Open-Source Ransomware Abused For the Second Time In Real-Life Infections (softpedia.com)
An anonymous reader writes: After the Hidden Tear (open-source) ransomware code was used to create the Cryptear.B ransomware, now the EDA2 open-source project was used in the same way to create the Magic ransomware. Both projects were created by the same guy. While he left an encryption flaw for Hidden Tear, he didn't for EDA2, relying on a backdoor in the ransomware's admin panel, which he planned to use to steal the encryption keys from the ransomware authors, if they ever used his tool. Unfortunately, the ransomware's C&C servers were on a free hosting service, and someone reported the account. All the data has been deleted from the servers, there's no backup, the backdoor account is useless, and victims have no way of recovering their files.
Victims should sue (Score:5, Insightful)
The hosting provider who deleted the files, for damages.
Unfortunately, the ransomware's C&C servers were on a free hosting service, and someone reported the account. All the data has been deleted from the servers, there's no backup, the backdoor account is useless, and victims have no way of recovering their files.
If it was reported to them, then the provider KNEW or should have known their servers were holding a criminal's data, including possibly encryption/decryption keys and stolen assets in relation to ransomware, which the providers' services had aided.
At that point, the hosting provider became duty bound to without fail take steps to preserve evidence of the criminal activity, for inspection by authorities.
Complete deletion was an act of negligence, and if they aren't criminally tried, the provider should at least be compensating victims for their loss that was a result of not being able to obtain ransomware decryption keys which the provider destroyed.
Re: Victims should sue (Score:4, Interesting)
Duty bound? What duty is that? The victims have no contract with the provider. Sure, it would be nice if the provider happened to recognize this as a ransomware control server, and saved the data. But duty bound? That's a fantasy. The victims are victims of the perpetrator, nobody else.
Re: (Score:1)
If you reasonably should have known there would be a criminal investigation and you destroy evidence, it's illegal. That certainly seems to be the case here.
Re: (Score:1)
Wow, lighten up, Francis. You're not a prosecutor. You're a commentator on a blog.
Get off your high horse.
Re: (Score:2)
And you're an anonymous commenter on a blog. Get off that hobby horse, runt.
Re: (Score:2)
And what if the free hosting site was based in some country that is not beholden to US laws?
Re: (Score:3)
there's no such country! just ask MPAA/RIAA
Well all that is why you aren't a prosecutor (Score:3)
Because if you'd graduated law school, or just taken a few classes for that matter, you'd know enough to be able to look into relevant laws and see why your list is a crock that wouldn't hold up.
Didn't stop the Aaron Swartz prosecutors... (Score:2)
Because if you'd graduated law school, or just taken a few classes for that matter, you'd know enough to be able to look into relevant laws and see why your list is a crock that wouldn't hold up.
Didn't stop the Aaron Swartz prosecutors... did it?
The point is to engage in malicious prosecution when some asshole intentionally destroys information that could have recovered people's data.
In point of fact, you don't really want it to hold up; you want to settle for a fine, the amount to be determined by whether they actually destroyed the data, or just are saying they destroyed the data because it would be a royal pain in the ass for them to recover it. The difference in the fine should reflect *how mu
Re: (Score:2)
Aaron Swartz was a pretty unusual case. He illegally hid his download server in an MIT wiring closet, he kept overwhelming MIT's connections to JSTOR and causing JSTOR to flake out, dealing considerable and much more measurable damage to thousands of people's work,
That was arguably a problem. Like the original Morris worm, having a bug in the code making it go runaway to the point of a denial of service is problematic; would you feel that it was still a problem if the approach did not have this bug?
Given that this was arguably an analogous bug, with similar impact, and the Morris penalty was 3 years of probation, 400 hours of community service, and a $10,500 fine ... would you have been seeking the same penalty against Swartz, instead of the absurd penalty they were
Re: Victims should sue (Score:2)
Re: (Score:2)
tlambert: I can certainly see why you're not a prosecutor.
Yes, me too.
Activist prosecutors do not last long, when they try to make points regarding social parity between how the legal system treats companies vs. how the legal system treats people who make political statements regarding publicly funded research.
Here's hoping that that hosting service was the one backing the ransomware that just cost three banks in India millions of dollars...
http://yro.slashdot.org/story/... [slashdot.org]
Re: (Score:1)
LOL Umm... I think you might be mistaking why it is he sees that you're not a prosecutor. I'd suggest that you take some time to actually study law before opining on matters of law IF you want to be taken seriously. Or, well, just keep doing what you're doing and expecting the results to be different... It's entirely up to you but I'd seriously recommend some formal study if possible or some informal study (via auditing courses or reading the course material and studying that) if you're actually interested
Re: (Score:2)
The example for your tirade is the big assumption that you made which is, I'm pretty certain, false - they are not necessarily duty bound, and I suspect you lack the information (and material assets to gain that information easily) to make such determinations.
I was explicitly glib about their duty being to cover their own asses. I implied no other duty.
Then I listed a number of legal theories under which their asses were not covered, including legal liabilities under the computer fraud and abuse act.
I'll provide detail, but we should start with the fact that the data that was destroyed did not belong to the perpetrators of the ransomware, and neither did it belong to the hosting company: it belonged to those being ransomed. There is a vicarious responsibility
Re: (Score:2)
Duty bound? What duty is that? The victims have no contract with the provider.
The duty is a duty to the public (including victims) to abide the law by not destroying evidence.
It is not a contractual duty. It is more like the duty involved, where you are a school worker and you routinely open a student's locker to find illegal drugs --- just emptying their locker out into the garbage incinerator is a crime of disposing of the evidence.
Re: Victims should sue (Score:4, Insightful)
Re: (Score:2)
Neither the dope in the locker nor the data are a clear and present danger.
Re: (Score:2)
A third party that destroys evidence as a side effect of securing the safety of themselves or their property commits no crime, because their intent is not to destroy evidence, but to regain their own security.
It depends on whether the safety we are referencing is "the safety of their property" or "the safety of themselves with regard to prosecution". If the latter, then all destruction of evidence would not be criminal. 8^)
The points to consider are:
(1) Was deleting the data necessary, or would it have been sufficient to off-line but retain it for a period, as their web site states that do for delinquent accounts?
The clear answer is that deletion was not necessary; data stored in off-line storage does not activ
Re: (Score:2)
The provider has no requirement to investigate abusive traffic for criminal activity. Zero. None. Zilch. That is the job of prosecutors. So all your arguments are nullified.
Then at best, by operating said site, they have constructed a public nuisance.
Re: (Score:2)
At worst, they are an accessory before the fact.
Re: (Score:2)
Also not their problem, they should simply hand over all the evidence to law enforcement.
Re: (Score:1)
Also not their problem, they should simply hand over all the evidence to law enforcement.
Since law enforcement isn't even involved yet, and we don't know how far this infection has spread, I guess you demand shutting down teh Intertoobz, right? Wait for law enforcement, that might never even be involved.
It's a little strange. Slashdotters seem to want the server owner strung up, shot, burnt, buried, and then exhumed to do it all over again.
Haven't heard a thing about the asshat that seemed to think that creating a monster and introducing it to the wild, and thinking it was for "educational
Re: (Score:2)
And a fsckin security researcher to boot. I don't get it - What kind of secure world does he live in where you publish - and therefore do the legwork - for the very people you are supposed to be securing against?
Maybe the various AV companies can sue him for infringement of their methods patent on this.
Re: (Score:2)
You're missing the point. On this site the majority of people will tell you it's not the Aaron Swartzes of the world (see above), or the hackers, or the people who create the ransomware that are in the wrong. Nope, it's everyone else who should be held accountable for something they did or did not do.
See the previous article talking about a law saying IT people are now required to report instances of child porn they find on someone's machine. The litany of people defending the pedophiles, saying IT people
Re: (Score:2)
Complete deletion was an act of negligence, and if they aren't criminally tried, the provider should at least be compensating victims for their loss that was a result of not being able to obtain ransomware decryption keys which the provider destroyed.
FTFA - "Creator of both projects is Turkish security researcher Utku Sen, who says that both his projects, Hidden Tear and EDA2, were published only for educational purposes."
Yeah. Create a monster, release it into the wild, the obvious thing happens, and it's all the fault of the server owner panicking.
Re: (Score:2)
Sue the hosting provider? Seriously?
Hosting provider gets notified that a client is using his account for criminal purposes. That is a violation of terms, so they ditch the client. "Criminal purposes" can be anything, so: delete the files, there could be warez or even child porn in there. The account might even be involved in an ongoing attack, so they had better get rid of it NOW.
Do you have a hosting provider?
What's your account there?
You're not willing to post that information on Slashdot, because you'd have to be insane?
*NOW* do you see the problem with a "delete all the data when a report comes in"?
Better to treat it as a DMCA takedown notice, and throw it into dispute resolution, in case this is the electronic equivalent of SWATting...
Throw the fucker in jail ... (Score:4, Interesting)
Re: (Score:2)
Who?
The guy who wrote the Open Source software with a back door and good intentions?
The guy who used it nefariously?
The guy who reported it?
The guy at the hosting provider who killed the C&C server?
Am I missing something here? (Score:2, Interesting)
I ask this in good faith -- why is there open source ransomware? I have no problem with uploading encrypted data for backups and security purposes. I have no problem with such tools being open sourced. But ransomware is, by definition, used for extortion. Isn't the mere existence of open source ransomware (or any other ransomware) an abuse?
As for the hosting provider, they should be liable for civil and criminal damages. Victims whose files are unrecoverable because the account was deleted rather than locke
Re: (Score:2)
I ask this in good faith -- why is there open source ransomware?
The short answer is that some people have bad values. If you want to dive deeper you could consider the OpenBSD licensing philosophy [openbsd.org] as a proxy for the Open Source or Free Software movement. The software and its code become an end in itself, What is "good" is defined in terms of working code that complies with the license. The ultimate purpose of the code is practically irrelevant. From time to time there are controversies that arise in regard to some proposed change in the license of some software. I
Re: (Score:3)
On the other hand, this guy was a moron for publishing this stuff. The moment you put something like that out where anyone can get their hands on it, it's too late to stop scum from grabbing it. You'd think after the first time he'd realize that. At this point, I wonder if it was intentional on his part.
Does this mean that we should rejoice? (Score:2, Insightful)
Is it a cause for rejoicing that when we've been hit with a ransomware attack that the attacker is an ethical one that will promptly restore things when we pay the ransom? You know, an attacker that has a fiduciary responsibility to act promptly when we submit to his demands. Does this mean we should deal with only the reputable extortionists?
Re: (Score:1)
Actually, yes you should only pay the ethical attacker. It will teach the unethical hacker that his profits are extremely limited when word gets out that paying doesn't fix the problem.
Of course in an ideal world you wouldn't have to pay any hacker. But there are times you might not have that choice.
Re: (Score:1)
Re: (Score:2)
That is not always possible for everyone. It really is that simple. Sometimes the loss is too valuable. Yes, you should not pay ever in an ideal world. The world isn't always ideal though.
Re: (Score:2)
If you pay an anonymous extortionist money to no longer extort you, is there any reason to believe he'll stop extorting you?
Suitable punishment? (Score:2)
IIRC the last person flogged in the US as sentenced by a court was in the 1950s. It may be time to rethink that for some offenses.
Re: (Score:2)
I've often had that same thought. The trolls would be first (the really nasty ones, I don't mean the app appers dude - that would be silly :-). Then crackers, spammers, and crapware purveyors. "And while I'm dreaming, I'd like a pony..."
Re: (Score:2)
IIRC the last person flogged in the US as sentenced by a court was in the 1950s. It may be time to rethink that for some offenses.
Maybe it's time to reduce corruption and inequity in our government, because they teach people to engage in corruption and to create more inequity in society.
Re: no way of recovering their files? (Score:1)
It is; the encryption used is not home-made, it's industry-standard AES.
Those guys - (Score:2)
Don't they have anything better to do with their lives than creating those crappy situations for others? Petty, callous characters to host and live with, I'd say.
open-source ransomware code? (Score:1)