EDA2 Open-Source Ransomware Code Used in Real-Life Attacks

Exterminator
Thread author
Cyber-crooks have used the open-source code of the EDA2 ransomware to create the Magic ransomware strain, which was spotted in real-life attacks against users in the past few days.

This is the second time when this happens, after the open-sourced code of the Hidden Tear ransomware was also deployed in live attacks around two weeks ago via the RANSOM_CRYPTEAR.B ransomware family.

No happy ending for Magic ransomware victims
The creator of both projects is Turkish security researcher Utku Sen, who said that both his projects, Hidden Tear and EDA2, were published only for educational purposes.

For RANSOM_CRYPTEAR.B victims, the story had a happy ending, after Utku Sen revealed that he purposely left an encryption flaw in the ransomware's code, which other security researchers used to help out ransomware victims.

There is no happy ending for Magic ransomware victims, who currently have no way of recovering their files, even if they pay the ransom. More on this later.

How Magic ransomware works
First ransomware victims appeared on Reddit and then the Bleeping Computer tech support forums. There is still no info on how the ransomware infects users, but we know that it adds the .magic extension to the files it encrypts, hence its name.

The encryption algorithm is AES, meaning it uses the same key to encrypt and later decrypt the files. Unfortunately, this encryption key is not stored on the computer but sent to a remote C&C server.

Luckily, the address of this C&C server could be extracted from the ransomware's code. Unfortunately, the C&C servers were hosted on a free hosting service. We say unfortunately because someone reported the ransomware's author account, and most free hosting services do not only suspend users that break their rules, but also delete their data.

Yes, you read that right. All the encryption keys were deleted, which means that nobody can decrypt those files now, not even the ransomware's author.

No encryption backdoor in EDA2 (Magic)
We did mention above that Utku Sen left an encryption flaw in the Hidden Tear project. This did not happen in EDA2. Softpedia contacted the researcher, who was in the process of penning a blog post on this issue, being previously alerted that his EDA2 code made its way into the hands of some criminal gang.

As the researcher revealed, the EDA2 ransomware project did not only come with the actual ransomware's code and instructions on how to customize, but was a complete crime-kit and also included a PHP-based admin panel where all the encryption keys were sent.

Utku thought that this time, he would put a fully-working encryption module in the ransomware, but leave a backdoor in the admin panel, which would allow him to access the database and steal the encryption keys if any malware author would ever think of using his open-source EDA2 project.

Since the C&C servers have been taken down, the backdoor account is now useless. Unless the free hosting provider pulls a rabbit out of a hat and mysteriously finds a backup of the data, all Magic ransomware encrypted files are gone for good.

It appears that open-source ransomware is a terrible idea
"From what I can tell just looking through the code, it is unlikely there will be a way to fix it," says Fabian Wosar, an Emsisoft security researcher who previously managed to crack different ransomware families.

At this moment, the infosec community does not seem to be very appreciative of Utku Sen's decision to open-source his ransomware experiments.

He only published two "educational" ransomware projects, but both were quickly nabbed by malware authors and used for non-educational purposes. Despite his best intentions, his experiment failed in a disastrous way.

"I realized my mistake at that moment. I left everything on criminal’s hands. It should have been mistake-proof," says Utku about not including an encryption flaw in the source and deciding to go with a backdoor to the admin panel.

"I removed all the files and commits of Eda2 project. Since nobody has discovered the backdoor to Eda2, I won’t reveal it right now. Because we may deal with new Eda2 implementations in future," he also added, "I’m sorry, I failed this time."
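The article's key technical point is that the files were encrypted with a symmetric key that never stayed on the victim's machine, so the only thing a responder can still do locally is scope the damage. The following is an added triage example, not code from the article, from Softpedia or from Utku Sen's projects: it walks a directory tree, lists files carrying the .magic extension named in the article, checks whether the original file still sits beside each one, and uses a Shannon entropy estimate (the 7.0 bits-per-byte threshold is an assumption of this example) to distinguish genuinely encrypted content from files that were only renamed. The sample directory it builds is constructed inline so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# Extension the Magic ransomware appends to files it encrypts (from the article).
MAGIC_EXT = ".magic"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext or compressed data sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_directory(root: str, ext: str = MAGIC_EXT, entropy_threshold: float = 7.0):
    """Walk `root` and report every file carrying the ransomware extension.

    For each hit we record whether the original (extension stripped) is still
    present and whether the content looks encrypted (entropy above the
    assumed threshold), so an analyst can separate renamed-only files from
    files whose content really was replaced by ciphertext.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            original = path[: -len(ext)]
            with open(path, "rb") as fh:
                sample = fh.read(65536)  # first 64 KiB is enough for an estimate
            entropy = shannon_entropy(sample)
            hits.append({
                "path": path,
                "original_present": os.path.exists(original),
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= entropy_threshold,
            })
    return hits


def build_sample_tree() -> str:
    """Constructed sample data for the demo: one ciphertext-looking .magic file
    (random bytes stand in for AES output), one .magic file that was only
    renamed, and one untouched document."""
    root = tempfile.mkdtemp(prefix="magic_triage_")
    with open(os.path.join(root, "report.docx.magic"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "notes.txt.magic"), "wb") as fh:
        fh.write(b"plain text, only renamed\n" * 100)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"nothing happened here\n")
    return root


if __name__ == "__main__":
    for hit in triage_directory(build_sample_tree()):
        print(hit)
```

Run it as-is to see the two .magic hits from the constructed tree; point `triage_directory` at a real volume to get the list of affected paths for an incident report. The entropy check matters in practice because a file that was renamed but not yet overwritten (for instance if the process was killed mid-run) is still recoverable, while a high-entropy one is not without the key.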
 
As one noted member had said a few days earlier, any kind of malicious code published in the public domain is just asking for trouble, whatever the reason stated. This is a perfect illustration of such happenings.
 
I have looked at exploit code and looked at the code to patch against a vulnerability. I understand how important it is to keep such information out of the public domain, at the same time knowing how a basic exploit works is crucial. Maybe showing old source code of an old vulnerability that has long since been patched on all affected systems. It's important that we can see basic calls and code so we can recognize when our sites and servers have been compromised. Knowledge is power; with great power comes great responsibility. Anyone caught using this source code for malicious purposes should be prosecuted to the fullest extent of the law, when it is being put out for education. It is similar to publicly available RA tools. Poison Ivy in itself is not malicious in the hands of a sysadmin managing a corporate network. In the wrong hands, it can be used for very malicious purposes. My teacher in high school, he was the computer lab teacher. He had software that could lock your screen and wouldn't let you use the computer. In the sense of making you pay attention in class, it is not malicious. In the wrong hands, say someone else uses that software and forms an illegal botnet with it, it would be malicious. I see the fact it's asking for trouble, but at the same time, these people would eventually commit these crimes anyway whether source code is available or not, albeit they would get caught much quicker. Criminals will be criminals no matter what; we have to adapt our strategies to catch crooks to keep up.

Ransomware is definitely a bad idea to OS though
 
The open source educational experiment went bad the first time. However, this time it has backfired horribly.
Surely gaining knowledge will help to deal with the enormous amount of malware problems we see today, but it cannot be done by making it easier on the criminal. That is exactly what these two open source experiments did.
Shared among those companies that deal with malware every day and that many of us trust our cyber lives with is not the same as just throwing it out there for all to see. Especially not with detailed instructions.
"I'm sorry, I failed this time." Let's hope there isn't a third time!