{"id":25449755,"url":"https://github.com/m3str3/ransomware","last_synced_at":"2025-05-16T09:07:58.063Z","repository":{"id":278041449,"uuid":"934347568","full_name":"M3str3/Ransomware","owner":"M3str3","description":"A realistic ransomware simulation built with Rust and React—covering malware creation, data exfiltration, and a reactive blog. For educational purposes only","archived":false,"fork":false,"pushed_at":"2025-03-02T12:44:31.000Z","size":292,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-16T09:07:22.130Z","etag":null,"topics":["malware","ransomware","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/M3str3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-17T17:17:33.000Z","updated_at":"2025-03-17T08:17:18.000Z","dependencies_parsed_at":"2025-02-17T17:41:07.102Z","dependency_job_id":"20c14cb7-1251-4b7e-8204-5f38e6c7c3e9","html_url":"https://github.com/M3str3/Ransomware","commit_stats":null,"previous_names":["m3str3/ransomware"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3str3%2FRansomware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3str3%2FRansomware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3str3%2FRansomware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3str3%2FRans
omware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/M3str3","download_url":"https://codeload.github.com/M3str3/Ransomware/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254501547,"owners_count":22081529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","ransomware","rust"],"created_at":"2025-02-17T21:18:06.774Z","updated_at":"2025-05-16T09:07:57.512Z","avatar_url":"https://github.com/M3str3.png","language":"Rust","readme":"# Ransomware \n\n## 📌 Overview\nThis project simulates a ransomware operation, covering infection, encryption, exfiltration, and centralized control. It includes multiple components:\n\n* **RustLock (Rust ransomware)**: The main ransomware payload, responsible for encrypting user data and exfiltrating it to the relay server over FTP.\n* **Server/ClearService (C2 #1 - Relay Server)**: The first-hop server that temporarily stores the encrypted files while they wait to be downloaded by C2#2. The idea behind having a relay server is to be able to exfiltrate data over the clearnet (faster than TOR). It also allows a custom configuration, such as keeping 0 logs or wiping the system in case of logins.\n* **Server/HiddenService (C2 #2 - Central Server)**: The main TOR server polls multiple relay servers for new records, then downloads the data. 
It also serves a ransomware website via TOR.\n\n```\nransomware/\n├── README.md \u003c--------------------- You are here :)!\n│\n├── RustLock/                       $ Ransomware Locker \u0026 Unlocker (Rust)\n│   │                               # ====================================\n│   ├── build.rs                     - Build script \n│   ├── compile.py                   - Compile script (recommended)\n│   ├── .gitignore\n│   ├── keys/                        - RSA Keys for locker and unlocker\n│   ├── src/\n│   │   ├── antireversing.rs         - Anti-debugging \u0026 obfuscation techniques\n│   │   ├── config.rs                - Configurations\n│   │   ├── lib.rs                   - Shared library\n│   │   ├── locker.rs                - Locker entry point\n│   │   ├── unlocker.rs              - Unlocker entry point\n│   │   ├── cypher/                  - Encryption components for locker\n│   │   └── decypher/                - Decryption components for unlocker\n│   └── README.md                    - Documentation for RustLock module\n│\n└── server/                        Command \u0026 Control (C2) Servers\n    │                               \n    ├── ClearService/              $ Public C2 (C2 #1) - Relay server\n    │   │                          # ====================================\n    │   ├── Dockerfile              - Docker for quick deployment\n    │   ├── api.py                  - API to serve encrypted data to C2#2\n    │   ├── install.sh              - Installation script\n    │   └── README.md               - Documentation for ClearService\n    │\n    └── HiddenService/             # Hidden C2 (C2 #2) - Central server\n        │                          # ====================================\n        ├── install.sh              - Installation script\n        ├── backend/                - Backend (Flask/Django API for ransom blog)\n        │   ├── api.py              - API that manages ransom operations\n        │   └── README.md           - Backend 
documentation\n        │\n        ├── conf/                   - Configuration files\n        │   ├── key.bin             - Private key for .onion service\n        │   ├── torrc               - Tor service configuration (if applicable)\n        │   └── etc...              - Other configuration files\n        │\n        ├── frontend/               - Ransom blog (React app)\n        │   ├── src/                - React source code\n        │   ├── public/             - Static assets\n        │   ├── package.json        - Dependencies\n        │   └── README.md           - Frontend documentation\n        │\n        └── README.md               - General documentation for HiddenService\n```\n\n\n# Exfiltration architecture\n\nThe ransomware follows this multi-stage attack pattern:\n\n```mermaid\ngraph TD;\n    A[Infected User] \n    R[locker.exe]\n\n    subgraph Victim\n         A --\u003e R \n    end\n\n    subgraph C2#1 - Relay Infrastructure\n        B[C2#1 - Relay Server]\n    end\n\n    subgraph C2#2 - Central Infrastructure\n        C[C2#2 - Central Server]\n        D[C2#2 - Web Interface ransom blog]\n    end\n    R --\u003e|\"Exfiltrates Encrypted Data over FTP\"| B\n    B \u003c--\u003e|\"Retrieves Data with API KEY\"| C;\n    C --\u003e|\"Feeds\"| D;\n\n```\n\n\n## 🔹 Step-by-step Execution Flow:\n\n### 1. Infection (RustLock)\n* locker.exe is executed on the victim’s machine.\n* It scans the filesystem and encrypts all relevant files using an AES key generated at execution time.\n* It encrypts the AES key with the public RSA key, then encodes it in base64.\n* It sends the encrypted data and key to C2#1 over FTP\n\n### 2. Exfiltration (C2#1)\n* The victim’s encrypted data is sent to C2#1 (Relay Server) over FTP.\n* C2#1 generates a unique entry for the data\n* This server has a 0-log policy (not actually implemented in the example)\n* A password is required to download the encrypted data about the victims\n\n### 3. Ransom Blog Updates (C2#2)\n* Periodically, the backend services query every C2#1 (there can be several) for encrypted data and keys.\n* The victim’s data appears on the ransom blog (hosted by C2#2).\n* This server now holds the base64-encoded key (AES key encrypted with RSA), which can be used to decrypt the data\n\n# 🔐 Encryption Details\n## The key cycle looks like\n```mermaid\nsequenceDiagram\n    participant Ransomware as Ransomware (Infected Machine)\n    participant AES as AES-256 Key (Generated)\n    participant RSA as RSA-4096 Public Key (Embedded)\n    participant C2\n\n    Ransomware-\u003e\u003eAES: Generate AES key in memory\n    Ransomware-\u003e\u003eRansomware: Encrypt files with AES key\n    Ransomware-\u003e\u003eRSA: Encrypt AES key using RSA public key\n    Ransomware-\u003e\u003eC2: Upload encrypted AES key \u0026 file metadata\n```\n* **AES**: the key is generated at execution time. Since AES is faster than RSA, it is used to encrypt the files.\n* **RSA**: after encryption, the AES key is encrypted with the public RSA key, so only the person who has the private key can recover the original key.\n\n# 🛡️ Anti-Analysis \u0026 Evasion Techniques\nTo resist forensic analysis, RustLock implements basic methods like:\n\n* **Environment Checks**: Detects sandboxes, virtual machines, and debuggers.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3str3%2Fransomware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm3str3%2Fransomware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3str3%2Fransomware/lists"}