EduCrypt ransomware
EduCrypt ransomware teaches victims a lesson about being safe on the internet Reuters

A researcher has discovered a new ransomware dubbed EduCrypt that tries to teach a lesson to its victims about malicious software and being safe online.

Functioning on lines similar to other encrypting malware, EduCrypt also encrypts the files of victims. However, instead of demanding a ransom, it provides them with a password for free, along with a warning. EduCrypt is based on the open source Hidden Tear ransomware.

AVG security researcher Jakub Kroustek, who discovered this ransomware, says he was able to deobfuscate the program, which was designed to teach the victim a lesson. It encrypts a limited set of folders, and has a small amount of targeted file extensions. Most importantly it does not require to communicate with a Command & Control (C&C) server for instructions.

EduCrypt encrypts files from the following folders:


This ransomware encrypts files located in a set of folders that match certain extensions using AES encryption with a password of HDJ7D-HF54D-8DN7D. During the encryption, the malicious software will add the .isis extension to the filename.

Once the process is complete, it will create a note called Readme.txt on the victim's desktop, with a link to decrypt and information about what happened to the victim's files. The hidden file is located at %UserProfile% / Documents / DecryptPassword.txt and contains the password that can be used to decrypt files.

Kroustek recommends using the decryptor created by Michael Gillespie, although EduCrypt provides a link to a Hidden Tear decryptor.

Kroustek said, "Though I do not agree with the methods the developer used to try and teach victim's a lesson about being safe on the Internet, his statements are correct."

"Users need to be very careful these days about what they download and run from the Internet. Malware is running rampant and users need to be extra vigilant or the consequences can be costly," he added.