Executioner Ransomware is a Fine Example of Sloppy Coding

In the world of ransomware, we often see new types of malware which are not performing the way one would expect. In the case of Executioner ransomware, this becomes all the more apparent. Despite looking quite intimidating, the developer managed to mess up the encryption routine altogether. As a result, Executioner poses no real threat whatsoever, especially not when considering there is no dedicated distribution campaign.

Executioner Ransomware is a Joke

When cybercriminals make it easy for everyone to create malware, it is only to be expected some versions of malicious software will underperform compared to others. Take the Executioner ransomware, for example, which poses no real threat. In fact, it is an example is how one should NOT create a new ransomware altogether. In fact, it may be one of the worst types of malware we have seen in recent years.

More specifically, the person responsible for developing Executioner may want to go back to the drawing board. Ransomware is mainly feared because the malicious software encrypts computer files, and often provides no convenient way to decrypt the files without paying the ransom amount. Executioner is a welcome exception in this regard, as the developer has messed up the encryption process quite a bit.

Moreover, it appears Executioner is based on a rather old type of ransomware code, known as EDA2. This particular building kit has been around since 2015. It is evident security researchers have come up with a way to nullify this threat over the past year and a half. This also means Executioner can easily be decrypted without making any payment whatsoever. If the developer aimed to get rich overnight, that plan has failed before the malware was even distributed.

Things only get stranger as you look deeper into how Executioner works. The ransomware strain avoids encryption of the Windows, Program Files, and Program Files (x86) folders altogether. That is rather remarkable, considering one would expect the ransomware to at least encrypt a portion of the subdirectories in these folders. Victims are asked to visit a darknet website to receive decryption instructions, which is not uncommon in the world of malware these days.

Since there is no command & control server associated with Executioner ransomware, the information about infected computers is sent via email. This information will include the computer name, IP address and the decryption key itself. This latter aspect is incredibly strange, to say the least, as this allows for the decryption key to be intercepted with relative ease. It is one of the downsides of creating a new type of ransomware based on a tool developed years ago.

It turns out one can easily decrypt Executioner, as the encryption used by this malware is rather easy to break. However, there is no decryptor available right now, since it does not appear Executioner is part of a distribution campaign. Whether or not that is a conscious decision, remains unknown right now. Anyone hit by this ransomware can reach out to Michael Gillespie on Twitter to get rid of this malware without paying any ransom.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.