Skip to content

ykankaya/CryptoTrooper

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

LICENSE

LICENSE

 
 

LICENSE-WhiteBox

LICENSE-WhiteBox

 
 

README.md

README.md

 
 

bg.jpg

bg.jpg

 
 

cipher.sh

cipher.sh

 
 

decipher.sh

decipher.sh

 
 

list

list

 
 

ransom.html

ransom.html

 
 

whiteCipher

whiteCipher

 
 

whiteDecipher.sh

whiteDecipher.sh

 
 

whiteKey

whiteKey

 
 

Repository files navigation

CryptoTrooper

CryptoTrooper is the world's first Linux white-box ransomware for learning purpose

It requires :

  • Debian-based 64-bit OS with root - mostly used nowadays
  • Apache/Nginx - for Web service encryption and for changing the main page
  • MySQL/PostgreSQL - for database encryption
  • /root and /home - for personal data encryption

How it works :

  • Infection - the victim's server is exploited and infected somehow, gaining root privileges
  • Encryption - the ransomware generates a unique symmetric encryption key and encrypts the data
  • White-box - the white-box cipher uses the one-way white-boxed key and encrypts the key used for data encryption
  • Decryption - the victim sends to the attacker the white-box encrypted key and its initialization vector (IV), this key is decrypted by the attacker with its IV and the master key used to generate the white-box key, the true key is sent to the victim

Pros :

  • NO INTERNET CONNECTION IS REQUIRED AFTER INFECTION (since it doesn't uses public-key cryptography at all or any C&C)
  • Key-extraction protection
  • AES only
  • Anti-forensic
  • Random key generation
  • Radom IV

Cons :

  • Chowns white-box construction is broken (not the implementation, but the algorithm itself), thus the ransomware presents ABSOLUTELY NO THREAT AND NO INTEREST FOR MALICIOUS PURPOSE
  • CBC mode isn't the best-one for random data and not the fastest
  • 128-bit key-length should be longer
  • The same key is used for every file
  • The same hardcoded white-box key is used for every execution
  • No code obfuscation (except white-box)

Purposes :

  • Learn ransomware's implementations and concepts, in order to defeat it
  • Practice reverse engineering
  • Be prepared for new and advanced threats
  • Demonstrate the ransomware's power and potential

##How to

Prepare environment

apt-get install apache2 nginx-common mysql-server postgresql

Prepare ransomware

cd /
mv $CRYPTOTROOPER_SOURCE_DIRECTORY/* .


*Encrypt*
```bash
/cipher.sh &

It will encrypt the data with AES-128-CBC with a randomly generated key and a random IV for each file

Than it will use white-box to one-way encrypt this key and will generate key.enc and key.iv

The victim now has to send both files to the attacker

If you visit the local Website, you will notice the message

firefox localhost &

After payment

mv key.enc key.iv $YOUR_DIRECTORY
./whiteDecipher.sh

It will decrypt the victim's key that you may send to it

Decrypt

mv key /
/decipher.sh

Everything should get back to as it was

###Notes

Encryption isn't just encoding, but mathematical encoding

White-box encryption isn't just obfuscation, but mathematical obfuscation

The only way to defeat evil is to become its master

"Research is to see what everybody else has seen, and to think what nobody else has thought."

Albert Szent-Gyorgyi

About

The world's first Linux white-box ransomware

Resources

Readme

License

MIT, BSD-3-Clause licenses found

Licenses found

MIT
LICENSE
BSD-3-Clause
LICENSE-WhiteBox
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Shell 64.1%
  • HTML 35.9%