Ransomware Author Insults Creator of Decryption Tool in Malware’s Embedded Strings

The author of the Radamant ransomware kit has insulted the researcher responsible for creating a decryption tool in some of the malware’s new embedded strings.

Shortly before Christmas Eve, Fabian Wosar of EmsiSoft published the decrypting tool on his company’s website after discovering a weakness in Radamant’s encryption algorithm, reports Softpedia.

After identifying their infected files by tracing the use of the “.RDM” file extension, users can download the tool, run it, complete the licensing agreement, select the infected files, and click “Decrypt”.

The decryption process ranges in duration from a few minutes to more than a day depending on how many files have been encrypted.

Shortly thereafter, the malware’s author came out with a second version that encrypts files using the “.RKK” extension.

But that’s not all that changed. Lawrence Abrams of Bleeping Computer reports that the developer also voiced his displeasure against Wosar and EmsiSoft in some of the ransomware’s core features.

For example, the embedded strings “ThisForHipFabianWosarANDF*CKYOU”, “emisoft.f*ckedbastardsihateyou”, and “radamantv2_emisoft_f*cked” appear in the malware executables. Additionally, the author changed the domain name of one of the command and control (C&C) servers to “emisoftsucked.top”.

Ransomware Author Insults Author of Decryption Tool in Domain Names

Source: Bleeping Computer

Far from displeased, however, Wosar has taken the revisions as a compliment:

“I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that,” he explained. “Just next time, please try to get the company name right. But it’s a common mistake, so I let that one slide.”

Wosar released a revised decryption tool just two days after the Radamant developer published the second version of his ransomware. That has not stopped the malware’s author from offering his product as a ransomware-as-a-service (RaaS) and from reportedly working on a third version. Even so, at 0-2 Wosar, the prospects for Radamant are looking bleak indeed.

To learn how you can protect yourself against Radamant and other forms of ransomware, please click here.
