Sharing ransomware code for educational purposes is asking for trouble
Trend Micro may still be smarting from the revelation that there was a serious vulnerability in its Password Manager tool, but today the security company warns of the dangers of sharing ransomware source code.
The company says that those who discover vulnerabilities need to think carefully about sharing details of their findings with the wider public as there is great potential for this information to be misused, even if it is released for educational purposes. It says that "even with the best intentions, improper disclosure of sensitive information can lead to complicated, and sometimes even troublesome scenarios".
The warning may seem like an exercise in stating the bleeding obvious, but it does serve as an important reminder of how the vulnerability disclosure process should work. When it comes to security holes in software, there is usually a 90-day disclosure window during which the discoverer privately warns the company responsible for the software, and only goes public with the details once that period has elapsed.
But the same cannot be said of malware such as ransomware. Unlike software vulnerabilities -- which can usually be patched fairly easily -- publicizing the inner workings of malware can have far-reaching consequences. While antivirus vendors can push out updates to detect known variants, sharing the source code for ransomware makes it trivial for others to compile modified builds, each of which may evade existing signatures until it has been analyzed, so the malware becomes harder to fight.
Writing on the TrendLabs Security Intelligence Blog, Trend Micro says that providing source code replete with warnings about how it should or should not be used is simply not good enough:
Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware. Our analysis showed that the website was compromised by a Brazilian hacker who used a modified Hidden Tear code.
The website was compromised from Sept. 15 to Dec. 17 at the latest. It was compromised once again on December 18. The website redirects users to a fake Adobe Flash download website where they are prompted to download a new Flash player. Once the download is complete, the file will automatically run.
In this instance, the Hidden Tear ransomware in question had been shared on GitHub. Trend Micro recognizes the value in sharing information about how ransomware works with a view to building up protection, but says that this also opens up the possibility of exploitation by bad actors. Martin Roesler, Trend Micro Senior Director for Threat Research, says:
We need to share knowledge that creates understanding about potential damage, but not the ability to create it. We need to share knowledge about 'how exploits work', but not 'how to make use of them'. We need to share knowledge 'how malware works', but sharing 'sample code' is not needed for that.
The advice is to share detailed information, such as working samples and source code, only through secure channels with trusted parties, and to limit public disclosure to less specific information about how the malware operates.