{"id":12526,"date":"2016-07-07T14:07:36","date_gmt":"2016-07-07T18:07:36","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12526"},"modified":"2019-11-15T06:55:43","modified_gmt":"2019-11-15T11:55:43","slug":"ded-cryptor-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ded-cryptor-ransomware\/12526\/","title":{"rendered":"Ded Cryptor: Greedy ransomware with open-source roots"},"content":{"rendered":"<p>Recently, English- and Russian-speaking people were attacked with a new ransomware Trojan called Ded Cryptor. It\u2019s voracious, demanding a whopping 2 bitcoins (about $1,300) as ransom. Unfortunately, no decryption solution is available to restore files held hostage by Ded Cryptor.<\/p>\n<p>When a computer is infected with Ded Cryptor, the malware changes the system wallpaper to a picture of an evil-looking Santa Claus. A scary image and a ransom demand \u2014 sounds like any other ransomware, right? But Ded Cryptor has a really interesting origin story, kind of a thriller, with good and bad guys battling it out, making mistakes, and facing consequences.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021912\/ded-cryptor-screen-ru.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021912\/ded-cryptor-screen-ru.jpg\" alt=\"Ded Cryptor: Greedy ransomware with open-source roots\" width=\"1280\" height=\"768\" class=\"aligncenter size-full wp-image-12528\"><\/a><\/p>\n<h3>Ransomware for all!<\/h3>\n<p>It all started when <a href=\"https:\/\/twitter.com\/utkusen\" target=\"_blank\" rel=\"noopener nofollow\">Utku Sen<\/a>, a security expert from Turkey, created a piece of ransomware and <a href=\"https:\/\/github.com\/utkusen\/hidden-tear\" target=\"_blank\" rel=\"noopener nofollow\">published the code online<\/a>. 
Anybody could download it from GitHub, an open and free Web resource that developers use for collaborating on projects (the code was later removed; you\u2019ll see why in a bit).<\/p>\n<p>It was a rather revolutionary idea, making source code freely available to criminals, who would undoubtedly use it to make their own cryptors (and so they did). However, Sen, a white hat hacker, felt certain that every cybersecurity expert needs to understand how cybercriminals think \u2014 and how they code. He believed his unusual approach would help the good guys to oppose the bad guys more efficiently.<\/p>\n<p>An earlier project, the Hidden Tear ransomware project, was also part of Sen\u2019s experiment. From the very beginning, Sen\u2019s work was meant for purposes of education and research. With time, he developed a new type of <a href=\"http:\/\/www.utkusen.com\/blog\/hidden-tear-offline-edition.html\" target=\"_blank\" rel=\"noopener nofollow\">ransomware that could work offline<\/a>. Later, EDA2 \u2014 a more powerful model \u2014 emerged.<\/p>\n<p>EDA2 had better asymmetric encryption than Hidden Tear did. It also could communicate with a full-fledged command-and-control server, and it encrypted the key it transferred there. It also displayed a scary picture to the victim.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021911\/eda2-screenshot.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021911\/eda2-screenshot.jpg\" alt=\"Ded Cryptor: Greedy ransomware with open-source roots\" width=\"600\" height=\"360\" class=\"aligncenter size-full wp-image-12529\"><\/a><\/p>\n<p>EDA2\u2019s source code was also published on GitHub, which brought a lot of attention and criticism to Utku Sen \u2014 and not for nothing. 
With the source code freely available, wannabe cybercriminals who hadn\u2019t even learned to code properly could use Sen\u2019s open-source ransomware to relieve people of their money. Didn\u2019t he understand that?<\/p>\n<p>He did: Sen had inserted backdoors in his ransomware that enabled him to retrieve decryption keys. That means if he heard about his ransomware being exploited for malicious purposes, he could obtain the command-and-control server\u2019s URL to extract the keys and give them to the victims. There was a problem, however. To decrypt their files, the victims needed to know about the white hat hacker and ask him for the keys. The vast majority of victims had never even heard of Utku Sen.<\/p>\n<h3>You made the ransomware, now pay the ransom!<\/h3>\n<p>Of course, third-party encryptors created with Hidden Tear and EDA2 source code were not long in coming. Sen dealt with the first one more or less successfully: He published the key and waited for victims to find it. But things did not go so well with the second cryptor.<\/p>\n<p>Magic, ransomware that was based on EDA2, looked just like the original and promised to be nothing of interest. When Sen was informed about it, he tried to extract the decryption key as he had done before (through the backdoor) \u2014 but there was no way in. The cybercriminals using Magic had chosen a free host for their command-and-control server. When the hosting provider received complaints regarding the malicious activity, it simply deleted the criminals\u2019 account and all of their files. Any chance of getting the encryption keys disappeared with the data.<\/p>\n<p>The story doesn\u2019t end there. The creators of Magic <a href=\"http:\/\/securityaffairs.co\/wordpress\/43985\/cyber-crime\/no-more-open-source-ransomware.html\" target=\"_blank\" rel=\"noopener nofollow\">reached out to Utku Sen<\/a>, and their conversation developed into a long and public discussion. 
They began by offering to publish the decryption key if Sen agreed to remove the EDA2 source code from the public domain and pay them 3 bitcoins. In time, both parties agreed to leave ransom out of the deal.<\/p>\n<p>The negotiations turned out to be rather interesting: Readers learned about the hackers\u2019 political motivation \u2014 and that they almost published the key when they heard from a man who lost all photos of his newborn son because of Magic.<\/p>\n<p>In the end, Sen <a href=\"http:\/\/www.utkusen.com\/blog\/project-eda2-is-abandoned-due-to-magic-ransomware-incident.html\" target=\"_blank\" rel=\"noopener nofollow\">removed<\/a> the EDA2 and Hidden Tear source code from GitHub, but he was too late; many people had already downloaded it. On February 2, 2016, Kaspersky Lab expert Jornt van der Wiel <a href=\"https:\/\/securelist.com\/blog\/research\/73565\/hidden-tear-and-its-spin-offs\/\" target=\"_blank\" rel=\"noopener\">noted in an article on SecureList<\/a> that there were 24 encryptors based on Hidden Tear and EDA2 in the wild. Since then the number has only increased.<\/p>\n<h3>How Ded Cryptor emerged<\/h3>\n<p>Ded Cryptor is one of those descendants. It uses EDA2 source code, but its command-and-control server is hosted on the Tor network for better security and anonymity. The ransomware communicates with the server over the <a href=\"https:\/\/tor2web.org\/\" target=\"_blank\" rel=\"noopener nofollow\">tor2web<\/a> service, which lets programs use Tor without a Tor browser.<\/p>\n<p>In a way, Ded Cryptor, created from various pieces of open code published on GitHub, recalls Frankenstein\u2019s monster. The creators borrowed code for the proxy server from another GitHub developer, and the code for sending requests was initially written by a third developer. An unusual aspect of the ransomware is that it doesn\u2019t send requests to the server directly. 
Instead, it sets up a proxy server on the infected PC and uses that.<\/p>\n<p>As far as we can tell, the Ded Cryptor developers are Russian-speaking. First, the ransom note exists only in English and Russian. Second, Kaspersky Lab senior malware analyst Fedor Sinitsyn analyzed the ransomware code and found the file path C:\\Users\\sergey\\Desktop\\<b>\u0434\u043e\u0434\u0435\u043b\u0430\u0442\u044c<\/b>\\eda2-master\\eda2\\eda2\\bin\\Release\\Output\\TrojanSkan.pdb. (By the way, the aforementioned Magic ransomware was also developed by Russian-speaking people.)<\/p>\n<p>Unfortunately, little is known about how Ded Cryptor spreads. According to the <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-security-network-explained\/8657\/\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Network<\/a>, the EDA2-based ransomware is active mostly in Russia. Next come China, Germany, Vietnam, and India.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021908\/tear-geagraphy.jpg\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/07\/06021908\/tear-geagraphy.jpg\" alt=\"Ded Cryptor: Greedy ransomware with open-source roots\" width=\"1000\" height=\"640\" class=\"aligncenter size-full wp-image-12530\"><\/a><\/p>\n<p>Unfortunately, there is also no available way to decrypt files maimed by Ded Cryptor. Victims can try to <a href=\"https:\/\/technet.microsoft.com\/en-us\/magazine\/2006.01.rapidrecovery.aspx\" target=\"_blank\" rel=\"noopener nofollow\">recover the data from shadow copies<\/a> the operating system may have made. 
But the best protection is proactive \u2014 it\u2019s much easier to prevent infection than deal with consequences.<\/p>\n<p><a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_ie\/buy\/productid.320853100\/quantity.1\/currency.usd?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;_ga=1.183770981.2111903088.1454935021\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> detects all Trojans based on Hidden Tear and EDA2 and warns users when it encounters Trojan-Ransom.MSIL.Tear. It also blocks ransomware operations and does not allow them to encrypt files.<\/p>\n<p><a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_ie\/buy\/productid.320809200\/quantity.1\/currency.usd?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___&amp;_ga=1.183770981.2111903088.1454935021\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security<\/a> does all that plus automates backups, which can be useful in all sorts of cases, from ransomware infection to sudden hard-drive death.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ded Cryptor ransomware is based on EDA2 \u2014 an open-source cryptor. 
EDA2 was created for educational purposes, but then things went horribly wrong.<\/p>\n","protected":false},"author":696,"featured_media":12527,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[1680,1696,1697,1698,420,723],"class_list":{"0":"post-12526","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cryptors","9":"tag-ded-cryptor","10":"tag-eda2","11":"tag-hidden-tear","12":"tag-ransomware","13":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ded-cryptor-ransomware\/12526\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ded-cryptor-ransomware\/7379\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ded-cryptor-ransomware\/7400\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ded-cryptor-ransomware\/7345\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ded-cryptor-ransomware\/8621\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ded-cryptor-ransomware\/8566\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ded-cryptor-ransomware\/12415\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ded-cryptor-ransomware\/5797\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ded-cryptor-ransomware\/6398\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ded-cryptor-ransomware\/8132\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ded-cryptor-ransomware\/11941\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ded-cryptor-ransomware\/12415\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ded-cryptor-ransomware\/12526\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ded-cryptor-ransomware\/12526\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www
.kaspersky.com\/blog\/tag\/ransomware\/","name":"Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12526"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12526\/revisions"}],"predecessor-version":[{"id":30225,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12526\/revisions\/30225"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12527"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}