Faulty ransomware renders files unrecoverable, even by the attacker

A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims’ files being completely unrecoverable.

Researchers from antivirus vendor Trend Micro recently spotted a new file-encrypting ransomware program distributed as a Flash Player update through a compromised website in Paraguay.

After they analyzed the program’s code, they realized that it was a modification of a proof-of-concept file encryptor application called Hidden Tear that was published on GitHub in August by a Turkish security enthusiast.

Hidden Tear comes with a disclaimer that the code may only be used for education purposes and a warning that people using it as ransomware could go to jail.

Not surprisingly, cybercriminals don’t care much about disclaimers or jail warnings, so it wasn’t long before the code was used to create ransomware programs.

First, some Reddit users pointed out similarities between Hidden Tear and Linux.Encoder, a ransomware program targeting Web servers. The similarities included a flaw in the encryption implementation that made recovering affected files possible without paying the ransom.

After facing understandable criticism for releasing the code, the Hidden Tear author said in a blog post in November that one of his intentions was to create a trap for unskilled cybercriminals and that the flawed encryption was intentional.

True or not, it seems that the code is doing more harm than good.

Called RANSOM_CRYPTEAR.B, the ransomware program distributed from the website in Paraguay is also based on Hidden Tear, but its creator, supposedly a Brazilian hacker, has made a serious error, according to the Trend Micro researchers.

Once executed on a computer, RANSOM_CRYPTEAR.B generates an encryption key and saves it in a file on the computer’s desktop. It then proceeds to encrypt files with certain extensions, including the file where the encryption key is stored, before sending it to the attacker.

This makes it essentially impossible to recover the files, as the key itself gets encrypted, probably by mistake, the Trend Micro researchers said in a blog post.

In other words, users infected with the program will not be able to recover their files in the absence of backups, even if they decide to pay the ransom.

Sharing information about how various threats work is important in order to understand them and to protect users, but releasing sample code publicly is not needed for that goal, the Trend Micro researchers said.