Ransomware - EDA2

EDA2
Decryptor Available
Yes
Description

EDA2 is the direct descendant of Hidden Tear, the first well-known open-source ransomware. Utku Sen published both EDA2 and Hidden Tear on GitHub in 2015, EDA2 shortly after Hidden Tear. The two share similar functionality, but EDA2 has a few more capabilities. For example, both use AES-256-CBC to encrypt files, but EDA2 uses RSA-2048-OAEP to encrypt the AES-256-CBC key. This hybrid approach is common amongst threat actors because it prevents victims or researchers from creating a decryptor without the RSA private key. EDA2 can also change the victim's wallpaper upon execution, which serves as the default ransom note. This ransom note has a default name of ransom.jpg, but the user can easily change this and more.

Utku Sen has since apologized for creating ransomware that has caused damage through hundreds of known variants. Even though he claims the ransomware was created for educational purposes only, the opportunity for abuse was ripe for the picking. Unfortunately, before being abandoned, the original repository was cloned by several people and now exists on various online repositories.

Ransomware Type
Crypto-Ransomware
FOSS
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
Individual
Utku Şen
Extortion Types
Direct Extortion
Encryption
Type
Hybrid
Files
AES-256-CBC
Key
RSA-2048-OAEP
File Extension
<file name>.<file extension>.locked
Ransom Note Name
ransom.jpg