A new ransomware (eduware?) called EduCrypt was discovered by AVG security researcher Jakub Kroustek that tries to teach its victims a lesson about ransomware. Like other encrypting malware, EduCrypt will encrypt a victim's files, but instead of demanding a ransom, it gives the victim the password for free along with a reprimand. 

Ransom Note

This ransomware is based off of the open source Hidden Tear ransomware and the sample was obfuscated using Confuser. Once I was able to deobfuscate the program, it was clear that it was a very stripped down version of the Hidden Tear ransomware that was designed purely to teach the victim a lesson. It has a limited set of folders that it encrypts, a small amount of targeted file extensions, and does not communicate with a Command & Control server.

When started, it will encrypt files located in the following folders:

%UserProfile%\Desktop
%UserProfile%\Downloads
%UserProfile%\Documents
%UserProfile%\Pictures
%UserProfile%\Music
%UserProfile%\Videos

When scanning these folders, it will encrypt files that match certain extensions using AES encryption with a static password of HDJ7D-HF54D-8DN7D. When a file is encrypted it will append the .isis extension to the filename. For example, the file test.jpg would be encrypted as test.jpg.isis.

The file extension encrypted by EduCrypt are:

.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg

When it is finished, it will create a note called README.txt on the victim's desktop. This note provides a link to a decryptor and information on what happened to the victim's files.  The hidden file that it references is located at %UserProfile%\Documents\DecryptPassword.txt and contains the password that can be used to decrypt your files.

Password File

As already stated, this password is HDJ7D-HF54D-8DN7D and is the same for everyone affected by this program.

Though EduCrypt provides a link to a Hidden Tear decryptor, I suggest users use the one created by Michael Gillespie as we know that it is trustworthy. This decryptor can be downloaded at the following URL: https://download.bleepingcomputer.com/demonslay335/hidden-tear-decrypter.zip.

Though I do not agree with the methods the developer used to try and teach victim's a lesson about being safe on the Internet, his statements are correct. Users need to be very careful these days about what they download and run from the Internet.  Malware is running rampant and users need to be extra vigilant or the consequences can be costly.