Ded Cryptor: Greedy ransomware with open-source roots

Vitus White
Last updated: 13 October

Recently, English- and Russian-speaking users have been targeted by a new ransomware Trojan called Ded Cryptor. It is greedy, demanding 2 bitcoins (about $1,300 at the time) as ransom. Unfortunately, no decryption solution is available for files held hostage by Ded Cryptor.

Contents
  • Ransomware for all!
  • You made the ransomware, now pay the ransom!
  • How Ded Cryptor emerged

When a computer is infected with Ded Cryptor, the malware changes the system wallpaper to a picture of an evil-looking Santa Claus. A scary image and a ransom demand — sounds like any other ransomware, right? But Ded Cryptor has a really interesting origin story, kind of a thriller, with good and bad guys battling it out, making mistakes, and facing consequences.

Ransomware for all!

It all started when Utku Sen, a security expert from Turkey, created a piece of ransomware and published the code online. Anybody could download it from GitHub, an open and free Web resource that developers use for collaborating on projects (the code was later removed; you’ll see why in a bit).

It was a rather revolutionary idea, making source code freely available to criminals, who would undoubtedly use it to make their own cryptors (and so they did). However, Sen, a white hat hacker, felt certain that every cybersecurity expert needs to understand how cybercriminals think — and how they code. He believed his unusual approach would help the good guys to oppose the bad guys more efficiently.

The first of these projects was Hidden Tear. From the very beginning, Sen presented his work as being for education and research. Over time he produced a variant that could work offline, and later released EDA2, a more capable successor.

EDA2 used stronger asymmetric encryption than Hidden Tear did. It could also communicate with a full-fledged command-and-control server, and it encrypted the decryption key before transferring it there, so the key could not simply be read out of the traffic. It also displayed a scary picture to the victim.

EDA2’s source code was also published on GitHub, which brought Utku Sen a lot of attention and criticism, and not without reason. With the source code freely available, wannabe cybercriminals who had not even learned to code properly could use Sen’s open-source ransomware to relieve people of their money. Didn’t he understand that?

He did: Sen had built backdoors into his ransomware that let him retrieve the decryption keys. If he heard of his code being used for malicious purposes, he needed only the command-and-control server’s URL from a sample; through the backdoor he could then pull the keys from that server and hand them to the victims. There was a problem, however. To decrypt their files, the victims had to know about the white hat hacker and ask him for the keys, and the vast majority of victims had never even heard of Utku Sen.

You made the ransomware, now pay the ransom!

Of course, third-party encryptors created with Hidden Tear and EDA2 source code were not long in coming. Sen dealt with the first one more or less successfully: He published the key and waited for victims to find it. But things did not go so well with the second cryptor.

Magic, a piece of ransomware based on EDA2, looked just like the original and promised to be nothing of interest. When Sen was informed about it, he tried to extract the decryption key through the backdoor as he had done before, but there was no way in. The cybercriminals behind Magic had chosen a free hosting provider for their command-and-control server, and when the provider received complaints about the malicious activity it simply deleted the criminals’ account along with all their files. Any chance of recovering the keys disappeared with that data: the backdoor only works while the server it talks to still exists.

The story doesn’t end there. The creators of Magic reached out to Utku Sen, and their conversation developed into a long and public discussion. They began by offering to publish the decryption key if Sen agreed to remove the EDA2 source code from the public domain and pay them 3 bitcoins. In time, both parties agreed to leave ransom out of the deal.

The negotiations turned out to be rather interesting: Readers learned about the hackers’ political motivation — and that they almost published the key when they heard from a man who lost all photos of his newborn son because of Magic.

In the end, Sen removed the EDA2 and Hidden Tear source code from GitHub, but he was too late; many people had already downloaded it. On February 2, 2016 Kaspersky Lab expert Jornt van der Wiel noted in an article on SecureList that there were 24 encryptors based on Hidden Tear and EDA2 in the wild. Since then the number has only increased.

How Ded Cryptor emerged

Ded Cryptor is one of those descendants. It uses the EDA2 source code, but its command-and-control server is hosted as a Tor hidden service for the operators’ anonymity. The ransomware reaches the server through a tor2web gateway, a clearnet service that relays ordinary HTTP requests to hidden services, so the malware needs no Tor client of its own. The flip side for the attacker is that the gateway hostname shows up in plain DNS and proxy logs on the victim’s network.

In a way, Ded Cryptor, created from various pieces of open code published on GitHub, recalls Frankenstein’s monster. The creators borrowed code for the proxy server from another GitHub developer; and the code for sending requests was initially written by a third developer. An unusual aspect of the ransomware is that it doesn’t send requests to the server directly. Instead, it sets up a proxy server on the infected PC and uses that.
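As an added example (not code from the article or from any of the GitHub projects it mentions), the following Python scans web-proxy log lines for that tor2web pattern, in which a hidden-service address is followed by ".onion." and a clearnet gateway domain. The log lines, client addresses, onion addresses and gateway domains ("onion.to", "onion.link") are constructed for the example and the Squid log format is an assumption; the regex accepts any gateway suffix rather than a fixed list, so it also catches gateways you have not heard of.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Tor2web gateways expose a hidden service at <onion-address>.onion.<gateway>,
# so the ".onion." infix between a base32 label (16 chars for v2, 56 for v3)
# and a clearnet suffix is the signal, whichever gateway the malware picked.
TOR2WEB_HOST_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.onion\.(?P<gateway>[a-z0-9.-]+)$",
    re.IGNORECASE,
)


class Tor2webHit(NamedTuple):
    line_no: int
    client: str
    onion: str     # hidden-service address without the ".onion" suffix
    gateway: str   # clearnet gateway domain that relayed the request


def host_from_proxy_url(url: str) -> str:
    """Squid logs a full URL for GET/POST and 'host:port' for CONNECT."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def find_tor2web(log_text: str) -> List[Tor2webHit]:
    """Return one hit per log line whose destination host is a tor2web URL."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        # Squid native access.log: time elapsed client code/status bytes method url ...
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        match = TOR2WEB_HOST_RE.match(host_from_proxy_url(url))
        if match:
            hits.append(Tor2webHit(line_no, client,
                                   match["onion"].lower(), match["gateway"].lower()))
    return hits


# Constructed sample log (assumption: Squid native format); the client addresses,
# onion addresses and gateway domains are invented for this example.
V3_ONION = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56]
SAMPLE_LOG = f"""\
1466000001.120 210 10.0.0.15 TCP_MISS/200 1543 POST http://qw3rty7uiop2asdf.onion.to/write.php - HIER_DIRECT/203.0.113.9 text/html
1466000002.300 18 10.0.0.15 TCP_HIT/200 8812 GET http://www.example.com/index.html - HIER_NONE/- text/html
1466000003.010 455 10.0.0.22 TCP_TUNNEL/200 4096 CONNECT {V3_ONION}.onion.link:443 - HIER_DIRECT/198.51.100.4 -
1466000004.200 40 10.0.0.22 TCP_MISS/200 512 GET http://onion.to/ - HIER_DIRECT/203.0.113.9 text/html
1466000005.500 77 10.0.0.31 TCP_TUNNEL/200 2048 CONNECT update.example.net:443 - HIER_DIRECT/192.0.2.8 -
"""

if __name__ == "__main__":
    for hit in find_tor2web(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.onion}.onion via {hit.gateway}")
```

Lines 1 and 3 are flagged (a v2 and a v3 address through two different gateways); a visit to the gateway’s own front page (line 4) is not, because no onion label precedes ".onion.". Keying the match on the infix rather than on a gateway list is the point: the malware’s local proxy still has to emit the gateway hostname, and that hostname carries the hidden-service address with it.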

As far as we can tell, the Ded Cryptor developers are Russian speaking. First, the ransom note exists only in English and Russian. Second, Kaspersky Lab senior malware analyst Fedor Sinitsyn analyzed the ransomware code and found the debug-symbol (PDB) path C:\Users\sergey\Desktop\доделать\eda2-master\eda2\eda2\bin\Release\Output\TrojanSkan.pdb that the compiler had left in the binary: a Russian user name, a folder called доделать (Russian for “finish up”) and a build tree straight out of the downloaded EDA2 GitHub archive. (By the way, the aforementioned Magic ransomware was also developed by Russian-speaking people.)
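To show how that kind of evidence is pulled out of a sample, here is an added example, not Kaspersky’s or the article’s code: it scans raw bytes for PDB 7.0 “RSDS” CodeView records (the signature, a 16-byte GUID, a 32-bit age and a NUL-terminated path) and picks the account name out of any C:\Users\<name>\ path it finds. The sample blob is constructed inline around the path quoted above (with backslashes restored as the separators); the GUID, the second record and the surrounding bytes are invented. Decoding as UTF-8 with a cp1251 fallback is an assumption for builds from a Russian-locale machine.

```python
import struct
import uuid
from typing import List, NamedTuple

RSDS_MAGIC = b"RSDS"                  # CodeView signature for PDB 7.0 records
RSDS_HEADER = struct.Struct("<16sI")  # GUID (little-endian layout) + Age


class PdbRecord(NamedTuple):
    offset: int
    guid: str
    age: int
    path: str
    username: str   # "" when the path is not under C:\Users\<name>\


def decode_pdb_path(raw: bytes) -> str:
    """Modern toolchains write the PDB path as UTF-8; older ones used the build
    machine's ANSI code page. Try UTF-8 first, then cp1251 (assumption: Russian
    locale, which is what the path in the Ded Cryptor sample suggests)."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1251", errors="replace")


def username_from_path(path: str) -> str:
    """Pick the account name out of a C:\\Users\\<name>\\... build path."""
    parts = path.replace("/", "\\").split("\\")
    for i in range(len(parts) - 2):
        if parts[i].lower() == "users":
            return parts[i + 1]
    return ""


def extract_pdb_records(blob: bytes, max_path: int = 512) -> List[PdbRecord]:
    """Scan raw bytes (a PE file, a memory dump, an unpacked section) for RSDS
    records instead of walking the PE debug directory, so the scan also works on
    samples whose headers are damaged or packed."""
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        hdr = pos + len(RSDS_MAGIC)
        if hdr + RSDS_HEADER.size <= len(blob):
            guid_le, age = RSDS_HEADER.unpack_from(blob, hdr)
            start = hdr + RSDS_HEADER.size
            end = blob.find(b"\x00", start, start + max_path)
            if end > start:
                path = decode_pdb_path(blob[start:end])
                # The four bytes "RSDS" also occur by chance; a real record names a .pdb
                if path.lower().endswith(".pdb"):
                    records.append(PdbRecord(pos, str(uuid.UUID(bytes_le=guid_le)),
                                             age, path, username_from_path(path)))
        pos = blob.find(RSDS_MAGIC, pos + 1)
    return records


def build_rsds(guid: uuid.UUID, age: int, path: str, encoding: str) -> bytes:
    """Assemble an RSDS record; used only to construct the sample below."""
    return RSDS_MAGIC + RSDS_HEADER.pack(guid.bytes_le, age) + path.encode(encoding) + b"\x00"


# The PDB path the article quotes (backslashes restored); the GUID, the second
# record and the surrounding bytes are constructed for this example.
DED_CRYPTOR_PDB = r"C:\Users\sergey\Desktop\доделать\eda2-master\eda2\eda2\bin\Release\Output\TrojanSkan.pdb"
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS is also plain text here"                                  # chance hit, must be ignored
    + build_rsds(SAMPLE_GUID, 1, DED_CRYPTOR_PDB, "utf-8")
    + b"\x00" * 32
    + build_rsds(SAMPLE_GUID, 2, r"D:\build\Заказ\app.pdb", "cp1251")  # ANSI-encoded path
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_BLOB):
        print(f"@{rec.offset:#x} guid={rec.guid} age={rec.age} user={rec.username!r}\n  {rec.path}")
```

The stray “RSDS” in the padding is rejected because what follows it does not name a .pdb, and the second record exercises the code-page fallback. On a real sample the GUID and age are worth keeping alongside the path: they are what pivots between builds from the same machine, which is the same sort of clue the user name and the eda2-master folder gave the analysts here.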

Unfortunately, little is known about how Ded Cryptor spreads. According to the Kaspersky Security Network, the EDA2-based ransomware is active mostly in Russia. Next come China, Germany, Vietnam, and India.

Also unfortunately, there is no available way to decrypt files encrypted by Ded Cryptor. Victims can try to recover data from Volume Shadow Copies, if the operating system made any and the malware did not delete them. But the best protection is proactive: it is much easier to prevent infection, and to keep offline backups, than to deal with the consequences.

Kaspersky Internet Security detects Trojans based on Hidden Tear and EDA2 under the verdict Trojan-Ransom.MSIL.Tear and warns the user. It also blocks the ransomware’s activity so that it cannot encrypt files.

Kaspersky Total Security does all that plus automates backups, which can be useful in all sorts of cases, from ransomware infection to sudden hard-drive death.


Source: kaspersky.com

TAGGED: Encryption, Malware, Proxy server, RC4, Security, Software, Source code, Targeted Attack, Threats, Transport Layer Security
Vitus White | Published September 30, 2019 | Updated October 13, 2022