Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software Open Source

Malware Operator Barters With Security Researcher To Remove Open Source Ransomware Code (softpedia.com) 34

An anonymous reader writes: The author of the Magic ransomware strain has agreed to release all decryption keys for free if Utku Sen, a Turkish security researcher, takes down his Hidden Tear open-source ransomware project from GitHub. Sen has released multiple open source ransomware projects, which contained backdoors and encryption flaws. The flaws disrupted the plans of several ransomware operators. This particular ransomware author is Russian, while Sen is Turkish, so just like Putin and Erdogan, the two struggled to come to an agreement. Utku Sen finally agreed to take down the Hidden Tear repository in three days, while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days.
This discussion has been archived. No new comments can be posted.

Malware Operator Barters With Security Researcher To Remove Open Source Ransomware Code

Comments Filter:
  • by gurps_npc ( 621217 ) on Tuesday January 26, 2016 @05:29PM (#51377575) Homepage
    Just agree to take it down if they pay $10 million, US.

    And then not take it down after they pay.

    What are the going to do? Sue?

  • Pull it down, get the keys, put it back up... and the ransom author is screwt.

    • by Anonymous Coward
      You know what? It doesn't matter. I'm willing to bet that there are hundreds of Hidden Tear clones on the Darknet. This is a bitchslap party between a Russian and a Turkish guy.... these two countries have hated each other since the 1700s when they started battling each other for influence in the Balkans. And after the recent jet crash disaster, they'll hate each other for a couple of more years again.
      • It wasn't a jet crash, it was Russia deliberately ignoring repeated warnings their jet was about to enter Turkish airspace and Turkey doing what they said they would.

        It is also interesting to note how certain Russia was they never entered Turkish air space and had the jet black box data to prove it, right up until the chips in the black box were, unsurprisingly, damaged and their data unrecoverable.

        • by jabuzz ( 182671 )

          There is also the NATO radar logs which prove that the plane entered Turkish air space. There is not a hope in hell that Turkey would have had full NATO backing for their actions if that data did not exist.

          Unfortunately the great hopes of 25 years ago are all coming crashing down. Russian's and in particular Putin are suffering from what I call "Pershing Syndrome", that is they don't believe they lost the cold war and we will have to do it all over again.

      • by nomad63 ( 686331 )
        Yet Lenin was the one who gave about 40000 rifles and ammunition and about 200 kilograms of gold to finance the Kuva-i Milliye, the militia fighting, what was later, going to be called as Turkish Liberation War, against the mostly British, French and Greek armed forces. People making such assertions as "they hate each other since such and such time" should at least know the history a little. The reason why Russia and Turkiye is now at this impasse was because the Puppet Turkish president, with the hopes of
      • by hey! ( 33014 )

        This is a bitchslap party between a Russian and a Turkish guy.... these two countries have hated each other since the 1700s when they started battling each other for influence in the Balkans. And after the recent jet crash disaster, they'll hate each other for a couple of more years again.

        Some people I guess are just a waste of perfectly good protoplasm. Extorting money I can understand, although I don't agree with it. But life is way too short; there's something pathetic about people who can't think of better things to do with theirs than rehash some conflict from centuries before they were born.

    • by Cito ( 1725214 )

      here ya go:

      http://pastebin.com/8JjSQyhP [pastebin.com]

      Enjoy

  • by moosehooey ( 953907 ) on Tuesday January 26, 2016 @05:44PM (#51377687)

    I've seen all the stuff people wish to happen to spammers. But I think ransomware operators are worse, and need to be strung up by the fucking balls.

    • by alvinrod ( 889928 ) on Tuesday January 26, 2016 @06:00PM (#51377773)

      But I think ransomware operators are worse, and need to be strung up by the fucking balls.

      It's this kind of sexism that keeps women out of the Russian ransomware field.

      • by Daetrin ( 576516 )

        But I think ransomware operators are worse, and need to be strung up by the fucking balls.

        It's this kind of sexism that keeps women out of the Russian ransomware field.

        Actually, if this punishment was successfully implemented then very soon i expect there would be _only_ women in the Russian ransomware field.

  • there are 338 forks on github (not to mention other copies floating around), it's not going anywhere.

    although I hope that pointing out the obvious doesn't scuttle the deal

  • Totally in awe (Score:5, Informative)

    by Okian Warrior ( 537106 ) on Tuesday January 26, 2016 @06:18PM (#51377893) Homepage Journal

    The first project he created was named Hidden Tear, and malware operators used it to create the Cryptear.B ransomware family. Unfortunately for the malware operators, the ransomware's encryption contained an encryption flaw, left intentionally by Utku in its source code, which allowed him and other security researchers to help victims decrypt their locked files without paying the ransom.

    The second project was the EDA2 ransomware, which didn't contain an encryption backdoor, but came with a fully-working C&C server admin panel, which contained a backdoor account.

    This second project was used for the Magic ransomware family. The problem is that the operator of this ransomware campaign decided to host the C&C server admin panel on a free hosting provider's infrastructure. Once the hosting provider discovered what the malware operator was up to, it shut down and deleted his account, inadvertently deleting the database with all the encryption keys.

    Utku Sen publicly apologized for this incident, and then removed the EDA2 ransomware project from GitHub, but with no doubt, the project is still shared via underground forums and black markets.

    So this guy made an open source ransomware project on GitHub with intentional backdoors, which was then downloaded and used, and security researchers then used the backdoors to thwart the ransomers?

    I am totally in awe of this person. Bravo!

    • by TheCarp ( 96830 )

      tbh, I hit comments to basically say what you did.

      This is a true hack deserving of the most venerable and Holy use of the term. I don my hat as Discordian Pope to call forth the name of Saint Utku Sen, Poisoner of Rats.

      I am cloning the repo myself the moment I finish typing this. This is wonderful, I hope he "pays" the ransom. I hope him "paying" the ransom ends up everywhere. I hope CNN carries the fucking story and does a 20 minute piece on it.

      Only good can come of this....Ransomware Authors are now getti

    • Just goes to show how lazy some people in the tech community are. Copy/Paste...in this case technology + psychology. Cute/Clever way to ferret out those fledgling blackmailers. (wonder how many people who visited/downloaded from that project are being investigated...and how many of them bothered to hid their IPs before visting..)
  • They do know that the source control on GitHub is designed to be distributed? Taking it down there won't by any means stop its ability to remain version controlled...

  • by dark_requiem ( 806308 ) on Tuesday January 26, 2016 @08:51PM (#51378743)
    What in the world could be the point of this? Suppose the deal goes through as described. From the security researcher's perspective, the code is already in the wild, downloaded repeatedly. Could easily be forked to a new project, hosted by someone else, etc. It will be back up and online the moment he takes it down. From the malware author's perspective, if he gives up all the existing keys, he loses his current "market", but he can just change the keys, and redeploy his malware. So, the malware author gains nothing because the project will undoubtedly remain online. The security researcher gains nothing, since the malware author can just deploy a new version with different keys. So, the exchange does nothing but generate headlines. Nothing else accomplished.
    • Well, we get to mock an idiot criminal (which, to be fair, is the most common kind) who used somebody else's intentionally-backdoored code in an attempt to extort money out of people. That's some high-grade stupid right there...

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...