Ransomware - Windows Crypto Ransomware in Go
Windows Crypto Ransomware in Go
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.
This project aims to build an almost functional crypto-ransomware for educational purposes, written in Go. Basically, it will encrypt your files in background using AES-256-CTR, a strong encryption algorithm, using RSA-2048 to secure the key exchange with server. It is composed of two main parts, the server and the malware itself. The server is responsible for store the Id and the respective encryption key, received from the malware binary during execution. The malware encrypt with your RSA-2048 public key a payload containing the id/enckey generated on runtime, sending then to the server, where it is properly decrypted with the respective RSA private key, and then persisted for future usage.
Project tasks
- Run in Background (or not)
- Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file
- Without virus signature (at the moment)
- Use RSA-2048 to secure the comunication with server
- Stream encryption to avoid load an entire file into memory
Installation
You need Go at least 1.7
go get -v github.com/mauri870/ransomwarego get -v github.com/akavel/rsrccd $GOPATH/src/github.com/mauri870/ransomware
This project uses Glide for vendor management
DON’T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE ONLY IN A TEST ENVIRONMENT!
Build
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let’s leave make
do your job
make
If you like build the server for windows from a unix machine, run env GOOS=windows make
The malware will run in background. You can see what is going on by simply remove the -ldflags="-H windowsgui"
from the ransomware section on Makefile before build
By default, the server will listen on localhost:8080
. The client will use this host as the default url too.
You can put the server on any domain and start it. Simply overwrite the SERVER_URL
constant on client/main.go
before build and the malware will try to connect with this url instead
Manually
Feel free to run the commands specified on Makefile
manually. A few things to known:
- RSA Keys protected with password is not supported
- The .syso file generated by rsrc must be in the same directory as
ransomware.go
duringgo build
- the keys must be filled correctly inside the
[]byte
conversion, private on server and public onransonware.go
After build, a binary called ransomware.exe
, server
/server.exe
and unlocker.exe
will be generated on the bin folder. The execution of ransomware.exe
and unlocker.exe
(even if it is compiled for linux/darwin) is locked to windows machines only.
Usage and How it Works
Feel free to edit the parameters across the files for testing. Put the binaries on a correct windows test environment, start the server by double click or run then on the terminal. It will wait for the malware contact and persist the id/encryption keys
When double click on ransomware.exe
binary it will run on background, walking interesting directories and encrypting all files that match the interesting file extensions using AES-256-CTR and a random IV, recreating then with encrypted content and a custom extension(.encrypted by default) and create a READ_TO_DECRYPT.html file on desktop
In theory, for decrypt your files you need send an amount of BTC to the attacker’s wallet, followed by a contact sending your ID(located on the file created on desktop). If your payment was confirmed, the attacker possibly will return your encryption key and the unlocker.exe
and you can use then to recover your files. This exchange can be accomplished in several ways.
Let’s suppose you get your encryption key back, you can retrieve it pointing to the following url:
curl http://localhost:8080/api/keys/:id
Where :id
is your identification stored on the file on desktop. After, run the unlocker.exe
by double click and follow the instructions.
And that’s it, got your files back
Server endpoints
The server has only two endpoints
POST api/keys/add
– Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.
GET api/keys/:id
– Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error
Post a Comment