It’s not unusual for malware authors to insert little messages to the security industry into their code. Sometimes there’s an element of almost-friendly banter, a bit like a naughty child sticking its tongue out, like the sometimes ambivalent relationship between virus writers and antivirus researchers on alt.comp.virus and other newsgroups. I don’t visit those groups any more, but towards the end of the period when I did visit, most of the traffic seemed to be submerged in a flood of abuse and vituperation (not to mention bits of malware), which is one of the reasons I stopped visiting.
Still, those who have the delightful job of disassembling malware often find little messages from its authors. Usually they seem to be at the abusive end of the spectrum, aimed at companies and researchers who’ve been inconveniently efficient at detecting earlier versions of the malware.
Such seems to be the case with the author of the Radamant ransomware kit, as reported by David Bisson for Tripwire – Ransomware Author Insults Creator of Decryption Tool in Malware’s Embedded Strings – concerning how Emsisoft’s Fabian Wosar, having published a tool for decrypting files compromised by Radamant, was ‘complimented’ by the inclusion of strings such as .rdata:0040C030 00000021 C ThxForHlpFabianWosarANDbleepYOU!! in a subsequent version.
Happily, Wosar has managed to survive the trauma. He commented:
‘I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that.’
And came up with a revised decryption tool within two days.
The purveyor of the Radamant ‘Ransomware as a Service’ tool is apparently working on another version.
David Bisson published a more general article on ransomware and how to deal with it back in January 2015. I’ll be adding that to the resources page at the same time as I add a pointer to this article.