{"id":388,"date":"2016-03-09T12:11:25","date_gmt":"2016-03-09T12:11:25","guid":{"rendered":"https:\/\/myspybot.com\/?p=388"},"modified":"2025-11-30T11:35:01","modified_gmt":"2025-11-30T11:35:01","slug":"hidden-tear","status":"publish","type":"post","link":"https:\/\/myspybot.com\/hidden-tear\/","title":{"rendered":"Hidden Tear: Is open-source ransomware really a good idea?"},"content":{"rendered":"<p>Over the past couple of years, security experts have gotten accustomed to dealing with ransomware breeds that pursue solely malicious goals. These are intrinsically profit-oriented pieces of code that circulate covertly, encrypt their victims\u2019 files and demand a fee to make the badly mutilated data accessible again.<\/p>\n<p>Utku Sen, a researcher and security enthusiast from Turkey, ventured to turn this state of affairs upside down. He came up with two unique proofs-of-concept called Hidden Tear and Eda2 back in August 2015. Both were fully functional crypto malware samples, which the author claims to have created as exclusively educational projects so that other analysts could see how these infections actually operate.<\/p>\n<p>The programmer never concealed that his source code could also be used by individuals and groups seeking easy profit. This turned out to be a correct prediction. Various cybercriminal rings ended up producing as many as 24 builds of ransomware based on Sen\u2019s projects during a five-month time span. 
The reasons are obvious: the crooks needn\u2019t invest in developing their own code and they don\u2019t have to pay the affiliate fee in the increasingly popular \u201cRansomware as a Service\u201d models.<\/p>\n<figure id=\"attachment_390\" aria-describedby=\"caption-attachment-390\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project.png\" alt=\"Hidden Tear project shut down as a result of abuse incidents\" title=\"Hidden Tear project shut down as a result of abuse incidents\" width=\"800\" height=\"440\" class=\"size-full wp-image-390\" srcset=\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project.png 800w, https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project-300x165.png 300w, https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project-768x422.png 768w, https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-project-620x341.png 620w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><figcaption id=\"caption-attachment-390\" class=\"wp-caption-text\">Hidden Tear project shut down as a result of abuse incidents<\/figcaption><\/figure>\n<p>Fortunately, the original variant of Hidden Tear had a built-in backdoor that would allow security researchers to derive all the necessary file decryption details from the timestamps of locked files in the worst-case scenario. For Eda2, Utku Sen added a vulnerability aimed at providing access to the database of encryption keys.<\/p>\n<p>The open-source ransomware employs the <a href=\"https:\/\/myspybot.com\/decrypt-locky-files\/\" target=\"_blank\" rel=\"noopener\">AES cipher<\/a> and only encrypts files stored in the \u201c<strong>\\test<\/strong>\u201d directory on the Desktop. 
Of course, the fraudsters modified this rule so that other personal files would be encrypted as well. The dropper is only 12 KB, a small size that in itself makes the Trojan easier to propagate.<\/p>\n<p>The first infection developed with Hidden Tear source code was <strong>Linux.Encoder<\/strong>, a pioneer in the domain of Linux-specific ransomware. Then <strong>Cryptear.B<\/strong> appeared. Owing to the above-mentioned backdoor, these were cracked and the infected users were able to restore their encrypted files. There was also <strong>KryptoLocker<\/strong>, which represents the so-called <strong>Trojan-Ransom.MSIL.Tear<\/strong> cluster, itself consisting of multiple similar samples. Most of these were implemented very unprofessionally \u2013 some didn\u2019t store the decryption keys at all.<\/p>\n<p>The most infamous derivative, though, was the <strong>Magic Ransomware<\/strong> built with Eda2. Its operators defiantly blackmailed Utku Sen into closing down both of his open-source projects, threatening otherwise to erase all the recovery keys and thus make the victims irreversibly lose their data. While the criminals\u2019 motivations for acting like this are unknown, they did achieve their goal \u2013 Hidden Tear and Eda2 aren\u2019t publicly available anymore.<\/p>\n<p>This educational initiative, obviously, didn\u2019t end well. A lot of infected people paid ransoms. Some will never get their sensitive files back. It turns out that the aphorism \u201cThe road to hell is paved with good intentions\u201d may apply to the cybersecurity realm as well.<\/p>\n<div class=\"bdaia-separator se-dotted\" style=\"margin-top:15px !important;margin-bottom:80px !important;\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Over the past couple of years, security experts have gotten accustomed to dealing with ransomware breeds that pursue solely malicious goals. 
These are intrinsically profit-oriented pieces of code that circulate covertly, encrypt their victims\u2019 files and demand a fee to make the badly mutilated data accessible again. Utku Sen, a researcher and security enthusiast from \u2026<\/p>\n","protected":false},"author":1,"featured_media":5482,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_stopmodifiedupdate":false,"_modified_date":"","rating_form_position":"","rating_results_position":"","mr_structured_data_type":"","footnotes":""},"categories":[21],"tags":[],"acf":{"campaignid":"no","virusname":"","virusname0":"","virusname1":"","virusname2":"","virusname3":"","virusname4":"","virusname5":"","virustype":"","virustype0":"","virustype1":"","virustype2":"","virustype3":"","virustype4":"","virustype5":"","device":"","softtype":"","methods-to-restore-title":"","manual-removal-title":"","resetting-browsers-title":"","automatic-removal-title":"","faq":"","evolution":"","final-check-title":"","remove-from-chrome-title":"","remove-from-firefox-title":"","remove-from-explorer-title":"","remove-from-android-title":"","remove-using-cmd-title":"","remove-using-controlpanel-title":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hidden Tear: Is open-source ransomware really a good idea? - MySpyBot<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/myspybot.com\/hidden-tear\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hidden Tear: Is open-source ransomware really a good idea? 
- MySpyBot\" \/>\n<meta property=\"og:description\" content=\"Over the past couple of years, security experts have gotten accustomed to dealing with ransomware breeds that pursue solely malicious goals. These are intrinsically profit-oriented pieces of code that circulate covertly, encrypt their victims\u2019 files and demand a fee to make the badly mutilated data accessible again. Utku Sen, a researcher and security enthusiast from \u2026\" \/>\n<meta property=\"og:url\" content=\"https:\/\/myspybot.com\/hidden-tear\/\" \/>\n<meta property=\"og:site_name\" content=\"MySpyBot\" \/>\n<meta property=\"article:published_time\" content=\"2016-03-09T12:11:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-30T11:35:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"850\" \/>\n\t<meta property=\"og:image:height\" content=\"491\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Will Wisser\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Will Wisser\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hidden Tear: Is open-source ransomware really a good idea? - MySpyBot","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/myspybot.com\/hidden-tear\/","og_locale":"en_US","og_type":"article","og_title":"Hidden Tear: Is open-source ransomware really a good idea? 
- MySpyBot","og_description":"Over the past couple of years, security experts have gotten accustomed to dealing with ransomware breeds that pursue solely malicious goals. These are intrinsically profit-oriented pieces of code that circulate covertly, encrypt their victims\u2019 files and demand a fee to make the badly mutilated data accessible again. Utku Sen, a researcher and security enthusiast from \u2026","og_url":"https:\/\/myspybot.com\/hidden-tear\/","og_site_name":"MySpyBot","article_published_time":"2016-03-09T12:11:25+00:00","article_modified_time":"2025-11-30T11:35:01+00:00","og_image":[{"width":850,"height":491,"url":"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/03\/hidden-tear-1.png","type":"image\/png"}],"author":"Will Wisser","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Will Wisser","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/myspybot.com\/hidden-tear\/","url":"https:\/\/myspybot.com\/hidden-tear\/","name":"Hidden Tear: Is open-source ransomware really a good idea? 
- MySpyBot","isPartOf":{"@id":"https:\/\/myspybot.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/myspybot.com\/hidden-tear\/#primaryimage"},"image":{"@id":"https:\/\/myspybot.com\/hidden-tear\/#primaryimage"},"thumbnailUrl":"https:\/\/myspybot.com\/wp-content\/uploads\/2025\/11\/hidden-tear-hidden-tear-featured.png","datePublished":"2016-03-09T12:11:25+00:00","dateModified":"2025-11-30T11:35:01+00:00","author":{"@id":"https:\/\/myspybot.com\/#\/schema\/person\/f9391b7edcfb6793e7f51d87eeac082b"},"breadcrumb":{"@id":"https:\/\/myspybot.com\/hidden-tear\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/myspybot.com\/hidden-tear\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/myspybot.com\/hidden-tear\/#primaryimage","url":"https:\/\/myspybot.com\/wp-content\/uploads\/2025\/11\/hidden-tear-hidden-tear-featured.png","contentUrl":"https:\/\/myspybot.com\/wp-content\/uploads\/2025\/11\/hidden-tear-hidden-tear-featured.png","width":850,"height":491,"caption":"Hidden Tear: Is open-source ransomware really a good idea?"},{"@type":"BreadcrumbList","@id":"https:\/\/myspybot.com\/hidden-tear\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/myspybot.com\/"},{"@type":"ListItem","position":2,"name":"Hidden Tear: Is open-source ransomware really a good idea?"}]},{"@type":"WebSite","@id":"https:\/\/myspybot.com\/#website","url":"https:\/\/myspybot.com\/","name":"MySpyBot","description":"Keep an eye on the important computer security stuff","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/myspybot.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/myspybot.com\/#\/schema\/person\/f9391b7edcfb6793e7f51d87eeac082b","name":"Will 
Wisser","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/myspybot.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6247ff0634fa21676b3387d535d23eb4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6247ff0634fa21676b3387d535d23eb4?s=96&d=mm&r=g","caption":"Will Wisser"}}]}},"multi-rating":{"mr_rating_results":[]},"_links":{"self":[{"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/posts\/388"}],"collection":[{"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":0,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/media\/5482"}],"wp:attachment":[{"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myspybot.com\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}