The developer of HildaCrypt has released the ransomware's master decryption keys, allowing anyone affected by the threat to recover their files for free.
On October 4, 2019, a security researcher who goes by the name “GrujaRS” posted about what appeared to be a new variant of STOP (Djvu), a well-known ransomware family.
New #Stop (Djvu) #Ransomware extension .mike! Ransom note: _readme.txt @BleepinComputer @demonslay335 @Amigo_A_ pic.twitter.com/PUrtps8YFQ
— Cyber Security (@GrujaRS) October 4, 2019
The developer of the threat saw GrujaRS’s post and contacted the researcher to say that the analysis was incorrect: the sample was not a STOP variant but belonged to a new ransomware family called “HildaCrypt.” As part of this clarification, the developer handed over the threat’s master decryption keys.
GrujaRS passed those keys along to Michael Gillespie, the founder of ID Ransomware, who used them to build a decryption utility that any HildaCrypt victim can now use to recover their affected files for free. That tool is available here.
In the meantime, the developer spoke with Bleeping Computer about HildaCrypt. They told the computer help site that they had created the ransomware mainly to satisfy their curiosity and that “it was mainly an educational thing really.” After stating that “hildacrypt never was used on anyone,” the developer said they would probably stop working on the ransomware and instead focus their efforts on work within the digital security community.
This isn’t the first time someone has created ransomware for educational purposes. Back in 2015, a Turkish programmer known as Utku Sen created a proof-of-concept (PoC) for a crypto-malware family called “Hidden Tear” and made the code public on their website. Sen said they created Hidden Tear so that fellow programmers and security analysts could use it to study how ransomware works. That didn’t stop bad actors from taking Sen’s PoC and using it to build variants such as Yatron, a Hidden Tear-based threat that received its own decryption utility in September.
Threat actors’ ongoing abuse of projects like Hidden Tear, and the possibility that HildaCrypt could one day be misused in the same way, highlight the need for organizations to defend themselves against ransomware. First and foremost, organizations should take steps to prevent a ransomware infection outright; a free decryptor like the one now available for HildaCrypt is the exception, not something victims can count on. This resource contains some helpful tips.