
Hidden Tear Ransomware Still Wreaking Havoc

August 30, 2017

A Turkish computer programmer had a simple idea—create functional ransomware with backdoors and offer it for free to educate programmers. If any hackers used the malware to encrypt someone’s files, victims could use the backdoors to restore their data.

The reality ended up being far more complicated. And two years later, variants of Hidden Tear ransomware continue to victimize internet users around the world.

The programmer, Utku Sen, created viable ransomware that he dubbed Hidden Tear.

[Image: Hidden Tear info from GitHub]

He explained his rationale for creating the malware shortly after uploading it for public consumption.

Sen said that he wanted computer programming students to see examples of functional ransomware for educational purposes. When he was learning about ransomware, there were no working source-code samples to study. He wanted to change that for the next generation.

He had another motivation as well. Sen knew that unskilled hackers could buy ransomware-as-a-service on the dark web and launch attacks with it. Sen’s idea was to offer Hidden Tear for free to anyone who wanted it. He thought he could rid the market of ransomware-as-a-service by offering the same product for free.

To make this safe, he deliberately wrote several flaws into the code so that any files encrypted by the malware could be decrypted. Sen thought that unskilled hackers would use his crackable ransomware because it was free; then, victims could decrypt their files by exploiting the built-in flaws.

Sen believed he was helping people who would’ve fallen victim to ransomware attacks anyway. If hackers were going to infect computers with ransomware, he reasoned, it may as well be with a crackable strain. Hidden Tear successfully gained a foothold in the crowded malware market, but in the process, Sen lost control of it.

Soon, hackers began closing the backdoors and changing the code.

Sen posted instructions on how to decrypt files affected by Hidden Tear. Researcher Michael Gillespie also created a decryptor for many of the Hidden Tear variants. Unfortunately, some of the variants destroyed files instead of encrypting them. For those, even Gillespie's clever decryptor could not help, because there was no intact ciphertext left to recover.
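The article says only that Sen wrote "several flaws" into the code and that victims (and later Gillespie's decryptor) could exploit them; it does not describe the mechanism. The following is an added, constructed example, not Hidden Tear's or Sen's code and not Gillespie's decryptor, of one kind of flaw that makes a ransomware's keys recoverable: the per-file password is a pure function of a PRNG seed taken from the encryption time, so anyone who knows the file's modification time to within an hour can brute-force the seed and recover the password. The toy cipher (SHA-256 in counter mode), the `TOY1` file marker, the password alphabet and length, the timestamps and the sample PDF are all assumptions made for the demonstration.

```python
"""Toy demonstration of a deliberately recoverable ransomware key.

Constructed example, not Hidden Tear's code. The file-encryption password is
derived from a PRNG seeded with the encryption time, so a defender who knows
roughly when the file was encrypted can brute-force the seed.
"""
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PASSWORD_LEN = 15      # assumed length of the generated password
MAGIC = b"TOY1"        # assumed marker the toy encryptor prepends to each file


def password_from_seed(seed: int) -> str:
    """The deliberate flaw: the password depends only on one integer seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def keystream(password: str, length: int) -> bytes:
    """Expand the password into a keystream with SHA-256 in counter mode (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def weak_encrypt(plaintext: bytes, encrypted_at: int) -> bytes:
    """Encrypt like the toy ransomware: the seed is the UNIX time at encryption."""
    password = password_from_seed(encrypted_at)
    return MAGIC + xor(plaintext, keystream(password, len(plaintext)))


def decrypt(ciphertext: bytes, password: str) -> bytes:
    body = ciphertext[len(MAGIC):]
    return xor(body, keystream(password, len(body)))


def recover_password(ciphertext: bytes, known_prefix: bytes, mtime: int, window: int = 3600):
    """Brute-force every seed within +/- window seconds of the file's modification time.

    A candidate is accepted when decrypting with it reproduces a known plaintext
    header (e.g. the '%PDF-' magic of a PDF). Returns (seed, password) or None.
    """
    if not ciphertext.startswith(MAGIC):
        return None
    head = ciphertext[:len(MAGIC) + len(known_prefix)]
    for seed in range(mtime - window, mtime + window + 1):
        candidate = password_from_seed(seed)
        if decrypt(head, candidate) == known_prefix:
            return seed, candidate
    return None


# Constructed sample "document" and timestamps (not real victim data).
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample document for the demo\n"
ENCRYPTED_AT = 1_500_000_000           # when the toy ransomware ran
OBSERVED_MTIME = ENCRYPTED_AT + 90     # what the victim sees on the encrypted file


def demo() -> bytes:
    """Encrypt the sample, then recover it knowing only the mtime and the PDF header."""
    ciphertext = weak_encrypt(SAMPLE_PLAINTEXT, ENCRYPTED_AT)
    found = recover_password(ciphertext, b"%PDF-", OBSERVED_MTIME)
    if found is None:
        raise RuntimeError("seed not within the search window")
    seed, password = found
    return decrypt(ciphertext, password)


if __name__ == "__main__":
    print(demo().decode())
```

Two things the toy makes concrete. First, a flaw like this protects nobody selectively: the victim, a researcher and the attacker's rival can all recover the key, which is why a decryptor needs a known-plaintext check (here the PDF magic) to confirm a candidate rather than trusting any key that "decrypts" to bytes. Second, closing the backdoor is a one-function change (seed the password from a cryptographically secure source and never store or derive it on the victim's machine), which is exactly the kind of edit the article says forkers soon made.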

Within months of Sen publishing Hidden Tear's source code in August 2015, security experts identified dozens of variants created from it. Even two years later, new strains continue to victimize innocent people. Christiaan Beek, lead scientist and principal engineer at McAfee, recently tweeted that nearly 30 percent of the new ransomware the antivirus company discovered in June 2017 was based on Hidden Tear.

Sen reluctantly took responsibility for the catastrophe.

Sen himself has admitted that his project was a failure, though he offered several caveats to the admission. He says he partially achieved his goal of making it easier to decrypt victims’ files. Of course, he also made it easier for criminals to encrypt files in the first place.

Sen says another goal was “destroying the business of ransomware code & service sellers.” He claims to have had modest success in hurting the ransomware-as-a-service industry in 2016.

However, with names like BrainLag and Oxar, new ransomware that uses Hidden Tear as a backbone continues popping up on a regular basis. It’s possible that these attacks would still occur even without Sen’s source code, but the programmer made life easier for cybercriminals.

To protect yourself from Hidden Tear variants and other ransomware, practice good internet hygiene. Never click suspicious links or attachments in emails and keep all software up-to-date.

Regularly back up all essential data so that you have options if ransomware affects your computer. Hidden Tear and dozens of other ransomware strains aren’t going away, but you can limit their effect by taking these simple precautions.