During its development, a hidden encryption flaw was left in the Hidden Tear ransomware. Later on, Hidden Tear was used in the Linux.Encoder and Cryptear B. ransomware families, both of which were cracked by Utku and some security firms.
When this happened, the developers of the ransomware started abusing Utku’s second ransomware project, named EDA2.
Despite not having an encryption flaw, EDA2 was laced with a PHP backdoor. However, when the Magic ransomware debacle happened, this backdoor turned out to be useless, and it was only the malware creator’s good grace that allowed infected users to recover their files.
As a condition for releasing the encryption keys for free, the developer of the Magic ransomware blackmailed Utku and forced him to remove both the EDA2 and Hidden Tear projects from GitHub.
The problem is that removing the ransomware families from GitHub didn’t help at all. Kaspersky security researcher Jornt van der Wiel reports that they’ve found 24 other ransomware families which used some of Hidden Tear’s code in their make-up. Among these families is Trojan-Ransom.MSIL.Tear.c, which was specifically altered to encrypt only files found on the user’s desktop.
Trojan-Ransom.MSIL.Tear.f, also known as KryptoLocker, was asking users to email the ransomware’s author for their encryption key and was lying about the type of encryption used to lock the files.
Because they used a C&C (command and control) server, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h were a little more complex, while Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k used the same C&C server IP.
There were even more, but they all contain only small changes to the normal Hidden Tear mode of operation. The most popular of these are Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p, and Trojan-Ransom.MSIL.Tear.q, which encrypted files but never stored the encryption key anywhere, effectively losing all the victims’ files.
Much worse is the fact that all Hidden Tear variants codenamed from Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v used a C&C server located at “example.com,” sending encryption keys into thin air and dooming all the user’s files.
In other words, even if security researchers have the best intentions at heart, the cyber criminals will continue abusing their hard work.