A new “educational” ransomware named ShinoLocker was developed and presented at Black Hat 2016 by security researcher Shota Shinogi. Shinogi explains that his only intention in creating ShinoLocker was to help other security experts “understand how the popular ransomwares work from this experience. You can also test your forensics skill on retrieving the decryption key from the memory.”
We have seen good intentions like this turn wrong before. Utku Sen, an expert from Turkey, created the Hidden Tear and EDA2 ransomware and then published their source code online, where it was available to anybody. His intention was also to help security experts understand how cybercriminals think, but it all went wrong when crooks started using the code to take innocent people's money.
ShinoLocker is a ransomware simulator. The difference between ShinoLocker and a real ransomware is that it never demands a ransom in exchange for the decryption key. It was not developed for extortion but as a means for people to test how their security controls and tools perform.
Using ShinoLocker is not complicated: anyone can create their own ransomware executable by entering some basic configuration options on a web site. When executed, the generated ransomware encrypts the designated file types and then runs a command, such as vssadmin to delete Volume Shadow Copies.
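The shadow-copy deletion step described above is the behaviour a defender would most want to catch, because it precedes the point where recovery becomes hard. The following is an added example, not code from the article or from ShinoLocker: a small detector run over constructed Windows process-creation records (the shape a Sysmon Event ID 1 or Security 4688 feed provides; the `ParentImage` / `Image` / `CommandLine` field names are an assumed schema, and every record below is invented for the demonstration). It flags any command line that asks vssadmin to delete shadows, regardless of which process launched it, while leaving benign listing commands alone.

```python
"""Flag process-creation events that delete Volume Shadow Copies.

Added example (not from the article or from ShinoLocker). Records are
plain dicts with 'ParentImage', 'Image' and 'CommandLine' keys, an
assumed schema loosely modelled on Sysmon Event ID 1 fields.
"""
import re

# vssadmin (with or without .exe), followed anywhere on the line by the
# words "delete" and "shadows". Case-insensitive because cmd.exe is.
# "vssadmin list shadows" does not match, so routine administration is
# not flagged.
VSSADMIN_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    re.IGNORECASE,
)


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if the command line requests deletion of shadow copies."""
    return bool(VSSADMIN_DELETE.search(command_line))


def find_shadow_copy_deletions(events):
    """Return one finding per matching event, keeping the parent image so
    an analyst can see what spawned the deletion (a ransomware sample
    rather than an administrator's console, for instance)."""
    findings = []
    for event in events:
        command = event.get("CommandLine", "")
        if is_shadow_copy_deletion(command):
            findings.append({
                "parent": event.get("ParentImage", ""),
                "image": event.get("Image", ""),
                "command": command,
            })
    return findings


# Constructed sample telemetry; none of these paths or commands come from
# real systems or from the article.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # Deletion spawned directly by an unknown executable in Downloads.
    {"ParentImage": r"C:\Users\alice\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    # Benign: an administrator only listing existing shadow copies.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "VSSADMIN.EXE List Shadows"},
    # Same deletion wrapped in PowerShell; the regex still fires.
    {"ParentImage": r"C:\Users\alice\Downloads\sample.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "vssadmin delete shadows /for=C:"'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for finding in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"[shadow-copy deletion] parent={finding['parent']} "
              f"image={finding['image']} cmd={finding['command']}")
```

The rule is deliberately loose about the launching process: matching on the command line rather than on `Image` catches the same request when it is issued through cmd.exe or PowerShell, and the retained parent image is what tells an analyst whether an administrator or an unexpected binary asked for the deletion.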
It is true that, if the default settings are used, the encrypted files are not at risk, as there is an easy way to obtain the decryption tool and no ransom is demanded for it. All things considered, though, it would be a piece of cake for any cybercriminal wannabe to change the default parameters, and this is where it would all go wrong. Crooks would have no difficulty removing the ShinoLocker string from the ransomware, making it harder to recognize, and then using the Command & Parameter field to download a real ransom note that would most definitely demand a ransom.
We all agree that Shota Shinogi wanted to help the good guys prevail by creating this educational ransomware, but we shouldn't forget that it would be trivial for hackers to abuse it in their favor. We can only hope that history won't repeat itself.