Adaptative encryption method ransomware.
This ransomware project is an attempt to create a ransomware which is able to choose between few encryption methods (AES, Chacha20, RSA) in aim to optimize time performance. The ransomware is in two parts, the first one is the C2 which deal with key storage and generation. The second one is the ransomware executed on victim PC.
For now, this ransomware is only useable on Linux based system due to the way we handle the benchmark.
Usage of anything presented in this repo to attack targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.
I recommend you to use the provided docker compose to use this project, by following this advice you can skip this section. If you really want to use it without container feel free to setup it all by yourself, you'll find below what you need to install.
The C2 uses node to provide services, a postgreSQL database is used with it to store keys.
https://nodejs.org/en
https://www.postgresql.org/download/
For the ransomware you'll only need gcc in aim to compile the ransomware.
https://gcc.gnu.org/
You can find a docker compose file in the directory docker, by using the following command you'll be able to start the infrastructure.
docker compose up
In this infrastructure you can find the C2 and his database, furthermore there is also another container where you can use the ransomware in a safe way.
Once the project is started, you can have access to the endpoint of the nodeJS server on this following URL:
http://localhost:5000/api-docs/
Once the infrastructure is started, you have to connect to the victim container. To compile the ransomware use this following command:
make all
Once the ransomware is compiled, you can use it in two ways. The first one is in a sandbox for test purposes and the second one is unrestricted. By default, the unrestricted one will scan all following paths during the indexing process, feel free to modify it in the code:
/home/$USERNAME/Downloads/
/home/$USERNAME/Desktop/
/home/$USERNAME/Music/
/home/$USERNAME/Pictures/
/home/$USERNAME/Videos/
/home/$USERNAME/Documents/
About the sandbox mode the indexing process only scan the path /tmp/sandbox-ransomware/ where beforehand five files are created and fill with this text This is a useless file.
Warning: if you encrypt in sandbox mode you should decrypt in sandbox mode to be able to re-encrypt. This warning also applied if you use the unrestricted mode.
To encrypt in sandbox mode you can use the following command:
./ransomware --encrypt
For the unrestricted mode use this command:
./ransomware --encrypt --disableSM 286755fad04869ca523320acce0dc6a4
To decrypt in sandbox mode you can use the following command:
./ransomware --decrypt
For the unrestricted mode use this command:
./ransomware --decrypt --disableSM 286755fad04869ca523320acce0dc6a4
- Find files to encrypt
- Retrieve key for encryption from attacker server
- Retrieve key for decryption from attacker server
- Encrypt RSA
- Decrypt RSA
- Modification RSA pour gros fichiers
- Benchmark (local)
- Benchmark (serveur)
- Encrypt AES-256
- Decrypt AES-256
- Refactoring functions
- Encrypt Chacha20
- Decrypt Chacha20
- Main file
- Docker environment to test ransomware
- Daemon
- Dropper
- Multi thread encryption process
- Usage option
- Key generation
- Key storage in database
- Benchmark scoring
- HTTPS
- Refactoring victim ID
- Adapt benchmark scoring system
https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594
https://stackoverflow.com/questions/1722112/what-are-the-most-common-naming-conventions-in-c
- Trivial Variables: i,n,c,etc... (Only one letter. If one letter isn't clear, then make it a Local Variable)
- Local Variables: camelCase
- Global Variables: g_camelCase
- Const Variables: ALL_CAPS
- Pointer Variables: add a p_ to the prefix. For global variables it would be gp_var, for local variables p_var, for const variables p_VAR. If far pointers are used then use an fp_ instead of p_.
- Structs: ModulePascalCase (Module = full module name, or a 2-3 letter abbreviation, but still in PascalCase.)
- Struct Member Variables: camelCase
- Enums: ModulePascalCase
- Enum Values: ALL_CAPS
- Public Functions: ModulePascalCase
- Private Functions: PascalCase
- Macros: PascalCase
I typedef my structs, but use the same name for both the tag and the typedef. The tag is not meant to be commonly used. Instead it's preferrable to use the typedef. I also forward declare the typedef in the public module header for encapsulation and so that I can use the typedef'd name in the definition.