Blundering ransomware uses backdoored crypto, unlock keys spewed

Hahah ... wait, what?

A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware.

The unnamed software nasty scrambles users' files on compromised Windows PCs using the AES algorithm. It appends the .locked extension to the ciphered documents before demanding that victims pay a fee of 0.5 BTC (approximately US$210) to obtain a decryption key.

The ransomware's creator based their primordial malware on EDA2, a toolkit of file-encrypting sample code that demonstrates how ransomware works. Big mistake. The EDA2 author intentionally left a backdoor in his code, and had little hesitation in revealing it to undo the newbie malware slingers, security blogger David Bisson reports:

Utku Sen, the man behind the project, intentionally inserted a backdoor into his code when he first developed EDA2 to make sure he could check potential abuses of his code. It is this backdoor access Sen leveraged in this particular case to obtain a list of decryption keys, which are now available for download.

Ransomware authors have made crypto mistakes before, often quickly returning with malign code that's far harder if not impossible to break. So it's premature to think that this new have-a-go extortionware has been knocked out, even though it's suffered a heavy blow.

Rewriting the code to use a different file encrypting engine will take some heavy lifting, but it would be naive to imagine the unknown crooks behind the scam would see this as a reason to abandon the project. ®

Editor's note: An earlier version of this article suggested the new ransomware is a strain of Locky. However, it appears the malware in question is a prototype or early version of some new software nasty.

Sponsored: Global DDoS threat landscape report