The EduCrypt Ransomware is a ransomware Trojan that, apart from encrypting the victim's files, also attempts to 'educate' the victim. This is curious, because the EduCrypt Ransomware appears to have been created precisely as a way of teaching computer users about ransomware. It carries out all of the functions of a real ransomware attack: it encrypts the victim's files and drops a 'ransom' note. Unlike other ransomware Trojans, however, the EduCrypt Ransomware does not demand money. Instead, it gives the victim the decryption key for free and reprimands them for allowing it onto their computer and letting the attack happen in the first place.
The Unwanted Education Provided by the EduCrypt Ransomware
The EduCrypt Ransomware is based on an open source ransomware project known as Hidden Tear. The sample appears to be obfuscated using Confuser. Once deobfuscated, it is apparent that the EduCrypt Ransomware is a very basic variant of Hidden Tear that is designed to teach its victims a lesson. It only encrypts a limited set of file paths and file extensions and does not communicate with any external server, so there is no command-and-control traffic to look for and no per-victim key to retrieve. The EduCrypt Ransomware will search for files located in the following paths:
The EduCrypt Ransomware encrypts files that match the extensions contained in its embedded configuration. It uses AES encryption with a static password, HDJ7D-HF54D-8DN7D, hard-coded into the sample. Because the password is the same in every copy and never leaves the infected machine, the same key recovers every 'victim's' files, which is why the threat needs no server to upload key material to. Like most encryption ransomware, the EduCrypt Ransomware appends an extension to the files it encrypts, in this case 'ISIS', clearly marking which files have been affected. The files that will be encrypted by the EduCrypt Ransomware include:
.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg.
After carrying out its attack, the EduCrypt Ransomware drops a file named 'README.txt' on the victim's computer. This file informs the victim of the attack and contains a link to a decryption utility. The EduCrypt Ransomware also references a hidden file containing the decryption password, which is stored at the following path:
As mentioned before, the password is the same for all 'victims' of the EduCrypt Ransomware and is HDJ7D-HF54D-8DN7D.
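The indicators above (a hard-coded extension list, a fixed marker extension and a README.txt note in each affected directory) are enough to triage a hit machine before running the decryptor. The Python below is an added example, not code from the EduCrypt sample or from the Hidden Tear project: it walks a directory tree, lists the files that carry the marker together with the name they should get back, lists still-clean files whose extension is on the target list (they would be hit if the sample ran again), and collects the dropped notes. It assumes the marker is appended as a `.isis` suffix (the write-up only gives the name 'ISIS') and that the original name is recovered by removing that suffix; the sample directory it builds is constructed for the demonstration.

```python
"""Triage helper for a Hidden Tear-style infection such as EduCrypt.

Added example, not code from the EduCrypt sample or from Hidden Tear.
Assumptions: the marker is appended as a '.isis' suffix (the write-up
gives the name 'ISIS'; case and separator are assumed) and the original
file name is recovered by removing that suffix.
"""
import os
import tempfile
from pathlib import Path

# Extension list as given in the write-up, lower-cased for matching.
TARGETED_EXTENSIONS = {
    ".txt", ".exe", ".doc", ".docx", ".xls", ".index", ".pdf", ".zip", ".rar",
    ".css", ".lnk", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".bmp", ".png",
    ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml",
    ".psd", ".bk", ".bat", ".mp3", ".mp4", ".wav", ".wma", ".avi", ".divx",
    ".mkv", ".mpeg", ".wmv", ".mov", ".ogg",
}
MARKER = ".isis"        # assumed on-disk form of the 'ISIS' extension
RANSOM_NOTE = "README.txt"


def is_targeted(path):
    """True if a clean file matches the extension list the sample encrypts."""
    return Path(path).suffix.lower() in TARGETED_EXTENSIONS


def original_name(encrypted_path):
    """Strip the marker suffix; return None if the file is not marked."""
    p = Path(encrypted_path)
    if p.suffix.lower() != MARKER:
        return None
    return p.with_suffix("")   # 'thesis.docx.isis' -> 'thesis.docx'


def triage(root):
    """Classify every file under root.

    encrypted: marked file -> name to restore it to after decryption
    exposed:   unmarked files whose extension is on the target list
    notes:     ransom notes, one per affected directory
    """
    result = {"encrypted": {}, "exposed": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # The note itself ends in .txt, so match it before the
            # extension check or it would be reported as 'exposed'.
            if name == RANSOM_NOTE:
                result["notes"].append(full)
                continue
            orig = original_name(full)
            if orig is not None:
                result["encrypted"][full] = str(orig)
            elif is_targeted(full):
                result["exposed"].append(full)
    return result


def build_sample_tree(root):
    """Constructed layout standing in for a user profile after the attack."""
    layout = {
        "Documents/thesis.docx.isis": b"\x00ciphertext",
        "Documents/notes.txt.isis": b"\x00ciphertext",
        "Documents/README.txt": b"Your files have been encrypted...",
        "Documents/todo.txt": b"not touched, but on the target list",
        "Pictures/cat.jpg.isis": b"\x00ciphertext",
        "Pictures/README.txt": b"Your files have been encrypted...",
        "Music/song.flac": b"extension not on the list",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run the triage over the constructed tree; paths are made relative."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)

        def rel(p):
            return os.path.relpath(p, tmp).replace(os.sep, "/")

        return {
            "encrypted": sorted(rel(p) for p in report["encrypted"]),
            "restore_to": sorted(rel(p) for p in report["encrypted"].values()),
            "exposed": sorted(rel(p) for p in report["exposed"]),
            "notes": sorted(rel(p) for p in report["notes"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 'encrypted' list is what you hand to the decryptor together with the static password; the 'exposed' list is worth keeping because any file still matching the target list will be hit again if the sample is relaunched before the machine is cleaned.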
Assessing the Threat of Modern Ransomware – Are the EduCrypt Ransomware's Methods Legit?
The fact is that ransomware is on the rise. Encryption ransomware is currently among the most common types of attack used against computers around the world. Because these attacks encrypt the victim's files, recovering from one can be very difficult. With many other threats, simply removing the malware from the computer ends the attack. In the case of the EduCrypt Ransomware and real ransomware threats, however, the files remain encrypted even after the threat itself has been removed. Fortunately, there are very simple measures that computer users can take to make these attacks ineffective. Unfortunately, most computer users are not prepared, which is what allows ransomware Trojans to keep spreading.
The best way to protect a computer from ransomware is to keep backups of all files in an off-site location. The backup must not be reachable from the infected machine as an ordinary writable drive or share, since ransomware that can see a mounted backup will encrypt it along with everything else. If computer users can recover their files quickly, ransomware attacks lose their leverage entirely. In fact, if backing up files became widespread, these attacks would largely disappear (or change into something completely new). In this regard, the fact that the EduCrypt Ransomware makes more people aware of the threat is a positive aspect. Computer users should also prevent the infection from entering their computers in the first place. Since these threats are commonly distributed through email messages, using an anti-spam filter, running anti-malware software, and not opening unsolicited email attachments can prevent these and similar attacks.