Ransomware - DHC

DHC
Aliases: DenisHatingClub
Decryptor Available: No
Description

DHC, or DenisHatingClub, is reportedly a variant of Hidden Tear, an open-source ransomware built for educational purposes by Utku Sen that has been leveraged by threat actors since 2015. However, analysis of a DHC sample shows that it is more closely related to EDA2, another open-source ransomware created by Utku Sen. Both of these open-source ransomware tools have similar functionality, but EDA2 is somewhat more complex. For example, both use AES-256-CBC to encrypt files, but EDA2 and its variants also employ RSA-2048-OAEP to encrypt the AES-256 key. Another example is the option to change the victim's wallpaper. Nonetheless, saying that DHC is a variant of Hidden Tear is technically correct. The creator of DHC tweaked the source code quite a bit but retained all of the functionality of its predecessor.

The assumed intent of DHC is to target an individual named Denis in the Leningrad Oblast region of Russia. The extortion link listed below is a website created to dox and shame this individual, who was allegedly 12 years old at the time of the creation of this ransomware. The website includes information about this individual's family and other personal information, including screenshots of their interactions and sensitive information about their family. It's uncertain if this ransomware was created as a prank or if it targeted a select few individuals. Whatever the reason, the ransomware targeted a minor. So, that is the extent of the analysis, and we are stopping here.

Ransomware Type: Crypto-Ransomware
First Seen:
Last Seen:
Lineage:
Extortion Types: Blackmail, Direct Extortion
Extortion Amounts
  Amount: 0.001 BTC ($42)
Communication
  Medium: Discord
  Identifier:
Encryption
  Type: Hybrid
  Files: AES-256-CBC
  Key: RSA-2048-OAEP
Crypto Wallets
  Blockchain Type: BTC
  Crypto Wallet: 3Noaeg8zi1ErUeSf7YeM1eNWdaEdzJmADJ
File Extension: <file name>.<file extension>.<4 random alphanumeric characters>
Ransom Note Name: READ_IT.txt
Ransom Note Image:
Samples (SHA-256): 10c43619167da0f0bfc8a55156544fb9d4bfc22a491b50b76aec519cfd3e3037
References & Publications