A new open-source ransomware project uploaded on GitHub as a "proof of concept," has now spawned three new ransomware families that are infecting users in real-life.

The original CryptoWire project was uploaded to GitHub by an anonymous user this past May.

The project, still available for download, contains a ZIP archive, with the ransomware's source code, and a README file advertising CryptoWire's capabilities.

Contents of the CryptoWire package
Contents of the CryptoWire package

According to its author, the ransomware is written in the AutoIt scripting language and locks files stored on network drives, network shares, USB drives, external disks, internal disks, and cloud storage apps running on the machine such as Onedrive, Dropbox, Google Drive, and Steam.

CryptoWire uses the AES-256 algorithm for the encryption operations, which will encrypt all files smaller than 30MB (adjustable limit). The README file might have been outdated, as the ransomware's source code included file extension filters (pictured below).

File extensions targeted by CryptoWire

The README claims the encryption process makes a copy of the targeted files, encrypts the copy, overwrites the original file ten times, and then permanently deletes its.

After the encryption process ends, CryptoWire will delete all shadow volume copies, and overwrite the content of the RecycleBin ten times and permanently delete it.

When displaying the ransom note, CryptoWire will check if the infected target is part of a domain and multiply the ransom demand by 10 (adjustable value).

CryptoWire's author said it shipped the ransomware without a backend panel "to prevent skids from abusing it." Unfortunately, skids abused it.

Real-life CryptoWire spawns

The first CryptoWire spawn was detected at the end of October by GData malware analyst Karsten Hahn, using the same name: CryptoWire.

This version appears to have been under development, as one crucial button for the decryption process was missing from its interface.

CryptoWire variant, October 2016
CryptoWire variant, October 2016

A month later, security researcher S!Ri discovered the Lomix ransomware, pictured below.

Lomix ransomware, November 2016
Lomix ransomware, November 2016

Today, the same Karsten Hahn has come across another CryptoWire variant that goes by the name of UltraLocker and spreads a spam campaign delivering malicious Word files.

UltraLocker ransomware, December 2016
UltraLocker ransomware, December 2016

The problem of open-source and so-called "educational" ransomware has been discussed in the past numerous times. Previous open-source ransomware families included Hidden Tear, EDA2, CryptoTrooper, and Heimdall.

In all cases, the authors of these projects have hidden from any responsibility and damage their code would have caused just by using words as "educational" and "proof of concept," not realizing that real-life malware coders don't care.

Most crooks look at open-source ransomware as free work, and hours of work they don't have to put in designing, documenting, and writing their own code. How about we stop giving crooks a helping hand, shall we?

Related Articles:

Company Pretends to Decrypt Ransomware But Just Pays Ransom

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware

Moscow's New Cable Car System Infected with Ransomware the Day After it Opens