Open Source Based New Ransomware Spotted

By | January 26, 2016

Malware Attack

In recent days ransomware has become a highly rewarding business for cybercriminals, and now they are taking an interest in building their own malware. For this they are adopting open-source code and malware.

One more ransomware has been spotted by security researchers. Magic ransomware, based on open-source code, has recently been seen in the wild; it encrypts user files and adds a “.magic” extension to them.

To perform this activity it reuses an open-source malware named eda2, which was created for educational purposes. The Magic ransomware was written in C#, and the masterminds behind it currently demand 1 Bitcoin from users looking to regain access to their data.

Earlier this month, Trend Micro discovered another ransomware, Ransom_Cryptear.B, that was based on another publicly available educational ransomware, Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.

Working criteria for Magic ransomware

It encrypts your data using AES encryption, adds the .magic extension to encrypted files, and then demands 1 bitcoin to get the data back. This ransomware is written in C#, and when decompiled it quickly becomes apparent that it is almost an exact copy of the open-source ransomware called eda2. The eda2 ransomware, along with the Hidden Tear ransomware, was publicly published by someone who claims they did it for educational purposes. Whether or not that is the case, the code is actively being used by malware developers and causing major problems for those who are affected.

The installer for this ransomware is an executable called magic.exe. Once installed, it requests an RSA public key from the Command & Control server and uses that key to encrypt the AES key that in turn encrypts the files on the victim’s computer. This encrypted AES key is then sent back to the Command & Control server, where it is stored. When encrypting the computer it scans all drives on the infected machine for files that match certain file extensions. When it detects a matching file it encrypts the file using AES encryption and appends the .magic extension to it. While encrypting, the Magic ransomware will not touch any files located in directories whose path contains the string “$”, “C:\Windows”, or “c:\program”.
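As an added triage example (not code from the article, from eda2 or from the Magic sample itself): a Python scan that inventories files carrying the “.magic” extension per directory and flags any that sit inside the directories the article says the malware skips, which would indicate a sample that deviates from the described behaviour. Matching those directory substrings case-insensitively is an assumption.

```python
import os
import tempfile
from collections import Counter

# Extension the article says Magic appends to every encrypted file.
MAGIC_EXT = ".magic"
# Directory substrings the article says the ransomware skips.
# Case-insensitive comparison is an assumption, not stated in the article.
EXCLUDED_SUBSTRINGS = ("$", "c:\\windows", "c:\\program")


def is_excluded_dir(directory: str) -> bool:
    """True if the described exclusion rule would have skipped this directory."""
    lowered = directory.lower()
    return any(token in lowered for token in EXCLUDED_SUBSTRINGS)


def find_encrypted_files(root: str) -> dict:
    """Count .magic files per directory under root; list any found where the
    malware supposedly never writes, so a responder can spot anomalies."""
    hits = Counter()
    unexpected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(MAGIC_EXT):
                continue
            hits[dirpath] += 1
            if is_excluded_dir(dirpath):
                unexpected.append(os.path.join(dirpath, name))
    return {"hits": hits, "unexpected": unexpected}


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as base:
        layout = {  # constructed sample layout, not real victim data
            "docs": ["report.docx.magic", "budget.xlsx.magic", "readme.txt"],
            "photos": ["holiday.jpg.magic"],
            os.path.join("backup$", "old"): ["archive.zip.magic"],  # "$" dir
        }
        for rel_dir, names in layout.items():
            os.makedirs(os.path.join(base, rel_dir))
            for name in names:
                with open(os.path.join(base, rel_dir, name), "wb") as fh:
                    fh.write(b"constructed sample content")
        result = find_encrypted_files(base)
        # Report paths relative to the temp root so the summary is stable.
        rel_hits = {os.path.relpath(d, base): n for d, n in result["hits"].items()}
        rel_unexpected = [os.path.relpath(p, base) for p in result["unexpected"]]
    return {"hits": rel_hits, "unexpected": rel_unexpected}
```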

According to a blog post, the Magic malware appears to be the work of low-skilled hackers. The Magic ransomware kit includes all the necessary code, ranging from the ransomware executable to the encryption algorithm and a PHP web panel used as a Command & Control (C2) server for storing victims’ encryption keys.

It is currently unknown how the ransomware is being distributed, but there have been reports of users coming back to their computers to suddenly find that their data has been encrypted. Therefore, it is possible that the developer was distributing it manually through hacked terminal services or remote desktop.
