A ransomware program called EduCrypt was recently discovered by AVG security specialist Jakub Kroustek. The program has a peculiar ethic. By definition, the purpose of ransomware is to extort a sum of money from its victims. EduCrypt breaks with that convention and makes no demands at all. Instead, it gives the user a lesson in how ransomware works.
The name EduCrypt most likely derives from the word "education". People who encounter the program are taught a lesson about online safety. EduCrypt creates a file titled README.txt and places it on the desktop. The note tells the user that they have been browsing the web without taking the necessary precautions and that, as a result, their files are now encrypted. It goes on to say there is no need to worry, because the files can easily be restored, and it provides a link to a decrypter. To use the tool, the user needs a password, which the note says is stored in another .txt document somewhere on the hard drive.
That document is called DecryptPassword.txt, and its location on the computer is %UserProfile%\Documents\DecryptPassword.txt. In practice you do not even need to open it. After examining several cases, Mr. Kroustek concluded that the password is not unique per victim: rather than going to the trouble of writing a password generator, EduCrypt uses the same password every time. The researcher has published it for everyone's convenience: HDJ7D-HF54D-8DN7D. It is still worth checking the local DecryptPassword.txt on an affected machine before relying on the published value.
Since EduCrypt is not trying to make anyone pay, it makes no real effort to deprive victims of important data. It only encrypts files in six of the main folders under the user's profile on the local C:\ drive: Desktop, Downloads, Documents, Pictures, Music and Videos. It uses the AES algorithm to render the files inaccessible and appends the .isis suffix to the name of each encrypted file.
The set of targeted file types is also limited. EduCrypt only locks files with the following extensions: .doc, .docx, .txt, .pdf, .odt, .xls, .xlsx, .ppt, .pptx, .rar, .lnk, .php, .bat, .jpg, .bmp, .png, .psd, .bk, .html, .zip, .css, .sln, .mp3, .wav, .wma, .avi, .mp4, .divx, .mkv, .wmv, .mov, .mpeg, .ogg, .exe, .csv, .asp, .aspx, .xml, .index, .mdb, .sql.
The creator of EduCrypt did not even bother to write an original program. Analyzing the sample, Mr. Kroustek found that the ransomware is derived from another piece of malware. The sample he collected had been obfuscated with Confuser, a .NET obfuscator; after deobfuscating it, he established that the program is based on Hidden Tear, an open-source ransomware project.
EduCrypt's limited functionality supports the conclusion that it was built to demonstrate how ransomware works and to teach users a lesson. As noted, it encrypts only a small set of folders and file types. It was also found not to communicate with a command-and-control server, which is consistent with a fixed password that never needs to be transmitted anywhere.
EduCrypt shows people some tough love by giving them an involuntary lesson in computer security. The bad news is that other ransomware programs will not give your data back free of charge.