When Turkish computer programmer and Istanbul Bilgi University student Utku Sen created an open-source computer virus called “eda2,” he didn’t intend for it to hurt anyone.
Then everything got out of control.
Eda2, like Sen’s previously published “Hidden Tear,” was created with the intention of tricking amateur hackers (or “script kiddies”) into using it.
Both eda2 and Hidden Tear are a type of malware known as “ransomware,” which encrypts a victim’s files, leaving them inaccessible unless the victim pays for the decryption key.
Sen’s idea was to leave an exploitable bug in the code of the virus, wait for hackers to use it instead of other available options, and then decrypt victims’ files via the so-called “backdoor” that he left in the code. When hackers attempted to use Hidden Tear after Sen released it last August, he successfully swooped in and saved the day.
So everything was going according to plan when, late last month, hackers took Sen’s eda2 code and used it to demand money from unsuspecting victims with a virus called “Magic.”
But this time, his attempt to break his own code fell flat.
The creators of the Magic virus were deploying the virus from a free website. All Sen should have had to do was retrieve a database of decryption keys through a hole he left in the virus’ “command and control” code, but there was a problem: the company hosting the ransomware’s control server shut down the website, and the decryption key database, which existed only on that server, was deleted along with it.
It was a possibility Sen hadn’t considered.
Admitting his failure, Sen took down the code for eda2 and apologised. The saga didn’t end there.
The developer of Magic appears
Days after Sen shut down the service, someone using the name “jeanclaudevandan” appeared on a support thread on the popular computer help site Bleeping Computer claiming to be behind the Magic virus. Jeanclaudevandan seemed sympathetic and offered to help another poster who had lost images of his newborn son.
Sen joined the support thread not long after, and Jeanclaudevandan confronted him directly — by making a ransom offer.
Jeanclaudevandan told Sen that if he took down the code from his earlier project, Hidden Tear, and paid 3 bitcoins (about $1100), then jeanclaudevandan would make the decryption keys available for the victims of eda2.
“This offer [is] only valid for 1 hour,” jeanclaudevandan wrote.
Lawrence Abrams, Bleeping Computer’s founder, stepped in to help negotiate and asked jeanclaudevandan to drop the bitcoin ransom. Abrams had previously tried to convince Sen to take down his “educational” projects.
“My goal when trying to broker a deal with [jeanclaudevandan] was to get Hidden Tear taken down and the keys back for the victims,” Abrams told Business Insider.
The pseudonymous poster agreed to the deal, but threatened to spread the virus even further if Sen published any new projects in the future.
Despite the deal brokered by Abrams, jeanclaudevandan also tried to provoke Sen by making disparaging remarks about Sen’s Turkish background and including the name of Russian President Vladimir Putin in a decrypting tool sent to a victim on the forum.
Sen told Business Insider that he initially refused to comply with jeanclaudevandan’s demand because he believed he was being attacked for political reasons.
Sen also said the negotiation process was far nastier in private emails than it appeared on Bleeping Computer.
“They [threatened] to attack the company which I work for. Their plan was damaging my career and reputation. Unfortunately, I couldn’t risk my career and accepted their demand,” Sen said.
Sen says that he still doesn’t understand the motives of the people behind the Magic ransomware.
On the forum, jeanclaudevandan claimed to be motivated by a desire to protect the community from free tools that could be used maliciously and effectively — despite appearing to have done just that.
Sen theorised that, despite claims to the contrary, jeanclaudevandan was a virus developer and saw Sen’s projects as competition.
Abrams doesn’t understand it either. According to Abrams, jeanclaudevandan claimed to have asked Sen to take down eda2 earlier and only made the Magic ransomware when Sen refused.
Jeanclaudevandan originally offered to explain himself to Business Insider, but did not respond when we tried to follow up.
What’s next for Sen
According to Sen, the eda2 project was meant to be a tribute to a woman named Eda who had encouraged a then-ambivalent Sen to publish his original ransomware project, Hidden Tear. Sen has since lost touch with her.
Sen blamed the failure of eda2 on his impatience to publish the code. He published it without extensively testing it, hoping to catch the attention of the now-absent Eda, and overlooked the design mistake that cost victims their decryption keys.
Thanks to the deal between Sen and jeanclaudevandan, the victims of “Magic” have since been able to restore their files, but the experience has convinced Sen to get out of the ransomware game.
“I won’t develop any ransomware in future,” Sen said. “Currently I’m working on an AI project in my university. I will focus on that until summer.”