Today I want to share a project I've been working on lately: a ransomware PoC, written for learning, security testing and mostly fun.
I developed the agent in C++ to run on Windows, using the wincrypt library from the WinAPI.
Bear in mind that I haven't looked at much ransomware source code or disassembly; I built this PoC from my own view of how I would implement such a project if I had to.
The agent starts with an HTTP request to the CnC server (written in Python Flask), sending its machine and Windows information. In return, the server generates a Base64-encoded AES-256 key and a unique victim id and sends them back to the agent. The server records the agent's information in a DB for later decryption, and the agent saves the unique id in a local text file so it can use it later when requesting decryption from the server. If the unique id is already present in the CnC's DB, no new key is generated, so the agent won't run again over already-encrypted files.
The agent then moves on to encryption, using the key received from the server to encrypt the whole file system on the logical drives found on the machine (via GetLogicalDriveStrings); this can be changed to encrypt only a custom path. The file types to encrypt can be changed to include or exclude any files found on the system (for this PoC I chose the ".doc", ".docx" and ".pdf" formats).
For decryption, the agent sends the unique id it saved earlier to the C2 server. The server looks it up in its DB and, if found, sends back the corresponding AES key, and the agent decrypts the same drive paths it encrypted earlier.
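From the defender's side, the behaviour described above has a clear signature: one process rewrites every .doc, .docx and .pdf on every logical drive in a single sweep, so a file-activity feed shows that process touching many target documents across several drives within a short window. The detector below is an added example, not code from the original project; the event tuples, process names and thresholds are constructed.

```python
"""Behavioural detector for the mass-document-rewrite pattern.

Constructed example. Input is a list of file-write events (unix seconds,
process name, path written); a process is flagged when it writes at least
MIN_FILES documents with a targeted extension within WINDOW_SECONDS.
"""
import ntpath
from collections import defaultdict

TARGET_EXTS = {".doc", ".docx", ".pdf"}  # extensions the PoC chooses to encrypt
WINDOW_SECONDS = 60                      # burst window (assumed tuning value)
MIN_FILES = 5                            # writes per window before alerting (assumed)

# Constructed sample telemetry: (unix_seconds, process_name, path_written)
SAMPLE_EVENTS = [
    (1000, "winword.exe", r"C:\Users\alice\Documents\report.docx"),
    (1001, "agent.exe",   r"C:\Users\alice\Documents\a.docx"),
    (1002, "agent.exe",   r"C:\Users\alice\Documents\b.pdf"),
    (1003, "agent.exe",   r"D:\share\c.doc"),
    (1004, "agent.exe",   r"D:\share\d.pdf"),
    (1005, "agent.exe",   r"C:\Users\alice\Desktop\e.docx"),
    (1006, "agent.exe",   r"C:\Users\alice\victim_id.txt"),  # id file, not a document
    (1500, "backup.exe",  r"E:\backup\f.pdf"),
]


def detect_mass_rewrite(events, window=WINDOW_SECONDS, min_files=MIN_FILES):
    """Return {process: {"files": n, "drives": [...]}} for every process that
    wrote >= min_files targeted documents within `window` seconds."""
    per_proc = defaultdict(list)  # process -> [(ts, drive letter), ...]
    for ts, proc, path in sorted(events):
        if ntpath.splitext(path)[1].lower() in TARGET_EXTS:
            per_proc[proc].append((ts, ntpath.splitdrive(path)[0].upper()))

    alerts = {}
    for proc, hits in per_proc.items():
        start = 0  # sliding window over the process's timestamps
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= min_files:
                drives = sorted({drive for _, drive in hits[start:end + 1]})
                alerts[proc] = {"files": end - start + 1, "drives": drives}
                break
    return alerts


if __name__ == "__main__":
    print(detect_mass_rewrite(SAMPLE_EVENTS))
```

In a real deployment the same check runs over Sysmon or EDR file-write events, and the multi-drive spread is the part that separates the PoC's sweep from a user editing documents in one folder.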
The code for this project can be found here.
*Please use this code only for educational and good purposes; I will not be held accountable for any misuse of this project.
**Also, run this code only in safe environments (preferably on a VM with a snapshot you can revert to).