‘Magic’ Ransomware Is Based On Open-Source Code

A new ransomware based on open-source code has been spotted in the wild and it encrypts user files and ads ‘.magic’ extension to them, researchers warn.

Dubbed "Magic, the malware is based on open-source ransomware called eda2, which was created for educational purposes. The Magic Ransomware was created in C# and the masterminds behind it currently demand 1 Bitcoin from users looking to regain access to their data.

Ransomware has become a highly rewarding business for cyber-criminals, with some interested in building their own malware.

Adopting open-source ransomware is a fast way to do that, and the Magic ransomware is proof that perpetrators would do whatever it takes to achieve their nefarious goals.

Magic is the second ransomware discovered this month to have been built upon ransomware created for educational purposes. Recently, Trend Micro discovered that a newly created threat called Ransom_Cryptear.B was based on another educational ransomware publicly available, namely Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.

Hidden Tear code was used in other malware as well, including Linux.Encoder, which was discovered back in November to pack an encryption flaw that allowed researchers to crack its encryption algorithm.

Recently, Utku Sen said that he managed to break the encryption of Cryptear.B because he intentionally weakened the encryption in Hidden Tear fearing that cybercriminals might abuse it.

Based on the eda2 ransomware kit, the newly discovered Magic malware appears to be the work of low-skilled hackers, Bleeping Computer’s Lawrence Abrams explains in a blog post.

However, the kit includes all necessary code, ranging from ransomware executable to encryption algorithm and PHP web panel used as a Command & Control (C2) server for storing the encryption keys of victims.

Researchers haven’t yet established how Magic is being distributed, but assume manual distribution via hacked terminals services or remote desktop.

The ransomware stores the AES keys used to encrypt files on the C2 servers, but also uses an RSA public key to encrypt them before sending them to the server.

Because the actors using the Magic ransomware are not advanced enough, they use C2 servers hosted on free web sites services, which means that they can be easily taken down.

However, there’s a risk that the free web hosting provider may delete the decryption key databases before security researchers could access them, meaning that victims lose the ability to retrieve their keys.

The ransomware is capable of encrypting a wide array of file extensions and appends the .magic extension to any encrypted file, but it won’t encrypt files located in directories that contain the string $, C:\Windows, or c:\program. After completing the encryption process, it creates the deleteMyProgram.bat batch file and execute it, an operation that uses vssadmin.exe to clear the victim's Shadow Volume Copies and then delete the malware executable.

The ransomware also places ransom notes on the desktop, providing victims with information on what has happened and on what they need to do to decrypt their files.

The actors behind the ransomware use a static bitcoin payment address, which has had no payments sent to it as of yet.

Security Week:     Ransom Worm: The Next Level Of Cybersecurity:    Europol Warning: Crypto-Ransomware Threat:

 

« Drone Warriors Of The US Air Force
2017: Cybersecurity At A Turning Point »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Linklaters LLP

Linklaters LLP

Linklaters is an international law firm. Practice areas include Information Management and Data Protection.

Cysec Resource Co (CRC)

Cysec Resource Co (CRC)

We offer expertise in information and cyber security, sourcing individuals and teams who provide information security expertise to the public and private sector.

Secure360

Secure360

Secure360 focuses on the following key areas: governance, risk and compliance, information security, physical security, business continuity management, and professional development.

MailGuard

MailGuard

MailGuard delivers a full suite of security solutions across email and web to protect your business before threats reach your environment.

Guardea

Guardea

Guardea Cyberdefense is an IT services company specializing in the management of security projects, with a pool of skills selected from a network of specialized partners.

Certus Software

Certus Software

Our Secure Data Erasure solutions protect customer data confidentiality by completely erasing it from data storage devices.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Herbert Smith Freehills

Herbert Smith Freehills

Herbert Smith Freehills is a leading professional services business offering legal services in specialist areas including cyber security.

Sothis

Sothis

Sothis is an information technology services company offering a range of solutions including cybersecurity, managed security services, information governance and compliance.

Digi International

Digi International

Digi is a leading global provider of mission-critical and business-critical machine-to-machine (M2M) and Internet of Things (IoT) connectivity products and services.

Prolimax

Prolimax

Prolimax deliver innovative solutions to IT Manufacturers, Distributors, Resellers and End-users including Data Erasure and secure IT Asset Disposition (ITAD)

Nico Group

Nico Group

NicoGroup Data Recovery is a leader in digital forensics and data recovery in Northern Ireland. Services also include GDPR Compliant Data Destruction for hard drives and tapes

ditno

ditno

ditno uses machine learning to help you build a fully governed and micro-segmented network. Dramatically mitigate risk and prevent lateral movement across your organisation – all from one centralised

DECODE

DECODE

DECODE is the premier cyber security conference in the Philippines hosted by Trend Micro.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

SafePaas

SafePaas

SafePaas is a leading Enterprise Risk Management Platform. One source of truth for all your Audit, Risk, and Compliance requirements. Complete governance across your systems.