Hidden Tear

Hidden Tear targets Windows and is the first open-source, modifiable ransomware kit. It uses AES encryption and claims to be undetectable by antivirus software. Its developers advertise its release as being “only for educational purposes,” but one hacking group has already been discovered using a modified version of the ransomware to infect victims. Files encrypted by Hidden Tear gain a .locked file name extension.

UPDATE 11/7/2016: A new Hidden Tear variant was discovered impersonating Cerber. It appends .cerber to the names of encrypted files and produces a ransom note named HOW_TO_RESTORE_YOUR_DATA.html.

UPDATE 1/5/2017: A new version called Depsex or MafiaWare appends .Locked-by-Mafia to encrypted files and drops a ransom note named READ_ME.txt.

UPDATE 2/26/2017: A new variant appends .BarRax to file names.

UPDATE 3/22/2017: A new version appends .AngleWare to encrypted file names.

UPDATE 4/14/2017: A new version, dubbed Black-Rose, randomly chooses one of four extensions to append to encrypted file names: .ranranranran, .okokokokok, .loveyouisreal, .whatthef*ck. It drops a ransom note named READ_IT_FOR_GET_YOUR_FILE.txt.

UPDATE 5/2/2017: A new version connects to Tor and appends .Lockify to encrypted file names.

UPDATE 8/6/2017: A new version, dubbed Balbaz, appends .WAmarlocked to the names of encrypted files and drops a ransom note named READ_IT.txt.

UPDATE 10/20/2017: A new version, dubbed Ordinal, appends .Ordinal to the names of encrypted files and drops a ransom note named READ Me To Get Your Files Back.txt.

  • The Register provides more information about Hidden Tear.
  • Avast provides a free decryption tool for Hidden Tear.

One example of a Hidden Tear variant. Image source: The Register