Skip to content

Latest commit

 

History

History
185 lines (138 loc) · 5.87 KB

README.md

File metadata and controls

185 lines (138 loc) · 5.87 KB

It's so easy! (Ransomware PoC)

Ransomware: Attention

ATTENTION! This program code is malicious and can encrypt or/and delete personal data!

Disclaimer

Attention! Use of the code samples and proof-of-concepts shown here is permitted solely at your own risk for academic and non-malicious purposes. It is the end user's responsibility to comply with all applicable local, state, and federal laws. The developer assumes no liability and is not responsible for any misuse or damage caused by this tool and the software in general.

What?

This is a Ransomware Concept written in Python, Go and C99. Yes it is malicious. Yes, if you do that on your own VMs it is okay. Yes, if you misconfigured the architecture or network and encrypt your own files they are gone forever.

Why?

This PoC I've written for some educational projects. Only for that! And because I am very interested in the topics of how malware is detected and works. :D By the way, on Windows only 4 from 71 AV-Scanners detected the packaged and obfuscated client. On Linux only 1!

How malicious is it?

Very, by using a alternative hybrid technique! The program uses AES-256 symmetric encrption mode for file encryption. The Keys where sent by the server using TLSv1.{2,3}. The Keys where directly deleted after (en-) decryption.

forthebadge made-with-python

Setup

  • Clone the repo: git clone https://github.com/bstnbuck/ItsSoEasy

Structure

  • Python server: src/server

  • Python GUI: src/python-gui
  • Python command line: src/python-cmd
  • Go: src/go
  • C99: src/c99
Python GUI Python command line Go C99

Requirements

  • Python 3.7.9 or higher
  • PyInstaller 4.2
  • to install the requirements use pip with following command:
    • python3 -m pip install -r requirements.txt
    • installation of Tkinter with Linux or Windows commands

Files:

  • client.py -> the ransomware client
  • setup.py -> the first executed program at packaged state -> starts the client
  • server.py -> the server application
  • requirements.txt -> all exclusive requirements for the program-code

Build

Client

pyinstaller –-onefile –-uac-admin itssoeasy.py

Server

  • just start on server VM with python3 server.py

Requirements

  • Python 3.9
  • PyInstaller 4.2
  • to install the requirements use pip with following command:
    • python3 -m pip install -r requirements.txt

Files:

  • client.py -> the ransomware client
  • requirements.txt -> all exclusive requirements for the program-code

Build

pyinstaller –-onefile –-uac-admin itssoeasy.py

Requirements

  • Go 1.20 and higher

Files:

  • main.go -> the ransomware client
  • helper_<os>.go -> special syscall functions on each OS

Build

  • go build .

Requirements

Windows

  • MinGW-W64 8.1.0 (gcc)

Linux

  • gcc 10.2.1 or similar

Files:

  • main.c -> ransomware client
  • src/helper.{c,h} -> helper functions
  • src/b64.{c,h} -> base64 encode and decode
  • src/openssl -> openssl functions needed for Windows statically linking

Build

Windows

gcc main.c src/b64.h src/b64.c src/helper.h src/helper.c src/openssl/ssl.h src/openssl/aes.h src/openssl/libssl.a src/openssl/libcrypto.a src/openssl/libz.a -lws2_32 -lgdi32 -lopengl32 -Wall -o itssoeasy_client_win.exe

Linux

gcc main.c src/b64.h src/b64.c src/helper.h src/helper.c -lcrypto -lssl -Wall -o itssoeasy_client_linux

System-, Network architecture & Usage (only for educational testing!):

This is the test-environment I've used. Network Overview

  • Server: VBox Debian Linux Buster (Version 10) with

    • host-only-adapter
    • static ip: paste it into client file
    • for example Apache2 with website for delivery
    • local SQLite (nothing to do...)
      • database itsSoEasy and table clients
        • columns:
          • id : int, primary key, no-null
          • userIdentity : text, no-null
          • userKey : text, no-null
          • userIV : text, no-null
          • additional : text
    • itsSoEasy-Server -> server.py:
      • port 6666
      • creates logging file
      • needs certs folder in the same directory to start TLS-connection
  • Client (Python GUI, others may have less functions):

    • NAT (internet and internal ips) -> needs no static ip!
    • Ubuntu 20.04 (Focal Fossa), Windows 10
    • for example usage of precompiled binarys:
      • per delivery on website from server
    • ATTENTION: will encrypt whole Documents or a special directory in it on both os!

    • automatically requests a decryption after several seconds
    • ATTENTION: debugging will be detected!

      • At the begin, process list will be analyzed
      • during execution time will be taken, if more than 1,5 seconds programm opens https://google.de and kills itself.

        -> ATTENTION for vboxes with minimal ram or hdd-disks usage

      • if event killed itself, start again, process will do his thing (encryption or decryption)
    • if not payed the ransom, after restart, it starts automatically
    • killing process with STRG-C will not work!
    • removes itself and all his created files automatically when procedure is done

Full Procedure

procedure

Some screenshots while ItsSoEasy (Python-GUI) is in action :D

  • A friendly welcome message linux_whoops windows_whoops

  • How to pay (opened in default browser) ransom_message

  • The Clou: Is it easy enough for you? ;) the_clou