Kaspersky Lab products detect all Trojans based on Hidden Tear and EDA2 and warn users.
This is how Ded Cryptor emerged, assembled from various pieces of open code published on GitHub. It uses EDA2 source code, its command-and-control server is hosted in Tor for anonymity, and the code for sending requests was written by yet another developer.
Currently there is little information about the Trojan. Its developers are believed to be Russian speakers, because the ransom note is written only in English and Russian. Moreover, according to the Kaspersky Security Network, it operates mostly in Russia, followed by China, Germany, Vietnam and India.
Unfortunately, no decryption key or decryptor is available yet. At this point it is far better to prevent infection than to deal with its consequences: keep security software up to date, be wary of unexpected attachments and downloads, and maintain offline backups of important files so that encrypted data can be restored without paying.