Project Eda2 is Abandoned Due to Magic Ransomware Incident

Today I received an e-mail about a ransomware incident. The victim told me that he suspects the ransomware is a modified version of Eda2. He sent me the ransomware sample and code. I checked them to find the URL of the C&C server.

And their ransomware note is:


I got the URL. They were using a free hosting service. All I needed to do was get the private key from the database by using my backdoor. But there was a problem: their hosting account was suspended.

[Screenshot 2016-01-24 00.02.32]


I contacted the hosting provider to ask whether they still had any backups. They told me that the files and the database had been deleted, and that the backups had been shredded as well.

As I explained before, Hidden Tear recovery isn't affected by the criminal's mistakes. But Eda2 is different. The program itself has no known security flaws; only the control script has some vulnerabilities that give access to the database.

I realized my mistake at that moment. I left everything in the criminal's hands. It should have been mistake-proof. I should have implemented a backdoor that copies the database to another server in case of account suspension and so on. Now even the criminals can't recover the data. Last week I mocked the Trend Micro guys for using the phrase "impossible to recover", but now I'm facing it myself.

I removed all the files and commits of the Eda2 project. Since nobody has discovered the backdoor in Eda2, I won't reveal it right now, because we may have to deal with new Eda2 implementations in the future.

I’m sorry, I failed this time.

More details about Magic ransomware: http://www.bleepingcomputer.com/news/security/new-magic-ransomware-developed-from-open-source-eda2-ransomware/

Follow-up story: http://news.softpedia.com/news/eda2-open-source-ransomware-code-used-in-real-life-attacks-499330.shtml