SpearTip constantly monitors proprietary and open-source intelligence feeds for the latest cyber security threat intelligence. This week, SpearTip came across a post by @fuscator indicating a new Hidden Tear ransomware variant being distributed in the wild, which our team reviewed and reacted to.

We took this information and obtained a sample of the malware for our own analysis. Our analysis indicates this example of Hidden Tear is being distributed through COVID-19-themed email attachments. While the Hidden Tear variant isn’t brand new, the developers behind this most recent example are getting on board with other Threat Actors by exploiting COVID-19 fears to their advantage. The most troubling aspect of this Hidden Tear sample is that the malicious payload isn’t being detected by a number of security tool vendors. This evasiveness once again highlights the need for a reliable EDR agent within corporate networks that can detect and block unknown threats, and it points out the shortcomings of signature-based detection tools.

Hidden Tear was first spotted in the wild in August 2015. What makes the Hidden Tear family unique is the fact that it was the first modifiable, open source ransomware kit and can be easily found online. The creators claim it was released for “educational purposes” and posted a legal warning on the site, but clearly people are not taking this advice.

The sample obtained by SpearTip appended files with the file extension .klavins as seen below:

Indicators of Compromise

File: software-launcher.exe

MD5: 900c456cbcd61ed2bf91378112e93eb0

SHA-1: c227ca088a4f80729b83396cafa0152d9778254e

Contacted Domain: hxxps://enfiniql2buev6o.m.pipedream.net

Contacted IP Address: 54.146.242[.]158
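As an added defensive example (not code from the SpearTip post), the script below hashes every file under a directory and flags anything that matches the sample hashes above or carries the .klavins extension the sample appends. The directory it scans is constructed in a temporary folder with harmless placeholder files, so no real sample is involved.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators from the post: hashes of software-launcher.exe and the
# extension the sample appends to encrypted files.
IOC_HASHES = {
    "md5": {"900c456cbcd61ed2bf91378112e93eb0"},
    "sha1": {"c227ca088a4f80729b83396cafa0152d9778254e"},
}
RANSOM_EXTENSION = ".klavins"


def digest_stream(chunks):
    """Return (md5, sha1) hex digests over an iterable of byte chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def file_hashes(path):
    """Hash a file in 64 KiB chunks so large files do not load into memory."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(65536), b""))


def classify(path, md5, sha1):
    """Return the reasons a file is suspicious (empty list if none)."""
    reasons = []
    if Path(path).suffix.lower() == RANSOM_EXTENSION:
        reasons.append("encrypted-file-extension")
    if md5 in IOC_HASHES["md5"] or sha1 in IOC_HASHES["sha1"]:
        reasons.append("known-sample-hash")
    return reasons


def scan_tree(root):
    """Walk `root`; return {relative_posix_path: reasons} for flagged files."""
    root = Path(root)
    flagged = {}
    for path in root.rglob("*"):
        if path.is_file():
            reasons = classify(path, *file_hashes(path))
            if reasons:
                flagged[path.relative_to(root).as_posix()] = reasons
    return flagged


def demo():
    """Scan a constructed directory: one clean file, two 'encrypted' ones."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "report.docx").write_bytes(b"harmless document")
        Path(tmp, "budget.xlsx.klavins").write_bytes(b"\x00" * 32)  # constructed
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "notes.txt.klavins").write_bytes(b"\x01" * 16)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, reasons in demo().items():
        print(rel_path, "->", ", ".join(reasons))
```

A hash match only catches this exact build; the extension check is what surfaces hosts where encryption has already run.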

Another unique aspect of Hidden Tear is that there is a free program called HiddenTearDecrypter that claims to decrypt files without the need for paying the ransom. In SpearTip’s experience, free decryptors are usually not an option for most ransomware variants and shouldn’t be solely relied upon. Instead, organizations should focus on having a reliable back-up plan, storing back-ups offline, maintaining a robust user awareness program, and ensuring an EDR agent is installed on all corporate workstations and servers. Threat Actors operate on a 24/7 basis, and so should your internal security team.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they are also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.