Ransomware – When Hackers Are The Good Guys

It isn’t every day that a developer of malware can be called noble, or good, or even remotely helpful. Today, though, the security world has a different story to tell. Anti-virus firm AVG has discovered a variant of ransomware that, in a show of altruism, seems to be an educational exercise.

Ransomware is notorious for blackmail; victims who accidentally downloaded the malware found their valuable files, images and documents encrypted and locked with a key that was unobtainable unless a ransom was paid – and even then the key was unlikely to be handed over. The new discovery, given the nickname EduCrypt, does exactly what previous forms of ransomware are known for: it locks files in the Documents, Downloads, Desktop, Pictures, Music and Videos folders and renders them inaccessible. That is where the similarities seem to end.

A text file entitled ‘README’ becomes available to the user and, when opened, reveals the following message:

well hello there, seems you have a virus!,
well you are going to get the decryptor which is here 
http://www.filedropper.com/decrypter_1 Don’t Download Random S*** On The Internet A Hidden .txt File Has Been
Created With The Decrypt Password! Find It!

This time, it seems that the ransomware is intended to educate rather than to destroy or to earn the hacker any blackmail money. Of course, it needs to be noted that creating malware, with good intentions or otherwise, remains an illegal activity – falling under section 4 of the Computer Misuse Act 1990 in the United Kingdom.

In the short term, the discussion surrounding this discovery is likely to focus on the idea of ‘good’ malware. Self-spreading programs such as worms and viruses have been spoken about as a good way to combat malicious software, acting as a sort of digital antibody designed to eliminate malware that potentially sits undiscovered on a victim’s machine. Another suggested use is software that spreads maintenance tasks across a network, such as compressing files, flushing caches or defragmenting hard drives.

One of the most famous ‘greater good’ pieces of malware was the ‘VBS.Noped.A@mm’ virus, which was known for being downloaded via an email and searching for indecent images of children. If any were found, it emailed a member of a government institution and explained the discovery. Vesselin Bontchev discussed the topic in a paper delivered at the 1994 EICAR conference, ‘Are Computer Viruses Still a Bad Idea?’, which is well worth a read if the idea is of interest (ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/goodvir.zip).

Although this is not the correct or legal method of education, the malware’s creator does offer good advice, and the advice has been around for as long as malware in general: ensure that the files you are downloading are secure, and be especially careful with known carriers such as torrents and peer-to-peer downloads.

For those seeking help, the universal decryption password is HDJ7D-HF54D-8DN7D, and it is held in a ‘Decrypt Password’ file in the user’s Documents folder.