Ransomware - Windows Crypto Ransomware in Go

Ransomware - Windows Crypto Ransomware in Go | hack4.net

Windows Crypto Ransomware in Go

    Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.

This project aims to build an almost functional crypto-ransomware for educational purposes, written in Go. Basically, it will encrypt your files in background using AES-256-CTR, a strong encryption algorithm, using RSA-2048 to secure the key exchange with server. It is composed of two main parts, the server and the malware itself. The server is responsible for store the Id and the respective encryption key, received from the malware binary during execution. The malware encrypt with your RSA-2048 public key a payload containing the id/enckey generated on runtime, sending then to the server, where it is properly decrypted with the respective RSA private key, and then persisted for future usage.


Project tasks

  • Run in Background (or not)
  • Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file
  • Without virus signature (at the moment)
  • Use RSA-2048 to secure the comunication with server
  • Stream encryption to avoid load an entire file into memory



You need Go at least 1.7

go get -v github.com/mauri870/ransomwarego get -v github.com/akavel/rsrccd $GOPATH/src/github.com/mauri870/ransomware

This project uses Glide for vendor management




Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let’s leave make do your job


If you like build the server for windows from a unix machine, run env GOOS=windows make

The malware will run in background. You can see what is going on by simply remove the -ldflags="-H windowsgui" from the ransomware section on Makefile before build

By default, the server will listen on localhost:8080. The client will use this host as the default url too.

You can put the server on any domain and start it. Simply overwrite the SERVER_URL constant on client/main.go before build and the malware will try to connect with this url instead



Feel free to run the commands specified on Makefile manually. A few things to known:

  • RSA Keys protected with password is not supported
  • The .syso file generated by rsrc must be in the same directory as ransomware.go during go build
  • the keys must be filled correctly inside the []byte conversion, private on server and public on ransonware.go

   After build, a binary called ransomware.exe, server/server.exe and unlocker.exe will be generated on the bin folder. The execution of ransomware.exe and unlocker.exe (even if it is compiled for linux/darwin) is locked to windows machines only.


Usage and How it Works

   Feel free to edit the parameters across the files for testing. Put the binaries on a correct windows test environment, start the server by double click or run then on the terminal. It will wait for the malware contact and persist the id/encryption keys

When double click on ransomware.exe binary it will run on background, walking interesting directories and encrypting all files that match the interesting file extensions using AES-256-CTR and a random IV, recreating then with encrypted content and a custom extension(.encrypted by default) and create a READ_TO_DECRYPT.html file on desktop

In theory, for decrypt your files you need send an amount of BTC to the attacker’s wallet, followed by a contact sending your ID(located on the file created on desktop). If your payment was confirmed, the attacker possibly will return your encryption key and the unlocker.exe and you can use then to recover your files. This exchange can be accomplished in several ways.

Let’s suppose you get your encryption key back, you can retrieve it pointing to the following url:

curl http://localhost:8080/api/keys/:id

Where :id is your identification stored on the file on desktop. After, run the unlocker.exe by double click and follow the instructions.

And that’s it, got your files back


Server endpoints

The server has only two endpoints

POST api/keys/add – Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.

GET api/keys/:id – Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error

No comments

Note: Only a member of this blog may post a comment.

Powered by Blogger.