New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses

By Francis Antazo, Byron Gelera, Ardin Maglalang, and Mary Yambao

Within a span of one to two weeks, three new open source ransomware strains based on Hidden Tear and EDA2 have emerged. These new ransomware families specifically look for files related to web servers and databases, which could suggest that they are targeting businesses.

Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, they were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs that infect systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery.

One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals—they don’t have to be technically skilled to build their own ransomware from scratch. Before the source codes of Hidden Tear and EDA2 were taken down, these were publicly available and cybercriminals only had to modify the code based on their needs.

Imitating pop culture and mobile apps

KaoTear (detected as RANSOM_KAOTEAR.A), a Hidden Tear-based ransomware, uses the filename kaoTalk.exe and includes the KakaoTalk icon to disguise its malicious nature. KakaoTalk is a widely used messaging app in South Korea with 49.1 million active users globally.

Figure 1. KaoTear’s ransom note

English translation:

Your files have been encrypted.
Go to the following address:
You can check the information for decryption:
http://{BLOCKED}t225dfs5mom.{BLOCKED}n.city
Go to the site above. TOR browser is required

Another recent Hidden Tear spinoff is POGOTEAR (detected as RANSOM_POGOTEAR.A), which capitalizes on the success of Pokemon Go. It even employs the filename PokemonGo.exe to lure users into thinking that it is a legitimate file.

Figure 2.  POGOTEAR’s ransom note bears the image of Pikachu from the gaming app, Pokemon Go.

Here’s a rough translation in English:

Sorry. Encrypting your files have been unintentional. The decoder is send to {BLOCKED} 200 edge following account\n {BLOCKED}@gmail.com.

Figure 3.  KaoTear and POGOTEAR have the string “hidden tear” on their form initialization.

On the other hand, FSociety (detected as RANSOM_CRYPTEAR.SMILA) is an EDA2-based ransomware that draws inspiration from the hacker group in the hit TV series, Mr.Robot.

Figure 4. Cybercriminals ride on the popularity of the TV show, Mr. Robot.

A closer look at KaoTear, POGOTEAR, and FSociety

Aside from pop culture references, KaoTear, POGOTEAR, and FSociety have other similarities.

For one, they target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd.  Some of these file extensions (such as XML, PHP, and ASPX) are related to web servers.

All three malware also search for SQL and MDB files, which are associated with databases. Based on these target files, it is very likely that businesses are being targeted.

Here are some of the similarities and differences:

| | KaoTear | POGOTEAR | FSociety |
|---|---|---|---|
| Extension | 암호화됨 (.encrypted) | .locked | .locked |
| Ransom Note | ReadMe.txt | هام جدا.txt | None |
| Language | Korean | Arabic | English |
| MSIL compiled | Yes | Yes | Yes |
| Encryption Method | AES 256 | AES 256 | AES 256 |
| Propagation Routine | None | Spreads via fixed drives, removable drives, shared folders and mapped network drives | None |
| C&C | None | Connects to hxxp://10[.]25[.]0[.]169 | Sends the key for encrypting files to hxxp://www[.]archem.hol[.]es/savekey[.]php |

POGOTEAR is the only ransomware with a propagation mechanism that enables it to spread to removable and mapped network drives. It also creates an administrator-level user that can be hidden from the Windows login screen through this registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Hack3r = "0"

With this, cybercriminals can further compromise the infected system and consequently, the network.
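A check a responder could run for the hidden-account technique described above, added here as an example and not taken from the original post or from any Trend Micro tool: it lists every account name set to 0 under SpecialAccounts\UserList and reports whether that account exists locally, is enabled, and belongs to the local Administrators group. The function name Get-HiddenLogonAccount is hypothetical, and the LocalAccounts cmdlets it calls assume Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the original post): find accounts hidden from the
# Windows sign-in screen via SpecialAccounts\UserList and check their privileges.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccount {   # hypothetical helper name
    param([string]$Path = $UserListKey)

    # Nothing to report if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    # Resolve local Administrators by well-known SID so this works on localized systems.
    # Names are compared without the COMPUTER\ or DOMAIN\ prefix.
    $admins = $null
    try {
        $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object { ($_.Name -split '\\')[-1] })
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }                  # skip the unnamed default value
        # 0 hides the account; the value may be stored as REG_DWORD or as a string.
        if ("$($key.GetValue($name))" -ne '0') { continue }

        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account      = $name
            ExistsLocal  = [bool]$user
            Enabled      = if ($user) { $user.Enabled } else { $null }
            IsLocalAdmin = if ($null -ne $admins) { $admins -contains $name } else { $null }
        }
    }
}

# Hidden + enabled + administrator is the combination the article attributes to POGOTEAR.
Get-HiddenLogonAccount |
    Sort-Object IsLocalAdmin, Enabled -Descending |
    Format-Table -AutoSize
```

An empty result means no account is currently hidden through this key; a hidden entry with no matching local user can still be a leftover from a removed account and is worth recording.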

We observed that POGOTEAR and FSociety may still be under development. One indicator of this is POGOTEAR’s use of a private IP for its command-and-control (C&C) server. Since it uses a private IP, the information sent stays within the organization’s network. FSociety, on the other hand, searches for a folder named ‘test’ in %Desktop%. If the said folder is not found, FSociety does not encrypt any files.

The risks of open source ransomware

The creation of open source ransomware for educational purposes has raised security concerns that call for stricter measures in knowledge sharing. In the case of Hidden Tear and EDA2, the cybercriminals used the public source code as a baseline and modified it to pursue their own interests.

Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore files it has encrypted. The developer created it for simulation purposes.

As security researchers, we have to thoroughly assess the possible risks and consequences of creating and distributing educational information. If the sharing of source codes or samples is necessary, it is best to distribute these only to targeted credible recipients through secure channels. Before releasing anything to the public, we need to assess its benefits against the potential threats that it can introduce if it goes into the wrong hands.

Trend Micro solutions

Enterprises and small-medium businesses are viable targets for ransomware attacks. The recently discovered open source ransomware strains show how such threats can affect organizations: disruption to productivity and operations, including damage to company brand or reputation. Although these strains are still under development, we can expect the perpetrators behind them to enhance their arsenals to advance their interests.

The recent developments in open source ransomware also highlight how important multilayered protection is in securing enterprise networks at every layer: gateway, endpoints, network, and servers. Our endpoint solutions can detect KaoTear, POGOTEAR, and FSociety ransomware before they can encrypt crucial files in the system.

PROTECTION FOR ENTERPRISES

  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

Related SHA1 hashes:

  • a5f0b838f67e0ca575a3d1b27d4a64dec8fac2fc – RANSOM_CRYPTEAR.SMILA
  • f7a78789197db011b55f53b30d533eb4297d03cd – RANSOM_KAOTEAR.A
  • aee02b10a74c2fdd257d161fd8e03b37878a803f – RANSOM_POGOTEAR.A

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 24. August 2016, content source with full text you can find at link above.