Threat Management

New Magic ransomware abuses open-source ‘educational’ code

A newly discovered strain of ransomware called Magic has been built by criminals using open-source ransomware code that was meant to be used solely for ‘educational' purposes.

Magic has been spotted in the wild by computer forensics expert Lawrence Abrams, owner of the Bleeping Computer tech support site.

It is based on the eda2 kit, which was created to teach people about ransomware but which also provides a full ransomware toolkit attractive to low-skilled cyber-criminals.

Magic locks up data using AES encryption, adds the ‘.magic' extension to it and then demands one bitcoin in ransom – though no money has yet been paid. Its developer may currently be distributing it manually through hacked terminal services or remote desktop, Abrams said.

According to his 23 January blog, Magic scans all drives on the infected computer for documents with a range of file extensions, but does not encrypt files in directories that contain the string $, C:Windows or c:program.

Magic's appearance follows Trend Micro's recent exposé of CRYPTEAR.B ransomware, which is based on similar open-source educational code called Hidden Tear.

Trend found CRYPTEAR.B being distributed in campaigns between September and December from a hacked website in Paraguay, with a ransom demand of about £350 in bitcoin.

The discoveries suggest an emerging trend of ‘cheap and nasty' ransomware, pulled together from publicly available code that can be rapidly adopted by cyber-criminals.

Abrams said: “The malware developers who operate more notorious ransomware programs like CryptoWall, TeslaCrypt and CTB-Locker obviously have a lot of technical knowledge. Those using the eda2 kit appear to be of a much lower-level skillset, because eda2 contains everything a would-be criminal needs to create their very own ransomware.”

Another headache with such ransomware is that their command-and-control (C2) servers are hosted on free website services, he said. “This means the servers can easily be taken down, but it also means that the free web hosting provider may delete the decryption key databases – and then the victims lose the ability to retrieve their keys.”

Abrams confirmed Magic's C2 server has been removed by the hosting company, adding: “I have reached out to them to see if we can get a copy of the database so that a decrypter could be built for those affected.”

Commenting on the latest malware, UK cyber-security expert Sarb Sembhi, CTO and acting CISO at the Noord Group, told via email: “There is a debate as to the usefulness of open-source ransomware available for ‘educational' purposes. On the one hand those new to security research need to understand by example how such malware works. On the other hand making such tools available to all lowers the bar for those who would want to get into this criminal activity.”

Sembhi said the open code makes it easier for anti-malware companies to find and block the ransomware, but warned: “In the same way that the original was created for educational purposes, this ransomware too may have been created as a trial for something more scary in the future. It's not this version that we need to worry about, but any future versions that the learning from this one may be developed. This is probably more likely.”

Lawrence Abrams said: “There is nothing educational about open-source ransomware.”

In its blog, Trend Micro agreed: “The security industry should be very careful when releasing information that could be used by threat actors. Even if the intentions of security researchers or vendors are to educate the public, they need to carefully assess the risks prior to the release of possibly harmful information.”

Martin Roesler, Trend Micro senior director for research, added: “We need to teach our kids physics, but not how to build an atomic bomb. We need to have knives in our kitchens, but not samurai swords. We need to share knowledge that creates understanding about potential damage, but not the ability to create it.”  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.