Hidden Tear Ransomware Infection and Decryption Services

June 9, 2017

Hidden Tear ransomware is an open-source malware program published by its developer for educational purposes. Though the author has since taken the source code offline, hackers around the world have already downloaded and redistributed it. Modified and improved variants of the original Hidden Tear have now started to show up around the world.

If a Hidden Tear variant has infected your computer, turn it off, disconnect all media, and call 1-800-237-4200. Our security experts can advise you on your options and begin the recovery process.

Hidden Tear Ransomware ASCII art

What is Hidden Tear Ransomware and How Does It Work?

Turkish programmer Utku Sen created Hidden Tear ransomware as an educational tool. He wrote a disclaimer on the site where others could download the source code, stating that the program was strictly educational. However, it wasn’t long before modified versions of the ransomware started infecting computers.

Trend Micro has already spotted several improved variants of Hidden Tear that allow victims to more easily pay ransoms. This trend follows the familiar pattern of ready-made malware giving attackers more time to focus on adding user-friendly features to increase payouts.

Notable features of Hidden Tear ransomware include:

  • Open-source code allowed hackers to start with functional malware and improve it in a variety of ways.
  • Variants often have a more user-friendly interface (e.g., they can leave some files unencrypted or include a FAQ menu about payments).
  • Source code is behind many new variants such as KaoTear, POGOTEAR, and Fsociety.

The diversity of variants shows how big a head start hackers have when they begin with viable malware. Instead of having to write sophisticated source code, they simply modify existing ransomware and add unique graphics or features. In the case of KaoTear, the attackers opened up an entirely new market by translating the ransom note into Korean and targeting a South Korean messaging app.

How Does Hidden Tear Ransomware Infect My System?

Because there are a variety of attackers distributing Hidden Tear variants, there’s no one particular vector of infection. However, due to its small file size of just 12 KB, attackers can easily hide the malware in an attachment to a phishing email. The POGOTEAR and KaoTear variants are disguised as a Pokemon app and a messaging app, which victims mistake for legitimate software.

Different variants of Hidden Tear target different files for encryption. A variant called May avoids encrypting files in several key directories to leave a computer more functional, presumably to make it easier to pay the ransom through an infected computer. A variant called MoWare targets the Desktop, Personal, MyMusic, and MyPictures folders. Because attackers can easily alter the source code, they can target any number of folders or files.

Can I Disable or Decrypt Hidden Tear Ransomware?

There is a freely available decrypter that works for many Hidden Tear variants. Due to the great variation within the ransomware family, this tool may or may not work for an infected computer. Our security specialists can assist you in determining what plan of action will most quickly restore your files.

If a Hidden Tear variant or other ransomware has infected your computer, call 1-800-237-4200 to speak with a malware expert. We can discuss your options and create a recovery plan to restore your files as soon as possible.