Ransomware blueprints published on GitHub in the name of education

Turkish security bod Utku Sen has published what appears to be the first openly available source code for ransomware – free for people to use and spread. The "Hidden Tear" ransomware, available on GitHub, is a functional version of the malware the world has come to hate; it uses AES encryption to lock down files and can …

  1. Steven Roper

    Gutter scum

    Anyone caught using ransomware deserves to be slowly tortured to death, preferably by methods involving the use of a rusty hacksaw blade and a drum of battery acid. These fuckers are the scum of the Earth, and if I were ever to get my hands on one I would gladly serve some hard time for what I'd do to the bastard.

    1. This post has been deleted by a moderator

      1. This post has been deleted by its author

      2. Steven Roper

        Re: Gutter scum

        And how old are you, Anonymous Gutless Twat, 8?

        1. This post has been deleted by a moderator

  2. Anonymous Coward
    Anonymous Coward

    lines of code

    "Github moderators will no doubt evaluate that claim. The site has not, at the time of writing, killed off the repository which may skirt the edges of its terms of service."

    It's just code, bro.

  3. Mark 85 Silver badge

    So his purpose was...???

    I fail to see the purpose unless it's educating script kiddies. Being "open source" will allow someone or a group of someones to improve it. This just doesn't appear to be a good thing.

    1. Pascal Monett Silver badge

      Well I hope it'll still be up by the time I get to a PC where I can download it.

      I'm interested in finally getting a look-see at a part of what I've been fighting against for the past twenty years (on and off, every time someone I know brought me a PC to clean).

      If I can learn what they do, maybe I can better make people around me understand that THEY SHOULD STOP CLICKING ON BLOODY EVERYTHING.

      1. mythicalduck

        I'm interested in finally getting a look-see at a part of what I've been fighting against for the past twenty years

        Have you never used an encryption library?

        Literally, there's nothing more complicated than:

        1. Generate a "password"

        2. Recurse through all the drives on a computer looking for *.do*, *.xl*, *.jp*

        3. Encrypt all files found using the password

        4. Post off the password and some computer ID to a webserver you control

        The hardest part about this is having a server that can't easily be tracked

      2. VinceH
        Unhappy

        "If I can learn what they do, maybe I can better make people around me understand that THEY SHOULD STOP CLICKING ON BLOODY EVERYTHING."

        Good luck with that.

  4. Anonymous Coward
    Anonymous Coward

    Shouldn't be up.

    But I have downloaded it for a look-see... I can understand the encrypting to a point. I get lost at where they encrypt each file with a different key, but only one is referred back to the website, i.e. one will unlock it all for you.

    I'm sure it's something simple that I'm misunderstanding. Why am I interested? I don't trust documents in the cloud, and the ransomware people have got the encryption happening BAAD!

    I don't condone this type of thing, and hope it gets taken down, but for some it could be helpful.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shouldn't be up.

      You downloaded evil code and that makes you a bad person. Every line of code you read radicalized you by helping you understand the terror technique known as encryption.

    2. David Roberts Silver badge

      Re: Shouldn't be up.

      I expect it is because if you encrypt a vast number of known files with the same key then it becomes easier to analyse and recover that key.

      So you encrypt each file with a unique key, then encrypt the table of files and keys with another key which you then ship off to the server.

      Also less network traffic.

      1. Michael Wojcik Silver badge

        Re: Shouldn't be up.

        I expect it is because if you encrypt a vast number of known files with the same key then it becomes easier to analyse and recover that key.

        A "vast number of known files"? How many files does the typical victim have? You know of a known-plaintext attack against AES? And one that works with, what, a few hundred GB of data?

        If the encryption is any good, then no, it does not become easier to recover the key - unless you happen to be in the possession of an unpublished and remarkably valuable attack against a modern symmetric cipher, in which case you presumably know enough to secure your systems against infection by ransomware in the first place.

        So you encrypt each file with a unique key, then encrypt the table of files and keys with another key which you then ship off to the server.

        Even if this were necessary (or useful), there's no need to generate a new completely independent key for each file and then send a whole list of them back to the server. This protocol is just as secure:

        1. Let H be a cryptographic hash function with an output at least as long as the encryption algorithm's key length.

        2. Generate random initial key K0 which is sent to the server.

        3. Encrypt the first file with K0.

        4. Subsequent keys are generated with Ki+1 = H(Ki). If necessary a padding function such as PKCS#7 padding can be used to extend the input to H.

        The ransomware ... administrator? bandit? ... can generate the same series of Kn, since he has K0 and knows what H was used. Assuming H has no known weaknesses, each Ki is equally strong. Even if, say, 10000 files are encrypted, it's not very expensive to try on average 2500 keys [1] to decrypt the first block of a file and see if it looks right [2], for a total of 25 million decryption operations for key-identification purposes.

        I've never looked into ransomware in any detail. If I were writing it, I certainly wouldn't bother with this pointless multiple-key scheme; but if for some reason I did, I wouldn't generate an independent key for each file. That's just silly.

        [1] For the first file, you have to try on average 5000 keys to find the right one out of the 10000. For the last file, you only have one key left, because when you find a correct key you discard it after decrypting the file (each key was only used once). So the average is 2500 keys per file across all the files.

        [2] Assuming that the ransomware in question only encrypts files of a type it recognizes, and that most or all of these can be identified using bytes in the first block. Maybe we have to try a few false-positive keys or decrypt a couple of blocks; that doesn't significantly increase the cost. And the cost is borne by the victim anyway, so why would the attacker care?
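A worked version of the hash-chained key schedule and the key-identification loop described in the comment above, including the footnoted "discard a key once it has worked" trick. This is an added example written for this page; it is not Hidden Tear's code and not the commenter's. Assumptions: H is SHA-256 (its 32-byte output equals the key length, so no padding step is needed); the per-file cipher is a stand-in stream cipher built from SHA-256 so the block runs with only the Python standard library (a real implementation would use AES-GCM with the same key schedule); the sample "files" are constructed in memory with the magic bytes of common document types, and the victim's recovery tool sees them in shuffled order, as a filesystem walk would not reproduce the encryption order.

```python
"""Per-file keys from one root key: Ki+1 = H(Ki). Constructed demo, see lead-in."""
import hashlib
import os
import random
from typing import Dict, List, Tuple

KEY_LEN = 32          # 256-bit keys
NONCE_LEN = 16
PROBE = 16            # plaintext bytes examined when identifying a file's key
# Magic bytes of file types ransomware commonly targets (constructed list):
# PDF, zip-based Office (docx/xlsx), JPEG, legacy OLE Office (doc/xls).
MAGIC = (b"%PDF-", b"PK\x03\x04", b"\xff\xd8\xff", b"\xd0\xcf\x11\xe0")


def next_key(k: bytes) -> bytes:
    """Ki+1 = H(Ki) with H = SHA-256; output length already equals KEY_LEN."""
    return hashlib.sha256(k).digest()


def key_chain(k0: bytes, n: int) -> List[bytes]:
    """K0, K1 = H(K0), K2 = H(K1), ... for n files; anyone holding K0 can rebuild it."""
    keys = [k0]
    while len(keys) < n:
        keys.append(next_key(keys[-1]))
    return keys


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: keystream block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def looks_plausible(head: bytes) -> bool:
    """Footnote 2: a correct key reveals a recognisable file header in the first bytes."""
    return head.startswith(MAGIC)


def infect(files: Dict[str, bytes]) -> Tuple[bytes, Dict[str, bytes]]:
    """Attacker side: one random K0 goes to the server; file i is encrypted with Ki."""
    k0 = os.urandom(KEY_LEN)
    keys = key_chain(k0, len(files))
    enc = {name: encrypt(k, data) for (name, data), k in zip(files.items(), keys)}
    return k0, enc


def recover(k0: bytes, enc: Dict[str, bytes]) -> Tuple[Dict[str, bytes], int]:
    """Victim side after paying: rebuild the chain from K0, then find each file's key by
    trial-decrypting its first PROBE bytes. A key that worked is removed from the pool
    (footnote 1), so later files need fewer trials. Returns plaintexts and trial count."""
    remaining = key_chain(k0, len(enc))
    out: Dict[str, bytes] = {}
    trials = 0
    for name, blob in enc.items():
        for i, k in enumerate(remaining):
            trials += 1
            if looks_plausible(decrypt(k, blob[:NONCE_LEN + PROBE])):
                out[name] = decrypt(k, blob)
                del remaining[i]
                break
        else:
            raise ValueError(f"no key in the chain decrypts {name}")
    return out, trials


def demo(n_files: int = 200, seed: int = 1) -> Tuple[bool, int]:
    """Encrypt n constructed files, shuffle them, recover from K0 alone.
    Returns (all plaintexts recovered?, number of trial decryptions)."""
    rng = random.Random(seed)
    files = {
        f"doc{i}": rng.choice(MAGIC) + bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 300)))
        for i in range(n_files)
    }
    k0, enc = infect(files)
    names = list(enc)
    rng.shuffle(names)                      # recovery tool walks the disk in its own order
    plain, trials = recover(k0, {n: enc[n] for n in names})
    return plain == files, trials


if __name__ == "__main__":
    ok, trials = demo()
    print(f"recovered={ok} trials={trials} (worst case {200 * 201 // 2})")
```

The trial count comes out near n²/4 as the footnote predicts, against a worst case of n(n+1)/2; storing the chain index next to each ciphertext would remove the search entirely, which is one reason a real decryptor would not rely on header sniffing.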

  5. David Roberts Silver badge
    Coat

    Personal ransomware?

    If you are concerned that you may be asked for the encryption key for your pr0n stash by the authorities, you could always infect your PC with ransomware so that when it boots you can claim you have just been hacked and have no idea how to recover your data.

    Hmmm....ransomware as a service?

    Have a 3rd party encrypt your PC before you travel then pay them to decrypt it afterwards?

    [Don't try this at home, children.]

    Mine's the crusty brown one with a copy of Debbie Does Dallas in the pocket.

    1. Michael Wojcik Silver badge

      Re: Personal ransomware?

      Have a 3rd party encrypt your PC before you travel then pay them to decrypt it afterwards?

      Bruce Schneier suggested this protocol to protect hard-drive contents from rapacious Customs agents.

      In his version, you encrypt the drive, put the key on a USB drive, and mail that to a contact in the country you're traveling to. You make sure that you don't have a copy of the key, so that when questioned you can truthfully say you can't decrypt the drive. (I don't have a link handy - I think this appeared in his blog and his CRYPTO-GRAM newsletter.)

      Of course, as Randall Munroe has pointed out, authorities tend not to let you get away with this sort of life hack. And that's particularly true, at least for US borders, where following the letter of the law seems to carry little weight with Customs.

  6. Anonymous Coward
    Anonymous Coward

    Just a thought...

    ... but having looked over the code available on GitHub, I question this guy's supposed skill set.

    The code will create quite a mess, and does indeed do what is claimed, but is certainly not very good at it. Despite the fact that I have never written an app with this specific outcome, I have done all the component parts, and actively use most of them in my daily job. Also, looking at his site, he seems to be quite open about his accomplishments, none of which are that impressive either.

    I've never been hit with any kind of ransomware, but am oddly curious now about the actual level of damage inflicted given that the code I have now seen makes it simple to recover from.

    Anonymous, because I know not to push my luck.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just a thought...

      I have seen two hits by ransomware. The code was a simple "for God's sake, don't click the exe!" It simply scanned through the directories and encrypted each in turn, dumping its advertising that you have been hit as simple HTML files.

      Now, one of these was trampled by antivirus, but not before it had encrypted half a dozen directories in my documents.

      The other completed the whole system.

      There is no finesse... no finely crafted tricks in hiding, just a blatant smash and encode, and it works?!? WTF!!!

      1. Michael Wojcik Silver badge

        Re: Just a thought...

        There is no finesse... no finely crafted tricks in hiding, just a blatant smash and encode, and it works?!?

        I'm not at all surprised. What finesse would be needed? The user ran a program to encrypt a bunch of files. On a Windows system, it's basically the same as running "cipher /e /s *", except using a third-party program rather than the built-in EFS utility cipher.exe. Or similarly with gpg or whatever tool you like.

        Now, in the particular case of ransomware, the user foolishly ran an encryption "utility" that ships the key off to someone who can extort the user, rather than giving it to the user. But that's just a minor tweak to the User Interaction Model.

        As I understand it, some ransomware is more sophisticated. It sits in the system for some time, silently decrypting the files it's encrypted on the fly, so that you don't know it's there - long enough to have had a reasonable chance of encrypting your backups as well. Then it springs the trap. That's a bit of subtlety (and a reason why you should verify backups from a different system). But that's clearly aiming at something a bit higher than the low-hanging fruit.

  7. Hilmi Al-kindy

    This is the first time I ever saw a moderated comment on here!

    1. Michael Wojcik Silver badge

      It's my understanding that they'll show it again if the author pays up.

    2. Fitz_

      Maybe they said something positive about Apple.

  8. Anonymous Coward
    Anonymous Coward

    I don't see the big deal here

    It's just code, and it's nothing unique nor technically challenging.

Biting the hand that feeds IT © 1998–2021