Petrovic Posted June 27, 2016

A new ransomware (eduware?) called EduCrypt was discovered by AVG security researcher Jakub Kroustek that tries to teach its victims a lesson about ransomware. Like other encrypting malware, EduCrypt will encrypt a victim's files, but instead of demanding a ransom, it gives the victim the password for free along with a reprimand.

This ransomware is based off of the open source Hidden Tear ransomware and the sample was obfuscated using Confuser. Once I was able to deobfuscate the program, it was clear that it was a very stripped down version of the Hidden Tear ransomware that was designed purely to teach the victim a lesson. It has a limited set of folders that it encrypts, a small amount of targeted file extensions, and does not communicate with a Command & Control server.

When started, it will encrypt files located in the following folders:

%UserProfile%\Desktop
%UserProfile%\Downloads
%UserProfile%\Documents
%UserProfile%\Pictures
%UserProfile%\Music
%UserProfile%\Videos

When scanning these folders, it will encrypt files that match certain extensions using AES encryption with a static password of HDJ7D-HF54D-8DN7D. When a file is encrypted it will append the .isis extension to the filename. For example, the file test.jpg would be encrypted as test.jpg.isis.

The file extensions encrypted by EduCrypt are:

.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg

When it is finished, it will create a note called README.txt on the victim's desktop. This note provides a link to a decryptor and information on what happened to the victim's files. The hidden file that it references is located at %UserProfile%\Documents\DecryptPassword.txt and contains the password that can be used to decrypt your files.

As already stated, this password is HDJ7D-HF54D-8DN7D and is the same for everyone affected by this program. Though EduCrypt provides a link to a Hidden Tear decryptor, I suggest users use the one created by Michael Gillespie as we know that it is trustworthy. This decryptor can be downloaded at the following URL: //download.bleepingcomputer.com/demonslay335/hidden-tear-decrypter.zip.

Article source
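An incident-response triage script for the behaviour described in the post, added here as an example; it is not code from the post, from EduCrypt or from the Hidden Tear project. It takes the folder list, the targeted extensions, the .isis suffix, the README.txt note and the DecryptPassword.txt location exactly as the post gives them, and inventories which files in a user profile were renamed, which targeted files were left untouched (worth a second look, since a file the malware skipped may have been locked or in use), whether the note was dropped, and what the password file contains. The profile tree it scans is constructed inside the script so it runs offline; walking subfolders of the six directories is an assumption of this example, since the post only names the top-level folders.

```python
"""Triage a user profile for EduCrypt-style file renaming (added example)."""
import tempfile
from pathlib import Path

# Folders the post says EduCrypt encrypts, relative to %UserProfile%.
TARGET_FOLDERS = ["Desktop", "Downloads", "Documents", "Pictures", "Music", "Videos"]

# Extensions the post lists as targeted; an encrypted copy gets ".isis" appended.
TARGET_EXTENSIONS = {
    ".txt", ".exe", ".doc", ".docx", ".xls", ".index", ".pdf", ".zip", ".rar",
    ".css", ".lnk", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".bmp", ".png",
    ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml",
    ".psd", ".bk", ".bat", ".mp3", ".mp4", ".wav", ".wma", ".avi", ".divx",
    ".mkv", ".mpeg", ".wmv", ".mov", ".ogg",
}
ENCRYPTED_SUFFIX = ".isis"
NOTE_PATH = Path("Desktop") / "README.txt"              # ransom note location (from the post)
PASSWORD_PATH = Path("Documents") / "DecryptPassword.txt"  # hidden password file (from the post)


def original_name(encrypted: Path) -> Path:
    """Strip the appended .isis suffix: test.jpg.isis -> test.jpg."""
    return encrypted.with_suffix("") if encrypted.suffix == ENCRYPTED_SUFFIX else encrypted


def triage_profile(profile: Path) -> dict:
    """Inventory encrypted and untouched targeted files under the six folders."""
    note_file = profile / NOTE_PATH
    password_file = profile / PASSWORD_PATH
    encrypted, untouched = [], []
    for folder in TARGET_FOLDERS:
        base = profile / folder
        if not base.is_dir():
            continue
        # Assumption: subfolders are walked too; the post only names the top level.
        for path in base.rglob("*"):
            if not path.is_file() or path in (note_file, password_file):
                continue
            rel = path.relative_to(profile).as_posix()
            if path.suffix == ENCRYPTED_SUFFIX:
                if original_name(path).suffix.lower() in TARGET_EXTENSIONS:
                    encrypted.append(rel)
            elif path.suffix.lower() in TARGET_EXTENSIONS:
                untouched.append(rel)  # targeted extension but not renamed
    password = None
    if password_file.is_file():
        password = password_file.read_text(encoding="utf-8", errors="replace").strip()
    return {
        "encrypted": sorted(encrypted),
        "encrypted_count": len(encrypted),
        "untouched_targets": sorted(untouched),
        "note_present": note_file.is_file(),
        "password": password,
    }


def build_demo_profile(root: Path) -> Path:
    """Construct a sample post-infection profile (constructed data, not a real capture)."""
    profile = root / "victim"
    sample = {
        "Desktop/notes.txt.isis": b"<ciphertext>",
        "Desktop/README.txt": b"<note text>",
        "Documents/report.docx.isis": b"<ciphertext>",
        "Documents/DecryptPassword.txt": b"HDJ7D-HF54D-8DN7D\r\n",
        "Documents/archive.7z": b"<data>",       # extension not targeted
        "Pictures/holiday.jpg.isis": b"<ciphertext>",
        "Pictures/todo.md": b"<data>",           # extension not targeted
        "Music/song.mp3": b"<data>",             # targeted but left untouched
        "AppData/secret.txt": b"<data>",         # outside the walked folders
    }
    for rel, data in sample.items():
        target = profile / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return profile


def run_demo() -> dict:
    """Build the constructed profile in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_profile(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point triage_profile at a real profile (or a mounted image of one) to get the same summary; the untouched_targets list is the one to review by hand, because a targeted file that kept its name either was not reached or was skipped, and the password value can be compared against the static one quoted in the post before any decryptor is run.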