Three new, real-world ransomware families have been spawned by the open-source CryptoWire ransomware project, which was uploaded to GitHub as a "proof of concept".
The original "educational" project was uploaded to GitHub in May this year by an anonymous user. CryptoWire consists of a ZIP archive containing the ransomware's source code and a README file in which the author advertises the product's features and capabilities. The project is still available for download.
According to the README file, CryptoWire uses the AES-256 encryption algorithm and locks every file smaller than 30MB. The ransomware is written in the AutoIt scripting language and is capable of encrypting data stored on network shares, mapped network drives, internal and external disks, USB drives, and the local folders of cloud and sync applications such as Dropbox, Steam and Google Drive.
Moreover, CryptoWire's author claims that the ransomware makes a copy of each targeted file, encrypts the copy, then overwrites the original ten times and deletes it, so that the plaintext cannot be recovered from disk. Once the file-locking process is complete, CryptoWire deletes the Volume Shadow Copies, overwrites the contents of the Recycle Bin and empties it as well. Before displaying the ransom note, the ransomware checks whether the infected machine is joined to a domain and, if so, multiplies the ransom demand by 10.
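The shadow-copy deletion step described above is the one part of this behaviour that leaves an obvious process-creation trail, which makes it a useful hunting hook. The following is an added example, not code from the article or from the CryptoWire project: a small detector that runs over constructed Sysmon-style process-creation log lines and flags the usual Windows ways of deleting or starving Volume Shadow Copies (vssadmin, wmic and the Win32_ShadowCopy WMI class). The article does not say which of these CryptoWire uses, so treating them as the indicators is an assumption, and the sample events, paths and pids are invented.

```python
"""
Added example (not from the article or the CryptoWire project): flag
Volume Shadow Copy deletion in process-creation telemetry and pivot to
the parent process that spawned it.

Assumption: the encryptor removes shadow copies via vssadmin, wmic or
the Win32_ShadowCopy WMI class; the article only says "deletes the
shadow volume copies" without naming a command.
"""
import json
import re

# Constructed sample events in a Sysmon-like JSON-lines shape (not real
# telemetry). Process 2280 stands in for a CryptoWire-style encryptor.
SAMPLE_LOG = r"""
{"pid": 412, "parent_pid": 4, "image": "C:\\Windows\\System32\\svchost.exe", "cmd": "svchost.exe -k netsvcs"}
{"pid": 2280, "parent_pid": 1880, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "cmd": "invoice.exe"}
{"pid": 2301, "parent_pid": 2280, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"pid": 2310, "parent_pid": 2280, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic shadowcopy delete"}
{"pid": 2320, "parent_pid": 2280, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""}
{"pid": 2400, "parent_pid": 1000, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe list shadows"}
"""

# Indicator name -> pattern over the full command line. "vssadmin list"
# is deliberately not matched: listing is benign admin activity.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wmi_powershell_delete", re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I)),
]


def parse_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def classify(cmd):
    """Return the indicator name if cmd deletes or starves shadow copies, else None."""
    for name, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def detect_shadow_copy_deletion(events):
    """Return one alert per event whose command line removes shadow copies.

    Each alert keeps the parent pid so the analyst can pivot to the process
    that spawned the deletion, which in the behaviour described by the
    article is the encryptor itself.
    """
    alerts = []
    for ev in events:
        indicator = classify(ev.get("cmd", ""))
        if indicator:
            alerts.append({
                "pid": ev["pid"],
                "parent_pid": ev.get("parent_pid"),
                "indicator": indicator,
                "cmd": ev["cmd"],
            })
    return alerts


def suspicious_parents(events):
    """Map parent pid -> the image of that parent and how many deletion
    attempts it spawned. A single unknown binary driving several distinct
    deletion techniques is the pattern worth paging on."""
    by_pid = {ev["pid"]: ev for ev in events}
    summary = {}
    for alert in detect_shadow_copy_deletion(events):
        ppid = alert["parent_pid"]
        entry = summary.setdefault(ppid, {
            "image": by_pid.get(ppid, {}).get("image", "<unknown>"),
            "attempts": 0,
            "techniques": set(),
        })
        entry["attempts"] += 1
        entry["techniques"].add(alert["indicator"])
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_shadow_copy_deletion(evs):
        print(f"[{a['indicator']}] pid={a['pid']} parent={a['parent_pid']} cmd={a['cmd']}")
    for ppid, info in suspicious_parents(evs).items():
        print(f"parent {ppid} ({info['image']}): {info['attempts']} attempts, {sorted(info['techniques'])}")
```

On the constructed input the three deletion attempts all trace back to pid 2280, a binary running from a user's Temp directory, while the `vssadmin list shadows` event from an unrelated parent is ignored. In a real deployment the patterns would be fed by Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; without command-line logging the `cmd` field is empty and only the image path survives.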
Even though CryptoWire's author said that they uploaded the ransomware without a backend panel "to prevent skids from abusing it", things didn't go as planned. Real-life CryptoWire spawns soon appeared and are infecting real users.
The first spawn was spotted by G DATA malware analyst Karsten Hahn at the end of this past October. It kept the CryptoWire name and was clearly unfinished: the interface was missing a button essential to the decryption process.
A month later, in November, security researcher S!Ri came across the Lomix ransomware. The third spawn was discovered just a couple of days ago, again by Karsten Hahn: a CryptoWire variant going by the name UltraLocker, which is distributed through malicious Word documents in a spam campaign.
This is far from the first "educational" open-source ransomware project to get out of hand. The Hidden Tear, EDA2, CryptoTrooper and Heimdall ransomware families also grew out of such "proof of concept" projects. What the authors of these projects fail to understand is that they are doing the crooks' work for them, and it is high time they stopped.