{"id":13539815,"url":"https://github.com/mauri870/ransomware","last_synced_at":"2026-01-14T19:13:46.297Z","repository":{"id":40589406,"uuid":"66937515","full_name":"mauri870/ransomware","owner":"mauri870","description":"A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB","archived":true,"fork":false,"pushed_at":"2018-11-17T14:27:59.000Z","size":3231,"stargazers_count":900,"open_issues_count":23,"forks_count":412,"subscribers_count":63,"default_branch":"master","last_synced_at":"2025-04-02T06:36:12.434Z","etag":null,"topics":["academic","crypto-ransomware","malware","ransomware"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mauri870.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-08-30T12:13:23.000Z","updated_at":"2025-04-01T07:50:55.000Z","dependencies_parsed_at":"2022-07-14T04:10:40.490Z","dependency_job_id":null,"html_url":"https://github.com/mauri870/ransomware","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mauri870/ransomware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauri870%2Fransomware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauri870%2Fransomware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauri870%2Fransomware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauri870%2Fransomware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mauri870","download_url":"https://codeload.github.com/mauri870/ranso
mware/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauri870%2Fransomware/sbom","scorecard":{"id":628428,"data":{"date":"2025-08-11","repo":{"name":"github.com/mauri870/ransomware","commit":"2afb82dc489693e25aa98c8626b8c9665f9072f0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.2,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not 
pinned by hash: Dockerfile:1: pin your Docker image by updating golang:latest to golang:latest@sha256:9e56f0d0f043a68bb8c47c819e47dc29f6e8f5129b8885bed9d43f058f7f3ed6","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 4 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"21 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2020-0017 / GHSA-w73w-5m7g-f7qc","Warn: Project is vulnerable to: GO-2021-0078 / GHSA-5p4h-3377-7w67","Warn: Project is vulnerable to: GO-2022-0193 / GHSA-fcf9-6fv2-fc5v","Warn: Project is vulnerable to: GO-2022-0192 / GHSA-2wp2-chmh-r934","Warn: Project is vulnerable to: GO-2022-0197 / GHSA-4r78-hx75-jjj2 / 
GHSA-mv93-wvcp-7m7r","Warn: Project is vulnerable to: GO-2020-0014 / GHSA-vfw5-hrgq-h5wf","Warn: Project is vulnerable to: GO-2022-0536 / GHSA-39qc-96h7-956f / GHSA-hgr8-6h9x-f7q9","Warn: Project is vulnerable to: GO-2022-0236 / GHSA-h86h-8ppg-mxmh","Warn: Project is vulnerable to: GO-2021-0238 / GHSA-83g2-8m93-v3w7","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-21T07:10:54.664Z","repository_id":40589406,"created_at":"2025-08-21T07:10:54.664Z","updated_at":"2025-08-21T07:10:54.664Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28431821,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["academic","crypto-ransomware","malware","ransomware"],"created_at":"2024-08-01T09:01:32.288Z","updated_at":"2026-01-14T19:13:46.270Z","avatar_url":"https://github.com/mauri870.png","language":"Go","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003ePenetration\u0026\u0026offensive\u0026\u0026penetration frameworks\u0026\u0026post-exploitation frameworks","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003eTools"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026remote control\u0026\u0026RAT","\u003ca id=\"d08b7bd562a4bf18275c63ffe7d8fc91\"\u003e\u003c/a\u003eRansomware"],"readme":"# Ransomware\n\n[![Build Status](https://travis-ci.org/mauri870/ransomware.svg?branch=master)](https://travis-ci.org/mauri870/ransomware)\n\n\u003e Note 1: This project is purely academic; use at your own risk. I do not encourage in any way the use of this software illegally or to attack targets without their prior authorization.\n\n\u003e Note 2: Unfortunately, some antiviruses (including Windows Defender) now detect the unlocker as a virus. 
Disable any antivirus to play with the project.\n\n**Remember, security is always a double-edged sword**\n\nDemo video (old version, without Tor support):\n\n[![DEMO](https://img.youtube.com/vi/qyyV1dgRgiY/0.jpg)](https://youtu.be/qyyV1dgRgiY)\n\n### What is Ransomware?\n\nRansomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.\n\n### Project Summary\n\nThis project was developed for the Computer Security course of my academic degree. Basically, it encrypts your files in the background using AES-256-CTR, a strong encryption algorithm, and uses RSA-4096 to secure the key exchange with the server, optionally through the Tor SOCKS5 proxy. The base functionality is what you see in the famous ransomware CryptoLocker.\n\nThe project is composed of three parts: the server, the malware and the unlocker.\n\nThe server stores the victim's identification key along with the encryption key used by the malware.\n\nThe malware encrypts any payload with an RSA-4096 public key (RSA-OAEP-4096 + SHA-256) before sending it to the server. 
This approach, together with the optional Tor proxy and a `.onion` domain, allows you to hide your server almost completely.\n\n### Features\n\n- Runs in the background (or not).\n- Encrypts files using AES-256-CTR (counter mode) with a random IV for each file.\n- Multithreaded.\n- RSA-4096 to secure the client/server communication.\n- Includes an unlocker.\n- Optional Tor proxy support.\n- Uses AES-CTR as a stream cipher so an entire file never has to be loaded into memory.\n- Walks all drives by default.\n- Docker image for compilation.\n\n### Building the binaries\n\n\u003e DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!\n\nFirst of all, download the project outside your `$GOPATH`:\n\n```bash\ngit clone https://github.com/mauri870/ransomware\ncd ransomware\n```\n\n\u003e If you have Docker, skip to the next section.\n\nYou need at least Go 1.11.2 with `$GOPATH/bin` in your `$PATH` and `$GOROOT` pointing to your Go installation folder. For me:\n\n```bash\nexport GOPATH=~/gopath\nexport PATH=$PATH:$GOPATH/bin\nexport GOROOT=/usr/local/go\n```\n\nBuilding the project requires several steps (RSA key generation, building three binaries, embedding manifest files), so let `make` do the job:\n\n```bash\nmake deps\nmake\n```\n\nYou can build the server for Windows with `make -e GOOS=windows`.\n\n#### Docker\n\n```bash\n./build-docker.sh make\n```\n\n#### Config Parameters\n\nYou can change some of the configs at compile time. Instead of running only `make`, you can set the following variables:\n\n```bash\nHIDDEN='-H windowsgui' # optional. If present, the malware will run in the background\n\nUSE_TOR=true # optional. If present, the malware will download the Tor proxy and use it to contact the server\n\nSERVER_HOST=mydomain.com # the domain used to connect to your server. 
localhost, 0.0.0.0 and 127.0.0.1 work too if you run the server on the same machine as the malware\n\nSERVER_PORT=8080 # the server port; if using a domain you can set this to 80\n\nGOOS=linux # the target OS to compile the server for, e.g. darwin, linux, windows\n```\n\nExample:\n\n`make -e USE_TOR=true SERVER_HOST=mydomain.com SERVER_PORT=80 GOOS=darwin`\n\nThe `SERVER_` variables above only apply to the malware. The server has a `--port` flag that you can use to change the port it listens on.\n\n\u003e DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!\n\n## Step by Step Demo and How it Works\n\nFor this demo I'll use two machines: my personal Linux machine and a Windows 10 VM.\n\nFor the sake of simplicity, I have a folder mapped into the VM, so I can compile on Linux and copy the binaries to the VM.\n\nIn this demo we will use the [Ngrok](https://ngrok.com) tool, which lets us expose our server under a public domain, but you can use your own domain or IP address if you want. We are also going to enable the Tor transport, so `.onion` domains will work without problems.\n\nFirst of all, let's start our external domain:\n\n```bash\nngrok http 8080\n```\n\nThis command will give us a URL like `http://2af7161c.ngrok.io`. Keep this command running, otherwise the malware won't reach our server.\n\nLet's compile the binaries (remember to replace the domain):\n\n```bash\nmake -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true\n```\n\nThe `SERVER_PORT` needs to be `80` in this case, since ngrok redirects `2af7161c.ngrok.io:80` to your local server port `8080`.\n\nAfter the build, the binaries `ransomware.exe` and `unlocker.exe`, along with a folder called `server`, will be generated in the `bin` folder. 
The execution of `ransomware.exe` and `unlocker.exe` (even if you use a different GOOS variable during compilation) is locked to Windows machines only.\n\nEnter the server directory from another terminal and start it:\n\n```bash\ncd bin/server \u0026\u0026 ./server --port 8080\n```\n\nTo make sure that everything is working correctly, make an HTTP request to `http://2af7161c.ngrok.io`:\n\n```bash\ncurl http://2af7161c.ngrok.io\n```\n\nIf you see an `OK` and some logs in the server output, you are ready to go.\n\nNow move `ransomware.exe` and `unlocker.exe` to the VM along with some dummy files to test the malware. You can take a look at [cmd/common.go](https://github.com/mauri870/ransomware/blob/master/cmd/common.go) to see some configuration options, like the file extensions to match, directories to scan, skipped folders and the maximum size of a file to match, among others.\n\nThen simply run `ransomware.exe` and watch the magic happen :smile:.\n\nThe window that you see can be hidden using the `HIDDEN` option described in the compilation section.\n\nAfter downloading, extracting and starting the Tor proxy, the malware waits until Tor bootstrapping is done and then proceeds with the key exchange with the server. The client/server handshake takes place, and the client payload, encrypted with the RSA-4096 public key, must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Go embedded database called BoltDB (it also persists on disk). Once that is completed, we enter the find, match and encrypt phase: up to one worker per CPU core starts encrypting the files matched by the defined patterns. This process is really quick, and in seconds all of your files will be gone.\n\nThe encryption key exchanged with the server is the one used to encrypt all of your files. Each file gets its own random [IV](https://en.wikipedia.org/wiki/Initialization_vector), generated individually and saved as the first 16 bytes of the encrypted content. 
The algorithm used is AES-256-CTR, AES in a streaming (counter) mode of operation, so the file size is left intact.\n\nThe only two sources of information available about what just happened are the `READ_TO_DECRYPT.html` and `FILES_ENCRYPTED.html` files on the Desktop.\n\nIn theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID (located in the file created on the Desktop). If the attacker can confirm your payment, they will possibly (or maybe not) return your encryption key and the `unlocker.exe`, and you can use them to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.\n\nLet's suppose you get your encryption key back. To recover the correct key, query the following URL:\n\n```bash\ncurl -k http://2af7161c.ngrok.io/api/keys/:id\n```\n\nwhere `:id` is your identification stored in the file on the Desktop. Then run `unlocker.exe` by double-clicking it and follow the instructions.\n\nThat's it, you got your files back :smile:\n\nThe server has only two endpoints:\n\n`POST api/keys/add` - Used by the malware to persist new keys. Some checks are made, such as verifying that the RSA-encrypted payload decrypts correctly. Returns 204 (empty content) in case of success, or a JSON error.\n\n`GET api/keys/:id` - `id` is a 32-character parameter representing an ID already persisted. Returns a JSON document containing the encryption key, or a JSON error.\n\n## The end\n\nAs you can see, building functional ransomware with some of the best existing algorithms is not difficult; anyone with some programming skills can build one in any programming language.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmauri870%2Fransomware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmauri870%2Fransomware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmauri870%2Fransomware/lists"}
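The README embedded in the record above describes two cryptographic pieces: a per-victim AES-256 key wrapped to the server with RSA-OAEP over SHA-256, and per-file AES-256-CTR with a random IV stored as the first 16 bytes of each encrypted file. The Go program below is an added example written for this page, not the project's own code, that implements those two primitives exactly as the README states them and then shows the property the README leaves out: CTR mode gives confidentiality but no integrity, so anyone who can edit an encrypted file can flip chosen plaintext bytes and the unlocker will decrypt them without any error. The 2048-bit RSA size, the fixed demo key, the sample text and all function names are assumptions of this example; the project uses 4096-bit keys and a client-generated random key, which go through the same calls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// ivSize: the README stores each file's IV in the clear as its first 16 bytes.
const ivSize = aes.BlockSize

// rsaBits is an assumption so the demo runs quickly; the project uses 4096.
const rsaBits = 2048

// serverKeyPair stands in for the RSA key the project generates at build time.
func serverKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, rsaBits)
}

// wrapKey is the client half of the key exchange: RSA-OAEP/SHA-256 to the server.
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// unwrapKey is the server half; a payload not made under this key fails here.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// encryptStream writes a fresh random IV, then AES-256-CTR(src), without
// buffering the input; output is exactly ivSize bytes longer than the input.
func encryptStream(key []byte, src io.Reader, dst io.Writer) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	iv := make([]byte, ivSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return err
	}
	if _, err := dst.Write(iv); err != nil {
		return err
	}
	_, err = io.Copy(cipher.StreamWriter{S: cipher.NewCTR(block, iv), W: dst}, src)
	return err
}

// decryptStream is the unlocker's half: read the IV prefix, stream the rest.
// It fails on input shorter than the IV but cannot detect any other damage.
func decryptStream(key []byte, src io.Reader, dst io.Writer) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	iv := make([]byte, ivSize)
	if _, err := io.ReadFull(src, iv); err != nil {
		return err
	}
	_, err = io.Copy(dst, cipher.StreamReader{S: cipher.NewCTR(block, iv), R: src})
	return err
}

// tamper XORs one ciphertext byte past the IV. CTR carries no integrity check,
// so decryption succeeds and the same plaintext byte comes out flipped.
func tamper(ct []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), ct...)
	out[ivSize+offset] ^= mask
	return out
}

func main() {
	priv, err := serverKeyPair()
	if err != nil {
		panic(err)
	}
	key := bytes.Repeat([]byte{0x42}, 32) // fixed demo key; the client draws a random one
	wrapped, _ := wrapKey(&priv.PublicKey, key)
	serverKey, _ := unwrapKey(priv, wrapped)
	fmt.Println("server recovered the key:", bytes.Equal(key, serverKey))
	// Constructed sample document; any byte stream behaves the same way.
	plain := []byte("constructed sample document: invoice total 100.00 USD")
	var ct, pt, bad bytes.Buffer
	if err := encryptStream(key, bytes.NewReader(plain), &ct); err != nil {
		panic(err)
	}
	fmt.Println("ciphertext is plaintext + IV:", ct.Len() == len(plain)+ivSize)
	_ = decryptStream(serverKey, bytes.NewReader(ct.Bytes()), &pt)
	fmt.Println("round trip ok:", bytes.Equal(plain, pt.Bytes()))
	// Turn 100.00 into 900.00 without the key: '1' XOR '9' == 0x08.
	off := bytes.Index(plain, []byte("100.00"))
	_ = decryptStream(serverKey, bytes.NewReader(tamper(ct.Bytes(), off, '1'^'9')), &bad)
	fmt.Printf("tampered file decrypts to: %q\n", bad.String())
}
```

Run it with `go run .` and the last line shows the invoice total silently changed to 900.00. The same limitation applies to the project's unlocker: with a bare CTR stream it cannot tell a correctly restored file from one damaged in transit, on disk or by an attacker, which is why designs that need integrity use an AEAD such as AES-GCM or add a MAC over the IV and ciphertext.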