Looking For Hidden Tear (rasomware) Source?

Disappointed to read David Bisson advocating security through secrecy in Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project.

From the post:

The author of the Magic ransomware unsuccessfully attempted to blackmail a security researcher into taking down two open-source ‘educational’ malware projects on GitHub.

Magic, a malicious program which is written in C# and which demands 1 Bitcoin from its victims, is the second strain of ransomware discovered in January to have been built on malware that has been made available to the public for ‘educational’ purposes.

The first threat, Ransom_Cryptear.B, is based on an open-source project called Hidden Tear, which is currently hosted by Turkish security researcher Utku Sen on his GitHub page.

Whether Sen is able to recover the victims’ files without working with the ransomware author remains to be seen. However, what is abundantly clear is Sen’s foolishness in releasing ransomware code as open-source. Though such a move might have educational motives at heart, this will not stop malicious and inexperienced attackers from co-opting the ransomware code for their own purposes.

Going forward, researchers should never make ransomware code available beyond the labs where they study it. Ordinary users will surely benefit in the long run.

See David’s post for the details. My concern is his advocacy of non-publication of ransomware code.

McAfee Labs 2016 Threats Predictions report makes it clear that “malicious and inexperienced attackers” are not the source of great concern for ransomware.

In 2015 we saw ransomware-as-a-service hosted on the Tor network and using virtual currencies for payments. We expect to see more of this in 2016, as inexperienced cybercriminals will gain access to this service while staying relatively anonymous.

Although a few families—including CryptoWall 3, CTB-Locker, and CryptoLocker—dominate the current ransomware landscape, we predict that new variants of these families and new families will surface with new stealth functionalities. For example, new variants may start to silently encrypt data. These encrypted files will be backed up and eventually the attacker will pull the key, resulting in encrypted files both on the system and in the backup. Other new variants might use kernel components to hook the file system and encrypt files on the fly, as the user accesses them.
….. (at page 24)

Amateurs aren’t building “ransomware-as-a-service” sites and there’s no reason to pretend otherwise.

Moreover, the “good old boy network” of security researchers hasn’t protected anyone from ransomware if the McAfee Labs and similar reports are to be credited. If concealment of security flaws and malware were effective, there should be some evidence to that effect. Yes?

In the absence of evidence, dare I say “data?,” we should dismiss concealment as a strategy for cybersecurity as utter speculation. Speculation that favors a particular class of researchers. (Can you guess their gender statistics?)

In case you are interested, the Github page for Hidden Tear now reads in part:

This project is abandoned. If you are a researcher and want the code, contact me with your university or company e-mail http://utkusen.com/en/contact.html

Well, no harm done. If you are looking for the master.zip file for Hidden Tear, check the Internet Archive: Wayback Machine, or more directly, the backup of the Hidden Tear project on 26 January 2016.

You can presume that copies have been made of the page and master.zip file, just in case something unfortunate happens to the copies at the Internet Archive: Wayback Machine.

Better software, user education, legal actions against criminals are all legitimate and effective means of combating the known problem of ransomware.

Concealing ransomware code is a form of privilege. As we all know, privilege has an unhappy record in computer programming and society in general. Don’t support it, here or anywhere.

Comments are closed.