In last few year you can heard news about ransomware virus which locked the computer and files encrypted by malicious programs designed to extort money from users.
And previously we discuss about how to protect your system from Ransomware virus but today i am going to show you how you can create your own Ransomware virus.
How to Create Your Own Ransomware Virus?
Note: This project is purely academic, use at your own risk. I do not encourage in any way the use of this software illegally or to attack targets without their previous authorization. The intent here is to disseminate and teach more about security in the actual world. Remember, security is always a double-edged sword.
[tmh_article_ads]
What is Ransomware Virus?
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
Project Summary
This project aims to build an almost functional crypto-ransomware for educational purposes, written in Go. Basically, it will encrypt your files in background using AES-256-CTR, a strong encryption algorithm, using RSA-4096 to secure the key exchange with server. Yeah, a Cryptolocker like malware.
Dear candidates can check your Speed Post Tracking for Courier status, Parcel detail, the exact location of the consignment.
It is composed of two main parts, the server and the malware itself.
You have to see : Best Snapchat Tips, Tricsks and Hidden Secrets ( Latest )
The server is responsible for store the Id and the respective encryption key and possibly act as a Command and Control server in the near future.
The malware encrypt with your RSA-4096 public key any payload before send then to the server. This approach with the https transport together make the security and authentication almost unbreakable (in theory).
Project tasks
Run in Background (or not)
Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file
Without virus signature (at the moment)
Use RSA-4096 to secure the authenticity
HTTPS and HTTP\2 Transport by default
Stream encryption to avoid load an entire file into memory
Walk all drives by default, including usb’s and network locations
Lock registry entry with hash digest(maybe SHA-256) to identify an infected victim
Tor or other approach to hide the connection with the C&C see issue 3
Docker image for compilation
[tmh_article_ads]
You can have: Grammarly Discount Code
Building the binaries
DON’T RUN ransomware.exe IN YOUR PERSONAL MACHINE, EXECUTE ONLY IN A TEST ENVIRONMENT!
go get -v github.com/mauri870/ransomware cd $GOPATH/src/github.com/mauri870/ransomware
Docker
# You can compile the server for windows using env GOOS=windows make instead of make ./build-docker.sh make
Done! The binaries live on the bin folder.
Local
You need Go at least 1.8 with the $GOPATH/bin
in your $PATH and $GOROOT
pointing to your Go installation folder
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let’s leave make
do your job:
make deps make
If you like build the server for windows from a unix machine, run env GOOS=windows make
.
For developers : Web Development – Most Used by the Programmers
DON’T RUN ransomware.exe IN YOUR PERSONAL MACHINE, EXECUTE ONLY IN A TEST ENVIRONMENT!
Usage and How it Works
The malware will run in background. You can see what is going on commenting the HIDDEN line on Makefile before build
By default, the server will listen on https://localhost:8080
. The client will use this host as the default url too.
You can put the server on any domain and start it. Simply overwrite the SERVER_HOST
and SERVER_PORT
on Makefile before build and the malware will try to connect with this url instead
After build, a binary called ransomware.exe
, server
/server.exe
and unlocker.exe
will be generated on the bin folder. The execution of ransomware.exe
and unlocker.exe
(even if it is compiled for linux/darwin) is locked to windows machines only.
Feel free to edit the parameters across the files for testing. The most important parameters are defined in cmd/common.go
and Makefile
.
Put the binaries on a correct windows test environment and start the server. It will wait for the malware contact and persist the id/encryption keys
When double click on ransomware.exe
it will run in background by default, walking interesting directories and encrypting all files that match the interesting file extensions using AES-256-CTR and a random IV for each file, recreating then with encrypted content and a custom extension(.encrypted by default) and create a READ_TO_DECRYPT.html and FILES_ENCRYPTED.html files on desktop.
You must know : Must to Know Things About CryptoCurrency
In theory, to decrypt your files you need to send an amount of BTC to the attacker’s wallet, followed by a contact sending your ID(located on the file created on desktop). If your payment was confirmed, the attacker possibly(or maybe not) will return your encryption key and the unlocker.exe
and you can use then to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.
Let’s suppose you get your encryption key back, you can retrieve it pointing to the following url:
curl -k https://localhost:8080/api/keys/:id
Where :id
is your identification stored in the file on desktop. After, run the unlocker.exe
by double click and follow the instructions.
[tmh_article_ads]
That’s it, got your files back ?
Download Source Code
Server endpoints
The server has only two endpoints at the moment
POST api/keys/add
– Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.
GET api/keys/:id
– Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error.
The end
As you can see, building a functional ransomware, with some of the best existing algorithms is not dificult, anyone with some programming skills can buit that in any programming language.
Share your thoughts