Blundering ransomware uses backdoored crypto, unlock keys spewed

A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware. The unnamed software nasty scrambles users' files on compromised Windows PCs using the AES algorithm. It appends the .locked extension to the ciphered documents before demanding that victims …

  1. EvilGardenGnome

    So much conflict...

    Backdoor. For good. Head explody want much.

    1. Alistair Silver badge
      Windows

      Re: So much conflict...

      @ EGG

      Sadly, in this case a one-off effect, but have to hand the fella serious kudos.

      1. EvilGardenGnome

        Re: So much conflict...

        Agreed, completely.

        The head explody desires come from the fact that there will be some numpty that will cite this as a reason that backdoors are good, rather than acknowledging it for the "exception that proves" that it is.

      2. Anonymous Coward

        Re: So much conflict...

        Before you hand him kudos, how many legitimate uses for this code has he now exposed to attack?

        And how many private systems has Utku Sen had access to that he shouldn't have had access to! It's not so much clean cut when it's "Turkish Hacker backdoored Crypto..." is it?

        And has anyone actually verified any of this? i.e. that he isn't also the malware provider doing a self promotion? I'm always suspicious when two things coincide... i.e. malware Y uses crypto from X, X also happens to analyse malware Y and finds his code.

        1. Sir Runcible Spoon Silver badge
          FAIL

          Legitimate uses...

          there are none.

          "A software developer whose example encryption code"

          Anyone using it is not doing so with his permission, obviously.

          1. Danny 14 Silver badge

            Re: Legitimate uses...

            Or just coding a "try this to get a code" and not releasing the fact that it had a backdoor. That way it merely looks like you have cracked their private key rather than levering another route. Still obfuscation but it would mean the scammers would be in the dark a little longer.

          2. Dan 55 Silver badge

            Re: Legitimate uses...

            "Anyone using it is not doing so with his permission, obviously."

            Next you'll be telling me I can't use Stack Overflow either.

            1. Sir Runcible Spoon Silver badge

              Re: Legitimate uses...

              @dan, are you suggesting that you would be using the Stack Overflow with the blessing of the OS maker?

              Hard to tell what parallel you are trying to draw here :)

              1. Dan Wilkie

                Re: Legitimate uses...

                I think he means Stack Overflow the website ;)

                1. Sir Runcible Spoon Silver badge

                  Re: Legitimate uses...

                  Thanks, that one flew straight through my ears :)

    2. Anonymous Coward

      Re: So much conflict...

      "Backdoor. For good. Head explody want much."

      It's not necessarily all good. Backdoors are easily removed from source code, especially now that everyone knows there is one there...

      Perhaps instead of writing and publishing nearly-functional code to show how these things work, what would have been wrong with a PDF presentation? That would have been far harder to convert to a nearly workable ransomware.

      Unfavorable Analogy

      What he's done is like leaving a mostly complete bomb lacking only a battery outside a battery shop with a sign on it saying "hey everyone, this is how a bomb is made, help yourself". And when someone's taken it he's got onto the local radio station and broadcast "it needs two AAs".

      We'd all certainly wonder at the intelligence of someone who did that... There's no point making it that easy for the bad guys.

    3. Dan 55 Silver badge
      Holmes

      Re: So much conflict...

      I don't know, what other legitimate servers have used this library and does he have access to them with the backdoor?

      If not him, what about others who are probably looking for the backdoor now?

    4. Anonymous Coward

      Re: So much conflict...

      I also publish relatively weak encryption code. That's because I teach the subject, and the code is deliberately made simple to enable students to obtain a more complete understanding of the _principles_ concerning how it works. You wouldn't use my code for a security system any more than you'd use Minix for a practical production operating system. But that's not the purpose of "proof of principle" simplest possible teaching aids. Removing implementation weaknesses results in more complex code which is more difficult to create and understand. Anyone who uses my teaching purposed code to implement a security system without reading the documentation accompanying it deserves what they get. You can't have more secure systems without enough engineers being educated concerning how security works. If someone used my code to implement easily overcome extortion malware then I'd consider this highly amusing.

  2. Number6

    Emails spreading the pathogen typically arrive with booby-trapped JavaScript attachments.

    So that explains the deluge of zipped JavaScript files in my junk mailbox then. I was planning to go analyse one out of curiosity when I get some spare time. I was guessing that it would probably download and execute some Windows code when run. I did spot the obfuscation of URLs on a brief look.

    1. PNGuinn
      FAIL

      deluge of zipped JavaScript files

      Yup, got an email today, pretending to have come from myself.

      Mmmm ..... "Y'know, I don't remember sending this an hour or so ago to myself when I was driving home ... looks a bit phishy to me ...."

      Turned out to be a blank email with an attachment. Said attachment turned out to be a zip file containing something .js

      I was tinted somewhat suspicious.

  3. herman Silver badge

    My guess is it is simple retribution since he didn't get paid.

  4. ecofeco Silver badge
    Gimp

    pwnage

    Some good old fashioned pwnage right there. l33t haxors FAIL!

  5. adnim Silver badge
    Happy

    Sorts out

    the copy/pasters from the coders. I smile.

  6. a_yank_lurker Silver badge

    Karma

    Some good karma going around.

  7. Old Handle

    Next time publish sample ransom server code with a backdoor that reveals the user's identity.

  8. Anonymous Coward

    Re. ransomfail

    Ironically I attended a presentation on ransomware this week, much useful information was learned.

    Namely never, ever pay them and ensure your backups are 3-2-1 including cold storage which can't be overwritten or changed.

    Tapes are all very well until someone decides to take them home as mementos because they have failed the self test, resulting in 3 heavies + Fuzz turning up to the old geezer's house because their online backups got trashed by a cascading database fail.

    hint: the data was recovered from that one lonely tape, fortunately saving the business.

  9. nono

    Not the first, unfortunately not the last either...

    Unfortunately that's far from the first ransomware based on eda2, including one trying to teach utku that you don't post a fully functional ransomware online and expect nothing to happen:

    http://www.bleepingcomputer.com/forums/t/603051/magic-ransomware-support-topic-magicexe-executable-and-adds-magic-extension/?p=3918298

Biting the hand that feeds IT © 1998–2019