
Poorly written malware demands a ransom, but never releases your files

Computer viruses are a lot like real-world viruses, with different mutations and rewritten versions constantly in circulation. Some of them are just rehashes of other spyware and malware, and virus designers are as prone to bugs as any other coder. A newly discovered version of Power Worm, a piece of ransomware written in PowerShell, has a bug that stops it from working as intended, in a way that hurts both its victims and whoever wrote it, according to a report from Bleeping Computer.

Ransomware is actually a fairly simple concept. The malware goes through the infected system, encrypts the victim's files, then demands payment, usually to a Bitcoin address, in exchange for the decryption key that will unlock them.

In this particular version of Power Worm, the encryption itself runs correctly, but the malware never stores the key that was used to encrypt the files. That means that even if you decided to pay the ransom, which isn't advisable, the attacker has no key to hand over and the files cannot be decrypted.

The slip-up is the result of the author trying to cut a corner that is often a sticking point for ransomware: keeping track of which key belongs to which victim. Instead of assigning each victim a new ID so that their encryption key can be looked up later, the malware was supposed to use the same ID and key for every victim. Unfortunately, when the code was rewritten with this change in mind, an error was introduced that causes the key to be set to NULL once encryption finishes, so the key is thrown away rather than kept.

The result is a computer full of files that are permanently encrypted, a sad situation to be sure, but at least affected users will know that paying would do them no good; restoring from backups is the only way to get the data back. You can tell whether you have been hit by this particular, poorly written build of Power Worm if the DECRPYT_INSTRUCTION.html note it drops lists the ID# as qDgx5Bs8H. Again, paying the ransom isn't advisable regardless of which variant is involved.
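The check described above, as an added example (not code from the article or from Bleeping Computer): a small triage script that walks a directory tree such as a mounted disk image, finds every DECRPYT_INSTRUCTION.html note, pulls out the victim ID, and flags notes carrying qDgx5Bs8H as belonging to the build that never stored its key. The article does not show the note's markup, so the regular expression that reads the ID is an assumption (it expects "ID#" followed by the value) and should be adjusted after looking at a real sample; the sample notes the script builds are constructed for the dry run, and the second ID in them is a placeholder, not an identifier from any real infection.

```python
import re
import tempfile
from pathlib import Path

# Ransom note filename (misspelling included) and the victim ID that the
# article says identifies the Power Worm build that throws away its key.
NOTE_NAME = "DECRPYT_INSTRUCTION.html"
BROKEN_BUILD_ID = "qDgx5Bs8H"

# Assumption: the note shows the ID as "ID#" followed by the value. The
# article does not show the note's markup, so adjust this pattern after
# looking at a real sample.
TAG_RE = re.compile(r"<[^>]+>")
ID_RE = re.compile(r"\bID#?\s*[:=]?\s*([A-Za-z0-9]{6,})")


def extract_victim_id(note_html):
    """Strip HTML tags and pull out the victim ID, or None if not found."""
    text = TAG_RE.sub(" ", note_html)
    match = ID_RE.search(text)
    return match.group(1) if match else None


def find_ransom_notes(root):
    """Recursively locate every ransom note under root (e.g. a mounted image)."""
    return sorted(p for p in Path(root).rglob(NOTE_NAME) if p.is_file())


def triage(root):
    """Return one dict per note: where it was, the ID it carries, and whether
    that ID marks the broken build for which no key exists anywhere."""
    findings = []
    for note in find_ransom_notes(root):
        victim_id = extract_victim_id(note.read_text(errors="replace"))
        findings.append({
            "note": str(note),
            "victim_id": victim_id,
            "key_unrecoverable": victim_id == BROKEN_BUILD_ID,
        })
    return findings


def build_sample_tree():
    """Constructed sample data for a dry run; the second ID is a placeholder,
    not an identifier from any real infection."""
    root = Path(tempfile.mkdtemp(prefix="powerworm_triage_"))
    broken = root / "Users" / "alice" / "Documents"
    other = root / "Users" / "bob" / "Desktop"
    broken.mkdir(parents=True)
    other.mkdir(parents=True)
    (broken / NOTE_NAME).write_text(
        "<html><body><p>Your files are encrypted.</p>"
        "<p><b>ID#</b>: qDgx5Bs8H</p></body></html>")
    (other / NOTE_NAME).write_text(
        "<html><body><p>Your files are encrypted.</p>"
        "<p>ID# PLACEHOLDER1</p></body></html>")
    # An unrelated HTML file must not be picked up as a note.
    (other / "readme.html").write_text("<p>ID# qDgx5Bs8H</p>")
    return root


if __name__ == "__main__":
    for finding in triage(build_sample_tree()):
        verdict = ("key was never stored; paying cannot recover these files"
                   if finding["key_unrecoverable"] else
                   "other build; paying is still not advisable")
        print(f"{finding['note']}: ID {finding['victim_id']} -> {verdict}")
```

Point the script at a copy of the affected volume rather than the live system, and treat a match on qDgx5Bs8H as confirmation that no decryptor can ever exist for those files, so recovery planning should go straight to backups.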