This is a simple variation of a crypto-locker, in the style of TeslaCrypt and Cryptor, that targets data files (amv, mp3, pdf, etc.).
The process is:
- Recursive directory scan
- Selection of the targeted (sensitive) files by extension
- Encrypting each file's content with AES-256 or RSA-2048, using a unique key per file
- Renaming the file to a random name
- Sending the path, old name, new name and encryption key to the malware server
###### Note 1: PKCS#5 padding is not used, since it slows down the process.
Instead, the final partial block of a file whose size is not divisible by 16 is skipped and left as it is. This means up to 15 trailing bytes of every such file remain in plaintext.
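The following is an added example, not code from this repository: it models the file-selection step of the process above and the block-boundary decision from Note 1, and shows the PKCS#7 padding (the 16-byte-block form of PKCS#5) that the locker omits. The extension set follows the README's target list; the directory layout, file names and sizes are constructed here as sample input. The cipher itself is deliberately left out, so `split_for_block_cipher` only separates the bytes that would be encrypted from the tail that would stay readable.

```python
"""Added example: file targeting and the Note 1 'skip the partial block'
rule, with the PKCS#7 padding the locker leaves out.  Not the project's code."""
import os
import tempfile

BLOCK_SIZE = 16                                  # AES block size in bytes
TARGET_EXTENSIONS = {".amv", ".mp3", ".pdf"}     # from the README's target list


def scan_targets(root):
    """Recursively walk `root` and return the files whose extension is targeted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def unencrypted_tail_len(size):
    """Bytes left in the clear when only whole 16-byte blocks are encrypted."""
    return size % BLOCK_SIZE


def split_for_block_cipher(data):
    """Split content the way Note 1 describes: the whole-block prefix that
    would go through the block cipher, and the partial tail left untouched."""
    cut = len(data) - unencrypted_tail_len(len(data))
    return data[:cut], data[cut:]


def pkcs7_pad(data, block_size=BLOCK_SIZE):
    """PKCS#7 padding: always append 1..block_size bytes, each equal to the
    pad length, so every file becomes a whole number of blocks."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=BLOCK_SIZE):
    """Strip PKCS#7 padding, rejecting anything malformed."""
    if not data or len(data) % block_size:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def audit_plaintext_tails(root):
    """For each targeted file under `root`, report how many trailing bytes a
    locker that skips the partial block would leave readable."""
    return {p: unencrypted_tail_len(os.path.getsize(p)) for p in scan_targets(root)}


def build_sample_tree():
    """Constructed sample directory; sizes are chosen to hit the edge cases."""
    root = tempfile.mkdtemp()
    samples = {
        "music/song.mp3": 1000,    # 1000 % 16 == 8 -> 8 bytes stay in the clear
        "docs/report.pdf": 4096,   # exact multiple -> nothing stays in the clear
        "docs/notes.txt": 1000,    # not a targeted extension, ignored
        "video/clip.amv": 15,      # smaller than one block -> whole file in the clear
    }
    for rel, size in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"A" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, n in audit_plaintext_tails(root).items():
        print(f"{os.path.relpath(path, root)}: {n} trailing byte(s) left unencrypted")
    head, tail = split_for_block_cipher(b"X" * 37)
    print(len(head), len(tail))
```

Running the script against the constructed tree shows the consequence of Note 1 directly: the 15-byte `.amv` sample is never touched at all, and the `.mp3` sample keeps its last 8 bytes readable, while the padded variant would cover every byte at the cost of at most one extra block per file.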
###### Note 2:
The encryption and data manipulation are carried out in CPU registers rather than in RAM, which speeds up and smooths data access. (The file contents still have to be read from and written back to memory; only the cipher's working state stays in registers.)
###### References:
- Remove “Your personal files are encrypted” ransomware
- KillDisk Ransomware Targets Linux; Demands $250,000 Ransom, But Won't Decrypt Files
- Los Angeles College Pays Hackers $28,000 Ransom To Get Its Files Back
- Hal Finney's AES256 implementation