Ransomware Locks Files, Tosses Key

Tuesday, January 19, 2016 @ 11:01 AM gHale

New ransomware is infecting users and then throwing away the key.

The new ransomware is built on Hidden Tear, an open source project. It encrypts a victim’s files and then loses the encryption key, which leaves every encrypted file unrecoverable.


Code for a ransomware sample written by security researcher Utku Sen for educational purposes hit GitHub last August.

This particular ransomware, named Hidden Tear, was a honeypot meant to lure ransomware authors into using his code instead of writing their own, Sen said in a blog post.

One of the interesting things about Hidden Tear was that it contained a deliberate crypto flaw that would let the researcher decrypt files later on if anyone ever used his code.
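The article does not say what the planted flaw was, so the following is an added example, not Hidden Tear’s code or Sen’s, of the most common way such a flaw works: the per-victim password is generated from a PRNG seeded with a clock value (the way .NET’s parameterless Random() seeds from the tick count), so a defender who can bound that value from file timestamps can regenerate the key offline, whether or not the attackers kept a copy. The alphabet, password length, SHA-256 key derivation and HMAC-counter cipher are constructed stand-ins, and the tick counts and file contents are made up for the demo.

```python
import hashlib
import hmac
import random
import struct

# Assumption (constructed for this example): the alphabet and length stand in
# for whatever the real generator used; the article does not reproduce them.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"
PASSWORD_LENGTH = 15


def password_from_seed(seed, length=PASSWORD_LENGTH):
    """Generate the per-victim password from a PRNG seeded with a clock value.

    This is the flaw: a seed taken from the system clock has far too little
    entropy, so anyone who can bound the clock value can regenerate the key.
    """
    rng = random.Random(seed)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


def derive_key(password):
    # A single SHA-256 stands in for the real KDF; a slow KDF only scales the
    # brute force linearly, it does not repair a low-entropy seed.
    return hashlib.sha256(password.encode()).digest()


def keystream_xor(key, data):
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for AES-CTR."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, struct.pack(">Q", block_no), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_like_ransomware(tick_count, plaintext):
    """What the malware does: derive the key from the clock, encrypt, drop the key."""
    password = password_from_seed(tick_count)
    return keystream_xor(derive_key(password), plaintext), password


def recover_password(ciphertext, known_prefix, seed_lo, seed_hi):
    """Brute-force the seed window, testing each candidate against a known
    plaintext header (a file magic such as %PDF- or PK). Returns (seed, password)
    or None if the window did not contain the seed."""
    for seed in range(seed_lo, seed_hi):
        candidate = password_from_seed(seed)
        key = derive_key(candidate)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed, candidate
    return None


def demo():
    """Constructed victim file and tick count; returns True if recovery works."""
    plaintext = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    ciphertext, real_password = encrypt_like_ransomware(123_456, plaintext)
    # The defender bounds the seed from file timestamps, e.g. a ten-second
    # window of millisecond tick counts around the encryption time.
    hit = recover_password(ciphertext, b"%PDF-", 120_000, 130_000)
    if hit is None:
        return False
    _seed, password = hit
    return (password == real_password
            and keystream_xor(derive_key(password), ciphertext) == plaintext)


if __name__ == "__main__":
    print("recovered:", demo())
```

The search space is whatever the clock resolution times the uncertainty window gives: with millisecond ticks and a file modification time known to within a minute, that is 60,000 candidates, which is seconds of work. Swapping in a real KDF and AES does not change that; only a key drawn from a proper CSPRNG does.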

Trend Micro’s security team said someone did use the code and built from it the ransomware strain the company identifies as RANSOM_CRYPTEAR.B.

Between September 15 and December 17, the group hijacked a Paraguayan website and used it to redirect visitors to a look-alike Adobe Flash page that pushed a fake Flash Player update.

Users who downloaded the update saw the file execute as soon as the download finished, and within minutes they were infected with crypto-ransomware that encrypted most of their data files.

Worse, the ransomware’s authors discarded Hidden Tear’s encryption key, never sending it to their C&C servers, so even they could not restore a victim’s files.

Key or no key, the authors still demanded a Bitcoin payment (around $500) to unlock the system.