Ransomware Development

Hello everybody
It’s been a while since I started programming a RANSOMWARE.
It’s based on " EDA2 " and " HiddenTear " with the ability to automatic windows exploitation and behave like a worm
But programming this is a bit hard as a single-person job, So if anyone of you wants to help, I will happy.
Even a good comment can make a lot of help.
So feel free and Express your comments.

3 Likes

What programming language?

C#
The core will run as windows service

Have you figured out a design or at least know how it will be put together to some degree?

I figured it out somehow


It contains 5 part

  1. The Core: Just Encrypting Data | as Windows Service

  2. Additional service that checks core every specific time and it will not allow system to shutdown or restart

  3. Additional service that after the core did its job, it will kill core service and wipe core file

  4. GUI: It just shows messages and will checks whether the entered password is correct or not and if it be correct, it will run decrypter, after decrypter done its job, it will overwrite all related files and wipe them | Disable: Desktop, Alt+F4, Task Manager, Regedit

  5. Decrypter: Decrypting encrypted files

2 Likes

Of course we assume this is just for educational purposes :wink: Do you intend to make your Ransomware easily beeing “broken”? You can easily decompile C# back to IL code, so malware analysis should not be hard. If you store the decryption key on the client and only “check” the password on the client, there’s a very high chance someone finds a bypass. Or did I misunderstand you here? It would be better to use a C&C server which stores the key along with an ID and the client discards it after encryption is finished

3 Likes

Educational purposes, Of course :wink:
Codes are obfuscated and the program packed with packing tools.
Also, the decryption password will not store in victim machine, the password will generate before encryption phase and will be sent to a server on the TOR network, I should add this that password will be encrypted before sending to server


Mmm … and one more thing, The decrypter will encrypt with a different key+algorithm than the key to which the files are encrypted with that

1 Like

There’s no need for the decryption key to be sent anywhere. Using public key crypto, you can simply encrypt the decryption key with a public key and leave it on the victim’s machine as there’s no way (currently) for anyone to be able to recover it. For generating the key pairs, see here: https://security.stackexchange.com/questions/159545/ransomware-encryption-keys

2 Likes

Im a n00b when it comes to stuff like this but I ran across this article and it seems relevant to this conversation

Ghost Hook Bypass

2 Likes

Just like EDA2 and new one WANNACRY(a little bit)
It is a good idea


That was interesting technique


What if I change the scenario: (Default)each victim machine has its own randomized key, then hash key with SHA then hashed data use as AES encryption key,[in default state, the key generated in this step will use to encrypt files](new scenario)encrypt AES output with public key[the final key generated], then use this to encrypt files

But as John Constantine said " always there is a catch "
So, if I use a fixed public key to encrypt files, when the first victim get private key to decrypt his/her files, it can share key in public and all others can decrypt their files
What can I do for this?
I have an idea, at the beginning of the program, the ransomware will send PC_name and USER_name to a server, the server will generate public/private key and will store both+victim details in its db and will send the public key to the victim.


I was thinking about another scenario.
How if I Encrypt files with public key?

Again, There is a catch. Here problem is file size
Because RSA encryption only works if the file size is lesser than the public modulus n. This is because while decrypting the file the modulus over n is applied to the encrypted file.
So, I think I should fragment files
(This is just a raw idea)


Hovov, It was finally over(I Think)

I’d advise against it and suggest it be generated as required using a CSPRNG.

No one gets any private keys, hence the name private. The server should decrypt the public-key-encrypted symmetric key and then send that back to the victim.

There will be an issue if there is no internet connection. The link I provided has already addressed this problem where WannaCry will generate a fresh key pair and then will encrypt the generated private key with a local master public key which only the server has its private key.

I will check that out.


I don’t know too much about this but I think when victim paid money and he/she wants to decrypt files, it should have the private key, so how he/she can decrypt files without the private key?


This sounds good :thumbsup:

The symmetric key used to encrypt the files is encrypted with a uniquely generated public key. If the victim wishes to decrypt their files, they send it to the server so that it can be decrypted with the private key to retrieve the symmetric key. The symmetric key is sent back to the victim which is used to decrypt the files.

1 Like

silly statements


What you think about this?

Are you saying that you want to encrypt the files using RSA? If so, then that is not how it works. You generate a symmetric key for that task. The RSA’s job is to secure the symmetric key so that no one has access to it.

1 Like

Exactly. Do not use the symmetric key, even do not generate that.
I think since files are ultimately made of bytes (bits actually) it can be done

Then how will you encrypt the files? Using the public key?

I do not know exactly how it is possible but yeah.
Any advice?

Why don’t you wanna use AES for encrypting the files and encrypt the key with RSA?

Considering that RSA is based off intense calculations with huge numbers, the speed of encryption will be much slower than that of a symmetric cipher.

2 Likes