Slashdot Mirror


Malware Operator Barters With Security Researcher To Remove Open Source Ransomware Code (softpedia.com)

An anonymous reader writes: The author of the Magic ransomware strain has agreed to release all decryption keys for free if Utku Sen, a Turkish security researcher, takes down his Hidden Tear open-source ransomware project from GitHub. Sen has released multiple open source ransomware projects, which contained backdoors and encryption flaws. The flaws disrupted the plans of several ransomware operators. This particular ransomware author is Russian, while Sen is Turkish, so just like Putin and Erdogan, the two struggled to come to an agreement. Utku Sen finally agreed to take down the Hidden Tear repository in three days, while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.

7 of 34 comments

  1. Charge them by gurps_npc · Score: 2
    Just agree to take it down if they pay $10 million, US.

    And then not take it down after they pay.

    What are they going to do? Sue?

    --
    excitingthingstodo.blogspot.com
  2. Worse than spammers... by moosehooey · Score: 3, Insightful

    I've seen all the stuff people wish to happen to spammers. But I think ransomware operators are worse, and need to be strung up by the fucking balls.

    1. Re:Worse than spammers... by alvinrod · Score: 5, Funny

      But I think ransomware operators are worse, and need to be strung up by the fucking balls.

      It's this kind of sexism that keeps women out of the Russian ransomware field.

  3. Totally in awe by Okian+Warrior · Score: 5, Informative

    The first project he created was named Hidden Tear, and malware operators used it to create the Cryptear.B ransomware family. Unfortunately for the malware operators, the ransomware's encryption contained an encryption flaw, left intentionally by Utku in its source code, which allowed him and other security researchers to help victims decrypt their locked files without paying the ransom.

    The second project was the EDA2 ransomware, which didn't contain an encryption backdoor, but came with a fully-working C&C server admin panel, which contained a backdoor account.

    This second project was used for the Magic ransomware family. The problem is that the operator of this ransomware campaign decided to host the C&C server admin panel on a free hosting provider's infrastructure. Once the hosting provider discovered what the malware operator was up to, it shut down and deleted his account, inadvertently deleting the database with all the encryption keys.

    Utku Sen publicly apologized for this incident, and then removed the EDA2 ransomware project from GitHub, but with no doubt, the project is still shared via underground forums and black markets.

    So this guy made an open source ransomware project on GitHub with intentional backdoors, which was then downloaded and used, and security researchers then used the backdoors to thwart the ransomers?

    I am totally in awe of this person. Bravo!

    1. Re:Totally in awe by TheCarp · Score: 2

      tbh, I hit comments to basically say what you did.

      This is a true hack deserving of the most venerable and Holy use of the term. I don my hat as Discordian Pope to call forth the name of Saint Utku Sen, Poisoner of Rats.

      I am cloning the repo myself the moment I finish typing this. This is wonderful, I hope he "pays" the ransom. I hope him "paying" the ransom ends up everywhere. I hope CNN carries the fucking story and does a 20 minute piece on it.

      Only good can come of this....Ransomware Authors are now getting dick slapped by the very apathy and greedy corner cutting that has had security guys ripping their hair out trying to get people to understand the dangers of.

      You mean.... idiot criminals with moderate to no coding skills are going to think they can make this work and are going to try to.... fix the crypto themselves! LOL! OMG this is wonderful. What is your beautiful secure code worth when some fucktart puts out some shit claiming to do the same thing for free? HA! Your secure code is worth dick now because your target audience is greedy fucks who don't even understand how they are fucking themselves.

      I bet their profits have gone through the fucking floor since this came out. And the beauty of git is....who gives a shit if the original gets taken down? The Streisand has called the lawyer now.

      --
      "I opened my eyes, and everything went dark again"
  4. Re:What's to stop Sen from putting it back up thou by nomad63 · Score: 2

    Yet Lenin was the one who gave about 40000 rifles and ammunition and about 200 kilograms of gold to finance the Kuva-i Milliye, the militia fighting what was later going to be called the Turkish Liberation War, against the mostly British, French and Greek armed forces. People making such assertions as "they hate each other since such and such time" should at least know the history a little. The reason why Russia and Turkiye are now at this impasse is that the puppet Turkish president, with the hope of evading the equivalent of being court-martialed and defecting to the US, is playing the hand of the US administration. Yes, there might have been an incursion into Turkish airspace, and if so, the Turkish air force was within its rights to down that plane, etc., but these are not what we, the eternal people, know the real truths about. It is the Kabuki theater play put forward for the masses to believe.

    --
    The more I know people, the more I love animals
  5. What's the point? by dark_requiem · Score: 2

    What in the world could be the point of this? Suppose the deal goes through as described. From the security researcher's perspective, the code is already in the wild, downloaded repeatedly. Could easily be forked to a new project, hosted by someone else, etc. It will be back up and online the moment he takes it down. From the malware author's perspective, if he gives up all the existing keys, he loses his current "market", but he can just change the keys, and redeploy his malware. So, the malware author gains nothing because the project will undoubtedly remain online. The security researcher gains nothing, since the malware author can just deploy a new version with different keys. So, the exchange does nothing but generate headlines. Nothing else accomplished.