20

I'm working on malware analysis at my university and I'm trying to develop ransomware. I'm planning to publish the source code after it's finished. Is there any open source ransomware sample so I can take a look?

Onsur
    You probably could get a ransomware .exe and try to decompile it. But I doubt this could be successful. You should do some software planning about what you need to do. Remember that most of this software is designed to take control of the whole system. – NathanWay Aug 12 '15 at 01:46
    Sometimes the source code gets leaked by someone who paid for it ([example #1](http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/), [example #2](https://threatpost.com/carberp-source-code-leaked/101070/)). – Matthew1471 Mar 25 '16 at 22:02
  • Uhm, leaked source code does not qualify as open source. Open source gives you rights to use the source too. – Oskar Skog May 17 '17 at 10:53
    @OskarSkog Not true. MS-DOS has recently been made open source, but you have no rights to use it for anything. – forest May 14 '18 at 04:45

5 Answers

16

There is an open source ransomware called Hidden Tear. The code encrypts files with the following extensions: ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd" by default with AES 256 bit encryption.

It is open source so it could be easily customized to not only look for additional files but also the way encryption is done.

galoget
void_in
  • See https://securelist.com/blog/research/73565/hidden-tear-and-its-spin-offs/ . It was created 'to “teach” security researchers how ransomware works'. It encrypted only files in a certain directory ("test"), but could trivially be modified for actual malware use: Useful for criminals who lacked the skills to write ransomware themselves. As such, its being open source benefited these unskilled ransomware developers (whatever the intention), not the victim (who might be considered the "end-user", depending on your point-of-view). – John B. Lambe Sep 07 '16 at 13:23
  • The developers of this do appear to have done what the OP was proposing to do. In both cases, I wonder whether the developers didn't foresee or didn't care about the fact that they were providing a free product to be used for a criminal purpose. It does seem an odd thing to do: To give one's time altruistically to facilitate criminals in defrauding people. – John B. Lambe Sep 07 '16 at 13:43
12

I doubt you'll find ransomware source code floating around in the general public. I'd guess there is code out there somewhere but I wouldn't risk visiting shady sites on the "Darknet" (I really hate that term).

(Un)fortunately, ransomware is not very complex. For a university project, simply encrypting and replacing files in ~/Documents is probably good enough. The trick is making the decryption key only obtainable through you.

Encryption:

  1. Generate Symmetric Key K
  2. Encrypt all files in ~/Documents with K
  3. Send K to Server
  4. Erase all traces of K

Decryption:

  1. Obtain K from server.
  2. Decrypt files with K

I know that notorious ransomware use Asymmetric Encryption, but it actually isn't necessary at all. For example, improperly implemented RSA by CryptoDefense actually made it easier to write automated decryption tools, because they didn't realize that a Windows Crypto API keeps local copies of generated RSA Private Keys. Putting blind faith in a crypto system won't make it secure. What's important is that the decryption key is not recoverable on the system. Whether or not this is done by zeroing memory or encrypting K with an RSA Public Key really does not matter.

David Zech
  • *"darknet (I really hate that term)"* I've sort-of come to terms with it after seeing Wikipedia has an article both on *darknet* and *deep web*, and the definitions are surprisingly reasonable. The media might still use it for any digital network that's unknown to them (if you set up a bunch of ssh tunnels and have 100 people sharing unix tips, they'll call it a deep web or darknet because they don't know how to access it), but at least it's a well-defined and reasonable term. More or less. https://en.wikipedia.org/wiki/Darknet & https://en.wikipedia.org/wiki/Deep_web – Luc Apr 28 '17 at 21:15
  • @Luc yeah, in the last year or two the word has become ubiquitous, so it's fine. – David Zech Apr 29 '17 at 21:31
  • See [hft's answer](https://security.stackexchange.com/a/158367/2755) for a method to use asymmetric cryptography for ransomware without ever having the private key in the victim's machine. – Lie Ryan May 14 '18 at 23:53
7

No. There is not, and I am quite sure there never will be: imagine nuclear weapons being available to buy in a shop.

The spirit of the Open Source community is, luckily, to invest positive effort in developing tools that protect users, ranging from anti-viruses such as ClamAV to web vulnerability scanners such as Grabber, as well as tools intended to assess users' systems, such as those you can find in Kali Linux for pentesting (of course, you can always use the knife to kill someone instead).

But it is true that there are some open source nefarious tools such as ZombieBrowserPack, which is a plugin that can be manipulated remotely to steal authentication credentials and even bypass two-factor authentication mechanisms such as the ones implemented by Yahoo and Google, or simply hijack your Facebook account, and much more. However, this must not lead to a misunderstanding: this plugin was developed by Zoltan Balazs as a PoC for academic purposes, as were other similar tools in the same context. Virus code is freely available on the Internet, but it is intended for academic purposes and cannot do harm, because any malware whose code is released has its life ended as anti-virus companies devise protection against it.

3

"The Zoo" is a good source of malware for research, including some ransomware. This, for example, is ransomware:

Modern ransomware does not typically use just a symmetric key or operate via the mode described in some of the other answers. A method of operation more closely related to "real world" ransomware looks like this:

  • Generate a unique asymmetric key pair on the ransomware server
  • Send the public key to the victim machine for use with ransomware client (already lying in wait on victim machine)
  • For each file in list of files to encrypt:
      • generate random symmetric key (e.g., AES key)
      • encrypt file with random symmetric key
      • encrypt symmetric key with asymmetric public key
      • replace file with symmetric-encrypted file concatenated with public-key-encrypted symmetric key

In this manner, each encrypted file has its own symmetric key encrypted with the unique public-key. Thus the only possibility of recovery is by purchasing the private key, which only exists on the ransomware server.

galoget
hft
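The per-file encryption step is the same in David Zech's symmetric-only flow (generate K, encrypt, hand K to the server, erase K) and in the hybrid scheme this answer describes (per-file K wrapped under the server's public key), so here is one added example covering both. It is not code from either answer, from Hidden Tear or from any real ransomware; it is written against Go's standard library only and operates on a constructed in-memory byte string, never on real files. The names `Server`, `EncryptFile`, `WrappedKey` and `DecryptFile`, and the blob layout (wrapped key, then nonce, then ciphertext) are this example's own choices; AES-256-GCM and RSA-OAEP with SHA-256 are assumed as concrete stand-ins for the "AES key" and "asymmetric key pair" the answer leaves unspecified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

const nonceLen = 12 // cipher.NewGCM's standard nonce size
// Server owns the RSA key pair. The private key is generated here and never
// leaves; the client side only ever sees Public().
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

func (s *Server) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Unwrap is the step a victim pays for: the server recovers one per-file AES key.
func (s *Server) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the per-file step from the answer: a fresh random AES-256 key,
// AES-GCM over the content, and the key wrapped with RSA-OAEP under pub.
// Blob layout: [wrapped key, pub.Size() bytes][nonce, 12 bytes][ciphertext+tag]
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+nonceLen)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // "erase all traces": the client keeps no usable copy
		key[i] = 0
	}
	return append(append(wrapped, nonce...), ct...), nil
}

// WrappedKey is the part of a blob the client sends to the server for unwrapping.
func WrappedKey(pub *rsa.PublicKey, blob []byte) []byte { return blob[:pub.Size()] }

// DecryptFile needs the unwrapped key, which only the server can produce; a
// wrong key fails GCM authentication instead of yielding garbage.
func DecryptFile(pub *rsa.PublicKey, key, blob []byte) ([]byte, error) {
	n := pub.Size()
	if len(blob) < n+nonceLen {
		return nil, fmt.Errorf("blob truncated")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[n:n+nonceLen], blob[n+nonceLen:], nil)
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample "file", in memory only; nothing on disk is touched.
	blob, err := EncryptFile(srv.Public(), []byte("quarterly numbers, do not share"))
	if err != nil {
		panic(err)
	}
	key, err := srv.Unwrap(WrappedKey(srv.Public(), blob)) // only route back to the key
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(srv.Public(), key, blob)
	fmt.Printf("%q %v\n", pt, err)
}
```

The point the two answers agree on is visible in where the key material lives: the client side holds only `pub` and the zeroed `key`, so after `EncryptFile` returns nothing on that machine can open the blob, and `DecryptFile` is only reachable through `Server.Unwrap`. Generating the key pair on the server rather than with a client-side crypto API is what avoids the CryptoDefense mistake David Zech describes, and a fresh key per file means one unwrapped key recovers one file, not all of them. The symmetric-only variant is the same code with the RSA wrap replaced by sending `key` to the server before zeroing it.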
2

You can visit this link:

You will be able to understand how the ransomware works in encrypting and decrypting files. It's written in C and Python too. Good luck!

galoget
Franc