Today I received an e-mail about a ransomware incident. The victim told me that he suspects the ransomware is a modified version of Eda2. He sent me the ransomware sample and code. I checked them to see the URL of the C&C server.
private string generatorUrl = "http://kano.freevar.com/lol/1.php";
private string keySaveUrl = "http://kano.freevar.com/lol/2.php";
And their ransomware note is:
StreamWriter streamWriter = new StreamWriter(this.path + "\\DECRYPT_ReadMe.TXT.ReadMe");
streamWriter.WriteLine("All your files encrypted with strong encryption.");
streamWriter.WriteLine("To unlock your files you must pay 1 bitcoin to address :");
streamWriter.WriteLine("You can search google for how to buy and send bitcoin in your country.");
streamWriter.WriteLine("After you send the bitcoin email to : ");
streamWriter.WriteLine("use all email to communicate ");
streamWriter.WriteLine("with the information of username and pcname and the time you send bitcoins.");
streamWriter.WriteLine("When we will confirme the transaction you will receive decryption key and decryption program.");
streamWriter.WriteLine("Price depend on the system.If you have a sql server or server based system send 2 bitcoin.");
streamWriter.WriteLine("If your network share or system encrypted with axx extensions email to discuss price to decrypt your system.");
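The C&C URLs and the ransom note quoted above are the only concrete indicators a responder gets from this sample, so here is an added example (not code from the original post or from Eda2) of a small host sweep that looks for them: the note file name, the note's opening sentence, and the C&C host, which in a compiled .NET binary is stored as a UTF-16LE string rather than ASCII. The directory tree it scans is constructed on the fly for demonstration; every indicator value comes from the post.

```python
"""Added example: sweep a directory tree for the Eda2/Magic indicators
quoted in the post (ransom-note file name, note text, C&C host).
The sample tree built by build_sample_tree() is constructed for the demo."""
import os
import tempfile

# Indicators taken from the post above.
NOTE_FILENAME = "DECRYPT_ReadMe.TXT.ReadMe"
NOTE_SENTENCE = b"All your files encrypted with strong encryption."
CC_HOST = b"kano.freevar.com"
# .NET string literals live in the #US heap as UTF-16LE, so a compiled
# sample will not match an ASCII search; check both encodings.
CC_HOST_UTF16 = CC_HOST.decode().encode("utf-16-le")


def scan_file(path, max_bytes=8 * 1024 * 1024):
    """Return the list of indicator names found in one file.
    Reads raw bytes so it works on text notes and binaries alike."""
    hits = []
    if os.path.basename(path) == NOTE_FILENAME:
        hits.append("ransom_note_filename")
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        # Unreadable or missing file: report only what the name told us.
        return hits
    if NOTE_SENTENCE in data:
        hits.append("ransom_note_text")
    if CC_HOST in data or CC_HOST_UTF16 in data:
        hits.append("c2_host")
    return hits


def sweep(root):
    """Walk a tree and return {relative_path: [indicators]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Construct a throwaway tree: one ransom note, one fake .NET binary
    carrying the C&C URL as UTF-16LE, and one clean document."""
    root = tempfile.mkdtemp(prefix="eda2_ioc_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, NOTE_FILENAME), "wb") as fh:
        fh.write(NOTE_SENTENCE + b"\r\n")
    with open(os.path.join(root, "sample.bin"), "wb") as fh:
        url = "http://kano.freevar.com/lol/1.php".encode("utf-16-le")
        fh.write(b"\x00" * 16 + url + b"\x00" * 16)
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("quarterly figures\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, found in sorted(sweep(sample_root).items()):
        print(rel_path, found)
```

Point `sweep()` at a user profile or a mounted image instead of the constructed tree to get the same per-file report; the UTF-16 check is what makes the C&C host show up inside the dropped executable and not only in network logs.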
I got the URL. They were using a free hosting service. All I needed to do was get the private key from the database by using my backdoor. But there was a problem: their hosting was suspended.
I contacted the hosting provider to ask if they still had some backups. They told me that the files and database had been deleted. The backups were shredded as well.
As I explained before, Hidden Tear recovery isn't affected by criminals' mistakes. But in Eda2 it's different. The program has no known security flaws; only the control script has some vulnerabilities that allow access to the database.
I realized my mistake at that moment. I left everything in the criminal's hands. It should have been mistake-proof. I might have implemented a backdoor which copies the database to another server in case of account suspension etc. Now even the criminals can't recover the data. Last week I mocked the Trend Micro guys for using the phrase "impossible to recover", but now I'm facing it.
I removed all the files and commits of the Eda2 project. Since nobody has discovered the backdoor of Eda2, I won't reveal it right now, because we may deal with new Eda2 implementations in the future.
I’m sorry, I failed this time.
More details about the Magic ransomware: http://www.bleepingcomputer.com/news/security/new-magic-ransomware-developed-from-open-source-eda2-ransomware/