Security Researchers Humble Braggadocio Ransomware Developer

A ransomware developer who claimed to be untraceable and impossible to find was humbled by security researchers in Poland.

The ransomware first came into the spotlight a couple of days ago, when security researcher Malekal Morte discovered that the malware was being spread through a YouTube video in which the ransomware developer advertised a Far Cry Primal crack.


The YouTube description contained a link to the Far Cry crack, which contained the ransomware. Once executed, the threat would encrypt the user’s files using AES encryption, append the “locked” extension to all encrypted files, and then ask for a payment of 0.5 Bitcoin (~$200 / ~€180).

Annoying ransom note made security researchers furious

This is the usual ransomware conduct, where files are encrypted and money is extorted, but what annoyed the security researchers was the ransom note left on all infected computers. In his note, the ransomware developer tried to shame victims, explained his behavior, and boasted that he’s never going to get caught. This led multiple researchers to join hands to analyze the ransomware strain.

Soon it was discovered that the “all so perfect” and “do no wrong” developer had used the open source EDA2 project to build the ransomware, which turned out to be his biggest mistake.

EDA2 is an open-source ransomware project that was hosted on GitHub for a few months between 2015 and 2016. A huge scandal broke out about it at the start of the year, and maybe the Polish ransomware developer didn’t know about it.

The reason we think so is that in that very scandal, it was learnt that the developer of EDA2 had left an intentional backdoor in the ransomware’s C&C server code.

Thereafter, it was just a matter of contacting Utku Sen, EDA2’s author, and using his backdoor to access the crook’s servers and steal all the ransomware encryption keys that were used to lock up user files.

Mr. Sen has made the decrypted keys available in a Dropbox file. For more information on the issue, users can post on this Bleeping Computer forum thread.

All in all there are 656 decryption keys in the Dropbox file, meaning the same number of affected users, and only three users paid the ransom, according to the Bitcoin wallet stats associated with this campaign.

In the end, the security researchers felt pretty happy about their effort to humble the self-proclaimed and pompous ransomware developer.

The threat

The Response