Slashdot Mirror


Malware Operator Barters With Security Researcher To Remove Open Source Ransomware Code (softpedia.com)

An anonymous reader writes: The author of the Magic ransomware strain has agreed to release all decryption keys for free if Utku Sen, a Turkish security researcher, takes down his Hidden Tear open-source ransomware project from GitHub. Sen has released multiple open source ransomware projects, which contained backdoors and encryption flaws. The flaws disrupted the plans of several ransomware operators. This particular ransomware author is Russian, while Sen is Turkish, so just like Putin and Erdogan, the two struggled to come to an agreement. Utku Sen finally agreed to take down the Hidden Tear repository in three days, while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.

34 comments

  1. Charge them by gurps_npc · · Score: 2
    Just agree to take it down if they pay $10 million, US.

    And then not take it down after they pay.

    What are they going to do? Sue?

    --
    excitingthingstodo.blogspot.com
    1. Re:Charge them by Anonymous Coward · · Score: 0
    2. Re:Charge them by Anonymous Coward · · Score: 0

      If the ransomware author is a good blockchain programmer, he could create an Ethereum script to check if the github page is still up. That way both parties trust a decentralized group of miners instead of each other.

  2. What's to stop Sen from putting it back up though? by Anonymous Coward · · Score: 1

    Pull it down, get the keys, put it back up... and the ransom author is screwt.

  3. So.. Mirror it? by Anonymous Coward · · Score: 0

    What's the big hubbub about?

  4. Re:What's to stop Sen from putting it back up thou by Anonymous Coward · · Score: 1

    You know what? It doesn't matter. I'm willing to bet that there are hundreds of Hidden Tear clones on the Darknet. This is a bitchslap party between a Russian and a Turkish guy.... these two countries have hated each other since the 1700s when they started battling each other for influence in the Balkans. And after the recent jet crash disaster, they'll hate each other for a couple of more years again.

  5. Worse than spammers... by moosehooey · · Score: 3, Insightful

    I've seen all the stuff people wish to happen to spammers. But I think ransomware operators are worse, and need to be strung up by the fucking balls.

    1. Re:Worse than spammers... by alvinrod · · Score: 5, Funny

      But I think ransomware operators are worse, and need to be strung up by the fucking balls.

      It's this kind of sexism that keeps women out of the Russian ransomware field.

    2. Re:Worse than spammers... by Daetrin · · Score: 1

      But I think ransomware operators are worse, and need to be strung up by the fucking balls.

      It's this kind of sexism that keeps women out of the Russian ransomware field.

      Actually, if this punishment was successfully implemented then very soon I expect there would be _only_ women in the Russian ransomware field.

      --
      This Space Intentionally Left Blank
    3. Re:Worse than spammers... by Anonymous Coward · · Score: 0

      How exactly do you propose to string someone up by their ovaries?

    4. Re:Worse than spammers... by Anonymous Coward · · Score: 0

      very carefully

    5. Re:Worse than spammers... by WallyL · · Score: 1

      and very painfully. Probably meathooks.

  6. go ahead and take it down, there are 338 forks now by Anonymous Coward · · Score: 1

    there are 338 forks on github (not to mention other copies floating around), it's not going anywhere.

    although I hope that pointing out the obvious doesn't scuttle the deal

  7. Github has history by Anonymous Coward · · Score: 0

    You know you really can't take down anything from github? If it's forked, it stays there.

    1. Re:Github has history by Lunix+Nutcase · · Score: 1

      Maybe Russians aren't familiar with Barbra Streisand?

  8. No. by Anonymous Coward · · Score: 0

    No truce with the shadow. No quarter with the Enemy. No peace while they draw breath.

  9. Totally in awe by Okian+Warrior · · Score: 5, Informative

    The first project he created was named Hidden Tear, and malware operators used it to create the Cryptear.B ransomware family. Unfortunately for the malware operators, the ransomware's encryption contained an encryption flaw, left intentionally by Utku in its source code, which allowed him and other security researchers to help victims decrypt their locked files without paying the ransom.

    The second project was the EDA2 ransomware, which didn't contain an encryption backdoor, but came with a fully-working C&C server admin panel, which contained a backdoor account.

    This second project was used for the Magic ransomware family. The problem is that the operator of this ransomware campaign decided to host the C&C server admin panel on a free hosting provider's infrastructure. Once the hosting provider discovered what the malware operator was up to, it shut down and deleted his account, inadvertently deleting the database with all the encryption keys.

    Utku Sen publicly apologized for this incident, and then removed the EDA2 ransomware project from GitHub, but with no doubt, the project is still shared via underground forums and black markets.

    So this guy made an open source ransomware project on GitHub with intentional backdoors, which was then downloaded and used, and security researchers then used the backdoors to thwart the ransomers?

    I am totally in awe of this person. Bravo!

    1. Re:Totally in awe by TheCarp · · Score: 2

      tbh, I hit comments to basically say what you did.

      This is a true hack deserving of the most venerable and Holy use of the term. I don my hat as Discordian Pope to call forth the name of Saint Utku Sen, Poisoner of Rats.

      I am cloning the repo myself the moment I finish typing this. This is wonderful, I hope he "pays" the ransom. I hope him "paying" the ransom ends up everywhere. I hope CNN carries the fucking story and does a 20 minute piece on it.

      Only good can come of this....Ransomware Authors are now getting dick slapped by the very apathy and greedy corner cutting that has had security guys ripping their hair out trying to get people to understand the dangers of.

      You mean.... idiot criminals with moderate to no coding skills are going to think they can make this work and are going to try to.... fix the crypto themselves! LOL! OMG this is wonderful. What is your beautiful secure code worth when some fucktart puts out some shit claiming to do the same thing for free? HA! Your secure code is worth dick now because your target audience is greedy fucks who don't even understand how they are fucking themselves.

      I bet their profits have gone through the fucking floor since this came out. And the beauty of git is....who gives a shit if the original gets taken down? The Streisand has called the lawyer now.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:Totally in awe by Anonymous Coward · · Score: 0

      I couldn't disagree more. I'm sure that some ransomware authors being thwarted by this is great consolation to those whose data was encrypted by the Magic ransomware and now can't be recovered because the encryption keys no longer exist. Although some ransomware authors might have been thwarted, the open source ransomware also caused unrecoverable damage. Even if the keys hadn't been deleted, some victims might have paid the ransomware author anyway. Others could have lost a lot of time because their files were encrypted for a time. Utku Sen apologizing for the incident isn't enough, either. Regardless of his motivations, he's a malware author. He needs to be in prison for what he did, not lauded as a hero. And if you view him that way, you have a warped view of the world.

    3. Re:Totally in awe by Anonymous Coward · · Score: 0

      I am so sure he gave out his help for free. Really he just used the ransomware to sell his "backdoor" service.
      He is as much a leech on society as those who downloaded his code.
      Try making something that someone would actually buy to make the world a better place.

    4. Re:Totally in awe by evolutionary · · Score: 1

      Just goes to show how lazy some people in the tech community are. Copy/Paste...in this case technology + psychology. Cute/Clever way to ferret out those fledgling blackmailers. (Wonder how many people who visited/downloaded from that project are being investigated...and how many of them bothered to hide their IPs before visiting..)

      --
      "Imagination is more important than knowledge" - Einstein
  10. Re:What's to stop Sen from putting it back up thou by smooth+wombat · · Score: 1

    It wasn't a jet crash, it was Russia deliberately ignoring repeated warnings their jet was about to enter Turkish airspace and Turkey doing what they said they would.

    It is also interesting to note how certain Russia was they never entered Turkish air space and had the jet black box data to prove it, right up until the chips in the black box were, unsurprisingly, damaged and their data unrecoverable.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  11. Re:What's to stop Sen from putting it back up thou by nomad63 · · Score: 2

    Yet Lenin was the one who gave about 40000 rifles and ammunition and about 200 kilograms of gold to finance the Kuva-i Milliye, the militia fighting what was later going to be called the Turkish Liberation War, against the mostly British, French and Greek armed forces. People making such assertions as "they hate each other since such and such time" should at least know the history a little. The reason why Russia and Turkiye are now at this impasse is because the Puppet Turkish president, with the hopes of evading the equivalent of being court-martialed and defecting to the US, is playing the hand of the US administration. Yes, there might have been an incursion into Turkish airspace, and if so the Turkish air forces were in their right to down that plane etc., but these are not what we, the eternal people, know the real truths about. It is the Kabuki theater play put forward for the masses to believe.

    --
    The more I know people, the more I love animals
  12. Re: What's to stop Sen from putting it back up tho by Anonymous Coward · · Score: 0

    Let me help you. Your tinfoil hat must have fallen off.

  13. Re:What's to stop Sen from putting it back up thou by hey! · · Score: 1

    This is a bitchslap party between a Russian and a Turkish guy.... these two countries have hated each other since the 1700s when they started battling each other for influence in the Balkans. And after the recent jet crash disaster, they'll hate each other for a couple of more years again.

    Some people I guess are just a waste of perfectly good protoplasm. Extorting money I can understand, although I don't agree with it. But life is way too short; there's something pathetic about people who can't think of better things to do with theirs than rehash some conflict from centuries before they were born.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  14. where do you get ransomware? by Anonymous Coward · · Score: 0

    Maybe I'm watered down or wiser to know to install NoScript and AdBlock, but I don't see where these infections come from...people searching for free cat screensavers, opening email attachments...I can remember being in college and curious about viruses, using AltaVista to search for such info and sites in the uni library...there was a site of an animated volcano (iirc) with a scrolling counter of infected..presumably from visiting the site??? This was when DSL was new and cool, yet I couldn't get it in my apt due to infrastructure issues. Is it spear phishers? Darknet wanderers?

  15. Distributed Source Control... by lloy0076 · · Score: 1

    They do know that the source control on GitHub is designed to be distributed? Taking it down there won't by any means stop its ability to remain version controlled...

  16. Re:What's to stop Sen from putting it back up thou by Cito · · Score: 1
  17. What's the point? by dark_requiem · · Score: 2

    What in the world could be the point of this? Suppose the deal goes through as described. From the security researcher's perspective, the code is already in the wild, downloaded repeatedly. Could easily be forked to a new project, hosted by someone else, etc. It will be back up and online the moment he takes it down. From the malware author's perspective, if he gives up all the existing keys, he loses his current "market", but he can just change the keys, and redeploy his malware. So, the malware author gains nothing because the project will undoubtedly remain online. The security researcher gains nothing, since the malware author can just deploy a new version with different keys. So, the exchange does nothing but generate headlines. Nothing else accomplished.

    1. Re:What's the point? by cbhacking · · Score: 1

      Well, we get to mock an idiot criminal (which, to be fair, is the most common kind) who used somebody else's intentionally-backdoored code in an attempt to extort money out of people. That's some high-grade stupid right there...

      --
      There's no place I could be, since I've found Serenity...
  18. Re:What's to stop Sen from putting it back up thou by jabuzz · · Score: 1

    There is also the NATO radar logs which prove that the plane entered Turkish air space. There is not a hope in hell that Turkey would have had full NATO backing for their actions if that data did not exist.

    Unfortunately the great hopes of 25 years ago are all coming crashing down. Russians, and in particular Putin, are suffering from what I call "Pershing Syndrome", that is they don't believe they lost the cold war and we will have to do it all over again.

  19. Infect Putin's machine by Anonymous Coward · · Score: 0

    Someone infect Putin's personal computer and let the secret police remove this stain from the population.