February 8, 2016 By Douglas Bonderud 2 min read

File this under “hardly surprising”: The educational, open-source ransomware created by Turkish security researcher Utku Sen has been spun off into 24 not-so-friendly variants including Magic, Linux.Encoder and Cryptear.B. While Sen was recently blackmailed into taking his Hidden Tear ransomware and follow-up project EDA2 off GitHub, this hasn’t stopped the spread of new iterations. Here’s a quick overview.

Hidden Tear Ransomware: Just Trying to Help?

As noted by SecurityWeek, Sen created his ransomware with a number of key flaws and limitations; for example, Hidden Tear would only encrypt files in a \test directory and wouldn’t work if the directory didn’t exist. Fundamental issues with encryption, meanwhile, meant that even malicious adaptations were no match for standard remediation techniques. But here’s the thing: Researchers from Kaspersky asserted that the InfoSec community already had a host of ransomware samples and didn’t really need an educational resource to help their learning curve.

SC Magazine pointed to the emergence of Hidden Tear ransomware variants and other open-source code as harbingers of “cheap and nasty ransomware” that attackers can pull from multiple sources, quickly adopt and then abandon when things go awry. Thankfully, much of it is little more than a nuisance.

For example, the author of Cryptolocker asked victims to email him for ransom demands, while the newly discovered Magic ransomware is demanding just one bitcoin to unlock its AES encryption — though no one has bothered to pay. There are a few more unpleasant varieties, however, such as Trojan-Ransom.MSIL.Tear.n, which encrypts user files but doesn’t bother with an encryption key, making it impossible to recover any data, according to Softpedia.

Open-Source Opportunities

Hidden Tear ransomware isn’t the only emerging open-source problem. As noted by Graham Cluley, a January 2016 malware attack on the Ukrainian electric power industry leveraged an open-source backdoor and caused a number of power outages and service interruptions. And last year, Gizmodo reported on the emergence of open-source bundles such as Tox, which creates a fully functioning — if rough around the edges — ransomware distributor.

The takeaway here? Educational malware isn’t necessary since companies have enough actual ransomware to analyze, and moderately skilled cybercriminals will turn the gift they’ve been offered into actual malware, flaws and all. Combined with other open-source code and prepackaged ransomware bundles, Hidden Tear signifies a market shift — encryption-based malware is quickly becoming an industry unto itself.

While this means more malicious code flooding corporate networks, it also comes with an unexpected bonus: standardization. Cybercriminals almost invariably opt for the cheapest, fastest solution, and right now that means prebuilt and open source.

InfoSec pros and security companies get a leg up because increasing code volume comes means a decrease in originality; finding and exploiting malware flaws becomes a matter of throughput rather than trial and error. Simply put? Poorly made malware means a smaller defensive learning curve.

More from

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - Quick recapThis blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device,…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today