The EduCrypt Ransomware tries to teach you a Lesson

Petrovic

A new ransomware (eduware?) called EduCrypt was discovered by AVG security researcher Jakub Kroustek that tries to teach its victims a lesson about ransomware. Like other encrypting malware, EduCrypt will encrypt a victim's files, but instead of demanding a ransom, it gives the victim the password for free along with a reprimand. 

[Image: ransom-note.png]

This ransomware is based on the open source Hidden Tear ransomware, and the sample was obfuscated using Confuser. Once I was able to deobfuscate the program, it was clear that it was a very stripped-down version of Hidden Tear designed purely to teach the victim a lesson. It encrypts a limited set of folders, targets a small number of file extensions, and does not communicate with a Command & Control server.

When started, it will encrypt files located in the following folders:

%UserProfile%\Desktop
%UserProfile%\Downloads
%UserProfile%\Documents
%UserProfile%\Pictures
%UserProfile%\Music
%UserProfile%\Videos

When scanning these folders, it encrypts files that match certain extensions using AES encryption with a static password of HDJ7D-HF54D-8DN7D. When a file is encrypted, it appends the .isis extension to the filename. For example, the file test.jpg would be encrypted as test.jpg.isis.

The file extensions encrypted by EduCrypt are:

.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg

When it is finished, it creates a note called README.txt on the victim's desktop. This note provides a link to a decryptor and information on what happened to the victim's files. The hidden file that it references is located at %UserProfile%\Documents\DecryptPassword.txt and contains the password that can be used to decrypt your files.

[Image: password-file.png]

As already stated, this password is HDJ7D-HF54D-8DN7D and is the same for everyone affected by this program.
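For responders who want to confirm an EduCrypt infection from the artefacts listed above, here is an added triage script (not part of the original article or the Hidden Tear code) that walks the six targeted folders under a user profile, counts .isis files, recovers the original extensions, checks for the README.txt note and the DecryptPassword.txt file, and flags any encrypted file whose original extension is not on the published list. The `demo()` function builds a constructed profile tree in a temporary directory purely to exercise the scanner.

```python
import tempfile
from pathlib import Path

# Artefacts from the write-up, expressed relative to %UserProfile%
TARGET_FOLDERS = ["Desktop", "Downloads", "Documents", "Pictures", "Music", "Videos"]
TARGET_EXTENSIONS = {
    ".txt", ".exe", ".doc", ".docx", ".xls", ".index", ".pdf", ".zip", ".rar",
    ".css", ".lnk", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".bmp", ".png",
    ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml",
    ".psd", ".bk", ".bat", ".mp3", ".mp4", ".wav", ".wma", ".avi", ".divx",
    ".mkv", ".mpeg", ".wmv", ".mov", ".ogg",
}
ENCRYPTED_SUFFIX = ".isis"
NOTE_PATH = Path("Desktop") / "README.txt"
PASSWORD_FILE = Path("Documents") / "DecryptPassword.txt"


def scan_profile(profile: Path) -> dict:
    """Report EduCrypt indicators found below a user profile directory."""
    encrypted = []
    for folder in TARGET_FOLDERS:
        base = profile / folder
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file() and path.name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
    # test.jpg.isis -> original name test.jpg -> original extension .jpg
    original_exts = sorted({Path(p.name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower() for p in encrypted})
    return {
        "encrypted_files": len(encrypted),
        "original_extensions": original_exts,
        "ransom_note": (profile / NOTE_PATH).is_file(),
        "password_file": (profile / PASSWORD_FILE).is_file(),
        # anything here would not match the documented sample and deserves a closer look
        "unexpected_extensions": [e for e in original_exts if e not in TARGET_EXTENSIONS],
    }


def demo() -> dict:
    """Constructed profile tree (hypothetical, for demonstration) mimicking an infected machine."""
    root = Path(tempfile.mkdtemp())
    for name in ("Desktop", "Documents", "Pictures"):
        (root / name).mkdir()
    (root / "Desktop" / "README.txt").write_text("constructed note text")
    (root / "Documents" / "DecryptPassword.txt").write_text("constructed placeholder")
    (root / "Pictures" / "test.jpg.isis").write_bytes(b"\x00" * 16)
    (root / "Documents" / "report.docx.isis").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.txt").write_text("untouched file")
    return scan_profile(root)


if __name__ == "__main__":
    print(demo())
```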

Though EduCrypt provides a link to a Hidden Tear decryptor, I suggest that users use the one created by Michael Gillespie, as we know that it is trustworthy. This decryptor can be downloaded at the following URL: //download.bleepingcomputer.com/demonslay335/hidden-tear-decrypter.zip.

Article source
