Hidden Tear Open-Source Ransomware Spawns 24 Other Ransomware Variants


Community Manager
Thread author
Staff Member
Oct 23, 2012
The ransomware variant called Hidden Tear, open-sourced as part of an educational project, was used for at least 24 real-life ransomware strains, as security researchers from Kaspersky have discovered in the past days.

The whole story starts with a Turkish security researcher named Utku Sen, who decided last year to create a few test ransomware families and upload them on GitHub.

Utku Sen and his hobby
At first, the researcher created Hidden Tear, in which he left a hidden encryption flaw. Hidden Tear was later used in the Cryptear.B and Linux.Encoder ransomware families, both of which were cracked by Utku himself and various security firms.

After this happened, ransomware authors moved to abusing EDA2, Utku's second ransomware project. EDA2 didn't include an encryption flaw but came with a PHP backdoor, laced with a backdoor. Despite this, when the whole Magic ransomware debacle happened, this backdoor was useless, and only the malware author's good grace allowed infected victims to recover their files.

To release the encryption keys for free, the author of the Magic ransomware blackmailed Utku and forced him to remove both the EDA2 and Hidden Tear projects from GitHub.

Over 24 Hidden Tear variants detected
Unfortunately, removing the ransomware families from GitHub didn't help at all. Jornt van der Wiel, security researcher from Kaspersky, says that they've found 24 other ransomware families that used some of Hidden Tear's code in their make-up.

One of these families is Trojan-Ransom.MSIL.Tear.c, which was specifically altered to encrypt only files found on the user's desktop.

Another one, Trojan-Ransom.MSIL.Tear.f, also known as KryptoLocker, was asking users to email the ransomware's author for their encryption key and was lying about the type of encryption used to lock the files.

Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h were a little bit more complex because they used C&C (command and control) servers while Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k actually used the same C&C server IP.

There were more, but we won't mention them all since they all contain small updates to the normal Hidden Tear mode of operation.

Some Hidden Tear variants were destroying user files
Some of the few that do stand out are Trojan-Ransom.MSIL.Tear.n , Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p, and Trojan-Ransom.MSIL.Tear.q, which encrypted files but forgot to store the encryption key anywhere, effectively losing all the victims' files.

Even worse, all Hidden Tear variants codenamed from Trojan-Ransom.MSIL.Tear. r to Trojan-Ransom.MSIL.Tear.v used a C&C server located at "example.com," sending encryption keys into thin air, dooming the user's files as well.

The conclusion of all this is that even if security researchers have the best intentions at heart, this will never stop bad guys from abusing their "educational" work.


Level 4
Oct 1, 2015
And I was surprised when I find out uBlock origin is blocking sourceforge.net!:eek: I thought their bad reputation as adware distributor was exaggerated. I just hope kiwix is safe (I'm almost positive it is).
  • Like
Reactions: Der.Reisende


Staff Member
Malware Hunter
Jul 22, 2014
"open-sourced as part of an educational projec"....and then uploaded on github..... NO WAY!

No legal consequences for the researcher?:confused::eek:o_O
  • Like
Reactions: Der.Reisende


Level 85
Honorary Member
Mar 15, 2011
Well such a dangerous research, agree on the final paragraph; sometimes abusive users will use that instrument to formulate more nastier and linked to the original developer.

Better to post a video presentation and samples are to be delivered privately for those who are willing.
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.