Ransomware
New Open Source Ransomware Based on Hidden Tear, EDA2
In a span of one to two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases.
By Francis Antazo, Byron Gelera, Jeanne Jocson, Ardin Maglalang, and Mary Yambao

In a span of one to two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which could suggest that they are targeting businesses.

Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, they were quickly abused by cybercriminals. RANSOM_CRYPTEAR.B is one of the many Hidden Tear spinoffs; it infects systems when users access a hacked website from Paraguay. Magic ransomware (detected as RANSOM_MEMEKAP.A), based on EDA2, came soon after CRYPTEAR.B’s discovery.

One factor that contributed to the proliferation of this ransomware type is the ease and convenience it offers to cybercriminals—they don’t have to be technically skilled to build their own ransomware from scratch. Before the source code of Hidden Tear and EDA2 was taken down, it was publicly available, and cybercriminals only had to modify the code based on their needs.

Imitating pop culture and mobile apps

KaoTear (detected as RANSOM_KAOTEAR.A), a Hidden Tear-based ransomware, uses the filename kaoTalk.exe and includes the KakaoTalk icon to disguise its malicious nature. KakaoTalk is a widely-used messaging app in South Korea with 49.1 million active users globally.
Figure 1. KaoTear’s ransom note
English translation:
Your files have been encrypted. Go to the following address: You can check the information for decryption: http://{BLOCKED}t225dfs5mom.{BLOCKED}n.city Go to the site above. TOR browser is required
Another recent Hidden Tear spinoff is POGOTEAR (detected as RANSOM_POGOTEAR.A) that capitalizes on the success of Pokemon Go. It even employs the filename PokemonGo.exe to lure users into thinking that it is a legitimate file.
Figure 2. POGOTEAR’s ransom note bears the image of Pikachu from the gaming app, Pokemon Go.
Here's a rough translation in English:
Sorry. Encrypting your files has been unintentional. The decoder is sent to {BLOCKED} 200 edge following account
{BLOCKED}@gmail.com.
Figure 3. KaoTear and POGOTEAR have the string “hidden tear” on their form initialization.
On the other hand, FSociety (detected as RANSOM_CRYPTEAR.SMILA) is an EDA2-based ransomware that draws inspiration from the hacker group in the hit TV series, Mr. Robot.
Figure 4. Cybercriminals ride on the popularity of the TV show, Mr. Robot.
A closer look at KaoTear, POGOTEAR, and FSociety

Aside from pop culture references, KaoTear, POGOTEAR, and FSociety have other similarities.
For one, they target almost the same file types to encrypt: *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd. Some of these file extensions (such as XML, PHP, and ASPX) are related to web servers.
All three malware also search for SQL and MDB files, which are associated with databases. Based on these target files, it is very likely that businesses are being targeted.
Here are some of the similarities and differences:
| | KaoTear | POGOTEAR | FSociety |
|---|---|---|---|
| Extension | 암호화됨 (.encrypted) | .locked | .locked |
| Ransom Note | ReadMe.txt | هام جدا.txt | None |
| Language | Korean | Arabic | English |
| MSIL compiled | Yes | Yes | Yes |
| Encryption Method | AES 256 | AES 256 | AES 256 |
| Propagation Routine | None | Spreads via fixed drives, removable drives, shared folders and mapped network drives | None |
| C&C | None | Connects to hxxp://10[.]25[.]0[.]169 | Sends the key for encrypting files to hxxp://www[.]archem.hol[.]es/savekey[.]php |
POGOTEAR is the only one of the three with a propagation mechanism, which enables it to spread to removable and mapped network drives. It also creates an administrator-level user that is hidden from the Windows login screen through this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Hack3r = "0"
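To audit a host for accounts hidden through this UserList mechanism, here is an added Python example (not code from the post, Trend Micro, or the malware) that parses a `reg export` of the Winlogon subtree and lists every account whose UserList value is 0; the export text is constructed for illustration.

```python
import re
from typing import Dict, List

# Registry key POGOTEAR writes to hide its "Hack3r" account from the Windows
# login screen (the key path as documented above).
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList")

# Constructed sample of a `reg export` of the Winlogon subtree, not taken from
# a real infected host; the "Hack3r" value mirrors the page's registry entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Hack3r"=dword:00000000
"kiosk"=dword:00000001
"""

# One REG_DWORD value line inside a key, e.g. "Hack3r"=dword:00000000
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_userlist(reg_text: str) -> Dict[str, int]:
    """Return {account: value} for every DWORD under the UserList key only."""
    entries: Dict[str, int] = {}
    in_userlist = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key header: registry paths are case-insensitive, so compare lowered.
            in_userlist = line[1:-1].lower() == USERLIST_KEY.lower()
            continue
        if in_userlist:
            m = _DWORD_RE.match(line)
            if m:
                entries[m.group("name")] = int(m.group("hex"), 16)
    return entries


def hidden_accounts(reg_text: str) -> List[str]:
    """Accounts with a UserList value of 0, i.e. suppressed from the login screen.
    The mechanism is legitimate, so treat each hit as something to verify."""
    return sorted(n for n, v in parse_userlist(reg_text).items() if v == 0)


if __name__ == "__main__":
    # A real export is UTF-16 LE: open(path, encoding="utf-16").read()
    print(hidden_accounts(SAMPLE_REG_EXPORT))
```

Cross-check any account it reports against the local user list; an administrator-level account that nobody provisioned is the indicator described here.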
With a hidden administrator-level account, cybercriminals can further compromise the infected system and, consequently, the network.

We observed that POGOTEAR and FSociety may still be under development. One indicator of this is POGOTEAR’s use of a private IP for its command-and-control (C&C) server. Since it uses a private IP, the information sent stays within the organization's network. FSociety, on the other hand, searches for a folder named ‘test’ in %Desktop%. If the said folder is not found, FSociety does not encrypt any files.

The risks of open source ransomware

The creation of open source ransomware for educational purposes has raised security concerns that call for stricter measures in knowledge sharing. In the case of Hidden Tear and EDA2, the cybercriminals used the public source code as a baseline and modified it to pursue their own interests. Another educational ransomware spotted is ShinoLocker (detected as RANSOM_SHINOLOCK.A). Aside from file encryption, it can also uninstall itself and restore the files it has encrypted. The developer created it for simulation purposes.

As security researchers, we have to thoroughly assess the possible risks and consequences of creating and distributing educational information. If the sharing of source code or samples is necessary, it is best to distribute these only to targeted, credible recipients through secure channels. Before releasing anything to the public, we need to weigh its benefits against the potential threats it can introduce if it falls into the wrong hands.

Trend Micro solutions

Enterprises and small-medium businesses are viable targets for ransomware attacks. The recently discovered open source ransomware strains show how they could affect organizations—disruption to productivity and operations, as well as damage to company brand or reputation. Although these strains are still under development, we can expect the perpetrators behind them to enhance their arsenals to advance their interests.
The recent developments in open source ransomware also highlight the importance of how a multilayered protection can secure enterprise networks from all aspects—gateway, endpoints, network, and servers. Our endpoint solutions can detect KaoTear, POGOTEAR, and FSociety ransomware before they can encrypt crucial files in the system.
PROTECTION FOR ENTERPRISES
Email and Gateway Protection
Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.
- Spear phishing protection
- Malware Sandbox
- IP/Web Reputation
- Document exploit detection
Endpoint Protection
Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.
- Ransomware Behavior Monitoring
- Application Control
- Vulnerability Shielding
- Web Security
Network Protection
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
- Network Traffic Scanning
- Malware Sandbox
- Lateral Movement Prevention
Server Protection
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.
- Webserver Protection
- Vulnerability Shielding
- Lateral Movement Prevention
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
- Ransomware behavior monitoring
- IP/Web Reputation
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
- IP/Web Reputation
- Ransomware Protection
Related SHA1 hashes:
- a5f0b838f67e0ca575a3d1b27d4a64dec8fac2fc - RANSOM_CRYPTEAR.SMILA
- f7a78789197db011b55f53b30d533eb4297d03cd - RANSOM_KAOTEAR.A
- aee02b10a74c2fdd257d161fd8e03b37878a803f - RANSOM_POGOTEAR.A
Updated on September 04, 2016, 11:55 PM (UTC-7)

We would like to thank Nyxbone and @demonslay335 for first bringing these threats to light.