FANDOM


HiddenTear is an open-source ransomware project that was initially developed for educational purposes back in 2015 by Turkish researcher Utku Sen. However, cyber criminals such as the Magic ransomware gang did not wait too long to adapt the code and use it for money extortion purposes, by encrypting files with AES-256.

HiddenTear has a modifiable ransomware kit, meaning that even novice black hats / "script kiddies" could use the code. It resulted in a massive outbreak of viruses that are based on HiddenTear code, such as Winsec virusBlackRoseKarmenKampret, Mora Project, EduCrypt, Sorry, ScorpionLocker, to give some examples. The viruses appended a variety of different file extensions (.lock, .cerber, .LoveYou, .Lime, for example, and most are the same extensions that more serious ransomware uses, like Cerber), and prevented victims from accessing them unless they pay for the decryption key.

The ransomware contains a number of flaws, that made every variant decryptable, by using a specific software called "Hidden Tear Decryptor", by Michael Gillespie (link) and "Hidden Tear Bruteforcer" (link) they were mostly put by Utku Sen as way to make the ransomware completely unusable if not re-written completely.

Details

Transmission

Hidden Tear itself has been spread hidden under the fake Skype application called the “skypetool.exe”, This tool can be distributed on malicious websites disguised as a software update, lottery winning announcement or a download button. The malicious file can also access your system through deceptive email attachments in which it may be presented as a piece of invoice information, speeding ticket or other supposedly important documents.

Infection

It infiltrates the system disguised as a legitimate application (in the original version, it was disguised as Adobe PDF file) and blocks access to the user’s files by encrypting them. When it's run, Hidden Tear will generate a sequence of 15 characters, it's used as a key by using the non-cryptographically secure "Random" class; the character sequence is sent to a C&C, with the computer name. The original Hidden Tear will search for the "test" folder in the Desktop, it will encrypt every file on it. For every file, the global key is turned to a SHA256 byte sequence; it's "randomized" by using a fixed salt and then turned into both a byte sequence that represents an AES-256 key and an IV for the AES-256 class, Hidden Tear uses the class "RijndaelManaged". The file is encrypted in its whole. The encrypted files can be recognized from the unusual extension, ".isis" added after the original file names. Then, this malware drops a “ransom” note in the "test" folder, typical of ransomware. This note does not require the victim to pay for the locked files or threaten to delete them if the ransom is not paid in time, in the original Hidden Tear version. Files can be decrypted by using the aforementioned decryptor, for every variant of Hidden Tear, without having contact with the malware authors. The "README.TXT" file features a message, similar to the one below:

Well hello there, seems you have a virus! Well you are going to get the decryptor which is here 
http://www.filedropper(.)com/decrypter_1 Don’t Download Random Sh*t On The Internet A Hidden .txt File 
Has Been Created With The Decrypt Password! Find It!..

Note that the message above is uncensored, and thus contains vulgar words.

Flaws

Hidden Tear is flawed-by-design ransomware, being by itself just a demonstration.

  • Hidden Tear doesn't use a CSPRNG (a cryptographically secure random number generator, like "RNGCryptoServiceProvider") to generate the key, instead, it uses the "Random" class, that generates easily predictable sequences. Also, it uses a fixed list of bytes that the ransomware can derive as AES-256 key, the alphabet, and some special characters when a cryptographically secure key uses every single byte that can be used; thus, it makes brute force possible.
  • Hidden Tear does use the class "Rfc2898DeriveBytes", a class that derives insecure byte sequences, but that requires both random number of iterations and a random salt value. Hidden Tear works by using a fixed salt value and a fixed number of iterations. The key is thus never randomized in this step, never derived into a cryptographically secure key, the same happens with the IV. So, Hidden Tear uses the same predictable byte sequences for the IV and the cryptographically secure key; the class is used for the method "GetBytes", that returns a fixed amount of bytes. Re-using the same IV, due to this method of working is a big flaw for the CBC mode that Hidden Tear uses (link to CWE page).
  • Hidden Tear sends the key in clear text, without using any form of asymmetric cryptography, this is bad practice overall; network loggers can sniff the key out of the network and use it back to decrypt files. It also uses the computer name as an identifier, that is not completely random information (like it would be a truly random character sequence) and computers with the same name can occur frequently.

These flaws affect every Hidden Tear variant.

Variants

  • HiddenTear 2.0: This version of ransomware encrypts files and provides data recovery instructions in "README.TXT" file. The ransom note tells that victims have to use a password in "DecryptPassword.txt" file that has been hidden somewhere in the targeted computer. However, the file is located in My Documents folder.
  • Faizal: This malware spreads as a fake installer package of “Street Racing Club” game which is popular in Southeast Asia. However, ransomware mostly aims at Indonesian computer users. To the encrypted files, it appends ".gembok" file extension. Following data encryption, the virus delivers a ransom note called "PENTING !!!.htm" where cybercriminals ask to send a voucher code of 100.000 Indonesian Rupees to "leprogames777@gmail.com".
  • Kindest: It’s an educational version of Hidden Tear ransomware. Instead of encrypting files, ransomware asks to show a YouTube video about file-encrypting viruses. Once the user finishes watching the video, the malware is supposed to delete itself. 
  • FailedAccess: Also known as "CryptoSomware" virus, this cyber threat appends the ".FailedAccess" file extension and demands to pay the ransom. However, victims of the ransomware can use StupidDecryptor (a decryptor for the Stupid Ransomware, a variant of Hidden Tear that uses a hardcoded IV and key), and restore corrupted files for free.
  • Mordor: The virus uses AES-256 cryptography to damage files on the targeted computers. Once all files have the ".mordor" extension, it opens a ransom note from "READ_ME.html" file. Written in English, Japan, Italian, Chinese, Indian, Portuguese, French and German languages, the ransom note says that victims have to pay 0.07066407 BTC in order to recover the files.
  • Ruby: The virus made by Hayzam Sheriff is designed to append the ".ruby" file extension to each of the targeted data. Once this hazardous task is done, the malware automatically opens a ransom note "rubyLeza.html". However, the author of the virus does not reveal how much Bitcoins victims have to transfer.
  • GruxEr: This variant of HiddenTear uses three executables to run different malicious programs on the affected computer: "TEARS.exe", "WORM.exe", and "GRUXER.exe". Nevertheless, the malware encrypts numerous file of types; the priority is JPG files. Cybercriminals provide data recovery instructions in "READ_IT.TXT" file and run a program window. In order to decrypt corrupted data, victims are asked to pay $250 in Bitcoins.
  • Decryption Assistent: This malware spreads as a fake Adobe Flash Player update. Once the victim installs it, ransomware starts encrypting files and appending the ".pwned" file extension to each of them. Then it runs a program window that includes data recovery instructions and the timer that shows how much time left to pay the ransom.
  • MoWare H.F.D: The significant feature of the ransomware is added file extension (.H_F_D_locked) file extension. Then malware informs about the possibility to obtain decryption software for 0,02 BTC. However, if users do not take this offer within 4 days, the size of the ransom will increase to 0,05 BTC. After transferring the money, victims need to contact hackers via "heyklog@pronmail.com" and send their Bitcoin transaction ID.
  • Crying: This file-encrypting virus enters the system as "ECRYING.exe" file and will encrypt files with AES-256 cryptography. After encryption, all targeted files have ".crying" file extension. It also installs a ransom note called "READ_IT.txt" and runs a program window where authors of Crying malware gives Bitcoin wallet address where victims have to transfer the ransom.
  • R3store: The virus marks targeted files with .r3store file extension that prevents victims from using them. It downloads a ransom note called READ_IT.txt to each folder that includes encrypted data. The ransom-demanding message reveals that data recovery with hackers‘ software costs $450.
  • Resurrection: It encrypts files with AES-256 cipher and adds .(random).resurrection file extension to the targeted data. Once it‘s done, ransomware opens the README.html file in browser‘s window. Here cybercriminals ask to contact them via resurrection777@protonmail.com and transfer 1.77 Bitcoin in order to get a decryption key.
  • Executioner: It’s a Turkish version of Hidden Tear malware. It appends a random file extension to encrypted files and provides ransom payment instructions in .txt and .html files. The Sifre_Cos_Talimat.html informs that victims have to contact attackers executioner.ransom@protonmail.com and send 150 in Bitcoins. 
  • KKK: This malware spreads as an obfuscated Facebook.exe file. Undoubtedly, the file name is tricky and misleading. Once this payload is downloaded to the system, the malware starts data encryption and adds .KKK file extension to targeted files. Then malware runs an “Information” window that provides instructions on how to redeem encrypted files. To get back their files, people have to transfer 0,05 BTC.
  • Beethoven: The virus is designed to encrypt files using a combination of AES and RSA ciphers. It appends .beethoveN extension to each of the targeted file. Once it's done malware delivers ransom payment instructions in the "FILELIST.TXT" file and program window. Victims are supposed to transfer the ransom within 168 hours.
  • CryMore: The hacker named “TMC” was inspired by WannaCry and make a virus whose name resembles the infamous cyber threat. Ransomware uses AES encryption to lock the most popular types of files on the affected computer. In the poorly written ransom note, victims are asked to pay the ransom within 12 hours. Later the demanded sum of money will increase.
  • CryptoGod: During data encryption, the virus adds ".payforunlock" file extension to each of the targeted document, audio, video, image, and other files. The ransom note tells of paying 0.03 BTC for data recovery. The size of the payment will increase up to 0.05 BTC after the provided deadline. After the transaction, victims have to send an email to "cryptogod@airmail.cc".
  • $usyLocker: This variant of HiddenTear is executed from VapeHacksLoader.exe. After infiltration, the malware encrypts data and appends.WINDOWS file extension. In the ransom note called READ_IT.txt criminals inform that victims have to pay 0.16 Bitcoins. This ransomware is infamous for not checking if payments are done and to not actually saving the encryption key, making it a wiper (if it hadn't the Hidden Tear flaws inside itself). (link) 
  • CryForMe: The virus pretends to be related to the infamous WannaCry ransomware. Malware is executed from "CryForMe.exe". On the affected device it starts data encryption procedure immediately. When all targeted files are secured, the malware runs a blue ransom-demanding window. Cybercriminals ask to pay €250 in bitcoins within 7 days time.
  • Mora Project: This variant of Hidden Tear prevents victims from opening their files by appending ".encrypted" file extension. People are suggested to use "The-decrypter.exe" program to recover their files for $40.000.
  • FlatChestWare: This ransomware presents a few interesting features. While the operation mode does not differ much from its previous versions, as it encodes files and appends ".flat" file extension to the affected data, it displays a fake Windows UAC message. After the user opens the "FlatChestWare.exe" file gets executed, the malware will prompt a User Account Message asking the user to restart the system in order for the supposed Windows update to complete successfully. Note that there the genuine Windows Update messages slightly differ. Latest messages do not remind you to save data. Furthermore, in Windows 10 systems such messages do not appear anymore. A similar message appeared due to the bug in 2918614. It seems that the developer – the fan of anime – failed to make the malware a full-fledged malware as this version is decryptable. 
  • Sorry: Detected at the end of March 2018, it's the latest variant based on this open-source ransomware project. Upon successful infiltration, the ransomware runs a task called "John Cena", "schtasks.exe" file, which is responsible for rooting, and releases multiple "cmd.exe" scripts, including the one that commands to remove Volume Shadow Copies through "vssadmin" command. After that, Sorry virus changes the extensions of the most files to ".sorry" and creates a ransom note, in the path "C:\Windows\hrf.txt". It uses AES-256. The victim of the Sorry ransomware is demanded to pay the ransom, which currently ranges from $500 to $1500 in Bitcoins. 
Community content is available under CC-BY-SA unless otherwise noted.