Ransomware has been infamously known to be nasty pieces of malware that takes a computer’s files hostage, and then demands a ransom, which can vary in cost. Countless variants have been discovered, which differ in how they are programmed, but all demand money in the end.
However, a new variant recently discovered called ‘EduCrypt’ encrypts a victim’s files, but instead of demanding a ransom, it actually provides the decryption key for free. Along the way, it teaches the victim a lesson about avoiding downloading sketchy items on the internet.
Discovered by Jakob Kroustek of AVG, the malware is based on the Hidden Tear ransomware. Unlike other ransomware variants, which encrypts a large number of file extensions, EduCrypt targets only a limited amount, and does not connect to a Command and Control (C&C) server. The list of files affected are:
.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg
It will lock up files found in the desktop, Downloads, Documents, Pictures, Music, and Videos folder. Once the ransomware finishes the encrypting process, it will append an extension of “.isis” on every file it touches.
A file called “README.txt” will be made available to the user. Inside the file, it will inform the user that their system is infected with a virus. Generously enough, it also provides a link to the decryptor, which the victim can download for free without paying any ransom. “Don’t download random **** on the Internet,” the Readme file states, hoping to teach the victim a lesson.