Project

Ransomware

Overview

Ransomware is a type of malicious software that locks up your computer and demands payment, usually in cryptocurrency. There are typically clear instructions on how to make the payment, and the idea is that the attackers send you the key after you pay. It is in their best interest to actually send the key; otherwise word gets around that paying achieves nothing and they can't keep running the same scheme. In 2022 there was over 20 billion dollars' worth of ransomware attacks. Normally there are two main components: the delivery mechanism, and the encryption component, which recursively crawls the file system and encrypts each file individually. For this particular example we will focus on the actual ransomware rather than the delivery mechanism.


The first step is to download Visual Studio Community (free) and install the .NET development tools. This absolutely needs to be done in a virtual machine; for this I downloaded Oracle VM VirtualBox and used a Windows 10 ISO.

There are two parts to the ransomware. The first part is called the Encryptor which is used to lock up files. The Decryptor is used to unlock the files after payment has been received.

When installing Windows, choose Custom Install > Unallocated Drive Space 0, and turn off all the custom experiences. From my GitHub you can download the code for the Encryptor. Put the file in a folder other than the Desktop, since we will be encrypting the Desktop; I named that folder "Safe_Folder" on the local C drive. Also, be sure to insert Guest Additions when making your VM.

Also, since I'm making another new VM for this, you need to download Visual Studio Code.


Go into WindowsFormsApp1 in Encryptor and right-click Encryptor.resx. Open Properties, check Unblock, then click Apply and OK. Once that is unblocked, open the Encryptor solution.

Open the Encryptor POC and double-click Encryptor.cs.

Once you double-click it, you see what the user would see once it runs.

In order to look at the code, go to View > Code (F7).

This is the only code that needs to be looked at to customize it for your own needs.


DELETE ALL ORIGINALS set to TRUE means that once the files are encrypted, the original ones are deleted. The next three variables specify where you want to encrypt the files. ENCRYPTED FILE EXTENSION is appended to each file name to show that it is encrypted. The Encryptor and Decryptor use symmetric encryption, so the same password locks and unlocks the files. The next variable is the bitcoin address for the ransom. The email address is where the victim would send the transaction ID to the criminal.


In order to recover the files, go back to the Safe Folder and open the Decryptor POC.

These variables are the ones we care about. You specify whether you want to delete the encrypted file once the decryption process is done, where you want to run the decryption from, the file extension to look for, and the actual password. The password must match the one used for encryption.


The code steps through the tree and decrypts everything, and the files are now recovered.
