A Case of Too Much Information: Ransomware Code Shared Publicly for “Educational Purposes”, Used Maliciously Anyway
Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information can lead to complicated, and sometimes even troublesome scenarios.
In Mid-August, in an attempt to educate people, Turkish security group Otku Sen published an open source code for ransomware dubbed “Hidden Tear” and made it available for everyone at github. Hidden Tear uses AES encryption and can evade common AV platforms because it’s a new malware. Otku Sen also published a short video demonstrating how ransomware worked.
The creator was very specific about not using Hidden Tear as ransomware.
“While this may be helpful for some, there are significant risks. Hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.”
Keep in mind that a lot of people in the Deep Web or other forums also use explicit warnings as a way of washing their hands clean. Even with the cautionary statement and the good intentions in mind, releasing information such as this was not a reasonable behavior.
Warnings Aren’t Cops
Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware. Our analysis showed that the website was compromised by a Brazilian hacker who used a modified Hidden Tear code.
The website has been compromised since Sept. 15 to Dec. 17 at the latest. It was compromised once again on December 18. The website redirects users to a fake Adobe Flash download website where they are prompted to download a new Flash player. Once the download is complete, the file will automatically run.
Figure 1. The infection vector
The modifications found in RANSOM_CRYPTEAR.B includes an image with Portuguese text replaces the user’s desktop image. The ransom note demanding BRL 2,000.00 (US$502.096 as of Dec. 21) via Bitcoin, is also written in Portuguese.
Another point which makes this attack unique is the fact that the generated key is “lost”. The attack generates an encryption key, which is stored as a file dropped on the user’s desktop. It then proceeds to search for and encrypt files with the following extension:
However, this makes it essentially impossible to recover the files, as the key itself was encrypted (probably by mistake) by the attack.
Research groups should be very careful when releasing information that could be used by threat actors. Using general warnings is not a reasonable behavior. Even if their intentions are to educate their publics, there are still those who would take advantage of their materials. We advise research groups to assess the risks prior to the release of possibly harmful information.
“We need to share knowledge that creates understanding about potential damage, but not the ability to create it. We need to share knowledge about “who exploits work”, but not “how to make use of them”. We need to share knowledge “how malware works”, but sharing “sample code” is not needed for that”, said Martin Roesler, Trend Micro Senior Director for Threat Research.
Trend Micro believes that in sharing information, one must take into consideration their intended audience, the medium they will use, and more importantly, address what the audience needs. Information like Hidden Tear should be shared via secure channels, with security vendors that are impacted by an exploit, the necessary information, up to sample level, so that they can protect users from damage. At the same time, we should share, via public channels, to unrestricted audience, what they need to know to protect themselves.
To prevent or minimize the effects of ransomware, users should regularly backup files, create a habit of accessing regularly used websites through bookmarks, verify email sources, and update security software. Keep in mind that paying the ransom isn’t a 100% guarantee that the encrypted files would be decrypted. For more information on ransomware, read our article Ransomware 101: What, How, and Why.
Hashes for related files:
With additional insights by Michael Marcos