Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/m3str3/ransomware
A realistic ransomware simulation built with Rust and Reactβcovering malware creation, data exfiltration, and a reactive blog. For educational purposes only
https://github.com/m3str3/ransomware
malware ransomware rust
Last synced: 3 days ago
JSON representation
A realistic ransomware simulation built with Rust and Reactβcovering malware creation, data exfiltration, and a reactive blog. For educational purposes only
- Host: GitHub
- URL: https://github.com/m3str3/ransomware
- Owner: M3str3
- Created: 2025-02-17T17:17:33.000Z (3 days ago)
- Default Branch: main
- Last Pushed: 2025-02-17T17:18:52.000Z (3 days ago)
- Last Synced: 2025-02-17T17:40:58.094Z (3 days ago)
- Topics: malware, ransomware, rust
- Language: Rust
- Homepage:
- Size: 0 Bytes
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Ransomware
## π Overview
This project simulates a ransomware operation, covering infection, encryption, exfiltration, and centralized control. It includes multiple components:
* **RustLock (Rust ransomware)**: The main ransomware payload, responsible for encrypting user data and exfiltrating it to the relay server over FTP.
* **Server/ClearService (C2 #1 - Relay Server)**: The first-hop server that temporarily stores the encrypted files in waiting to be downloaded for C2#2. The idea behind having a relay server is to be able to exfiltrate data over the clearnet (faster than TOR). It also allows to have a custom configuration like 0 logs or wipe systems in case of logins.
* **Server/HiddenService (C2 #2 - Central Server)**: The main TOR server scans multiple relay servers waiting for a new record, then downloads the data. It also serves a ransomware website via TOR.
```
ransomware/
βββ README.md <--------------------- You are here :)!
β
βββ RustLock/ $ Ransomware Locker & Unlocker (Rust)
β β # ====================================
β βββ build.rs - Build script
β βββ compile.py - Compile script (recommended)
β βββ .gitignore
β βββ keys/ - RSA Keys for locker and unlocker
β βββ src/
β β βββ antireversing.rs - Anti-debugging & obfuscation techniques
β β βββ config.rs - Configurations
β β βββ lib.rs - Shared library
β β βββ locker.rs - Locker entry point
β β βββ unlocker.rs - Unlocker entry point
β β βββ cypher/ - Encryption components for locker
β β βββ decypher/ - Decryption components for unlocker
β βββ README.md - Documentation for RustLock module
β
βββ server/ Command & Control (C2) Servers
β
βββ ClearService/ $ Public C2 (C2 #1) - Relay server
β β # ====================================
β βββ Dockerfile - Docker for quick deployment
β βββ api.py - API to serve encrypted data to C2#2
β βββ install.sh - Installation script
β βββ README.md - Documentation for ClearService
β
βββ HiddenService/ # Hidden C2 (C2 #2) - Central server
β # ====================================
βββ install.sh - Installation script
βββ backend/ - Backend (Flask/Django API for ransom blog)
β βββ api.py - API that manages ransom operations
β βββ README.md - Backend documentation
β
βββ conf/ - Configuration files
β βββ key.bin - Private key for .onion service
β βββ torrc - Tor service configuration (if applicable)
β βββ etc... - Other configuration files
β
βββ frontend/ - Ransom blog (React app)
β βββ src/ - React source code
β βββ public/ - Static assets
β βββ package.json - Dependencies
β βββ README.md - Frontend documentation
β
βββ README.md - General documentation for HiddenService
```
# Exfiltration architecture
The ransomware follows this multi-stage attack pattern:
```mermaid
graph TD;
A[Infected User]
R[locker.exe]
subgraph Victim
A --> R
end
subgraph C2#1 - Relay Infrastructure
B[C2#1 - Relay Server]
end
subgraph C2#2 - Central Infrastructure
C[C2#2 - Central Server]
D[C2#2 - Web Interface ransom blog]
end
R -->|"Exfiltrates Encrypted Data over FTP"| B
B <-->|"Retrieves Data with API KEY"| C;
C -->|"Feeds"| D;
```
## πΉ Step-by-step Execution Flow:
### 1. Infection (RustLocker)
* locker.exe is executed on the victimβs machine.
* It scans the filesystem and encrypts all relevant files using AES key that has been generated on execution time.
* It encrypts the Key with a public RSA then encode it in base64.
* It send the encrypted data and key to C2#1 over FTP
### 2. Exfiltration (C2#1)
* The victim encrypted data is sent to C2#1 (Relay Server) over FTP.
* C2#1 generates a unique entry for the data
* This server has 0 log policy (not really implemented on the example)
* Implements a password to download the encrypted data about the victims
### 3. Ransom Blog Updates (C2#2)
* Periodically, the backend services ask for all the C2#1 (can be multiple) for encrypted data and keys.
* The victimβs data appears on the ransom blog (hosted by C2#2).
* This server now has the key (AES+RSA) encode in base64 that can use for unencrypt the data
# π Encryption Details
## The key cycle looks like
```mermaid
sequenceDiagram
participant Ransomware as Ransomware (Infected Machine)
participant AES as AES-256 Key (Generated)
participant RSA as RSA-4096 Public Key (Embedded)
participant C2
Ransomware->>AES: Generate AES key in memory
Ransomware->>Ransomware: Encrypt files with AES key
Ransomware->>RSA: Encrypt AES key using RSA public key
Ransomware->>C2: Upload encrypted AES key & file metadata
```
* **AES** the key is generated on execution. As its faster than RSA, it is used for encryption.
* **RSA** after encryption, AES key is encrypted with public RSA, so only the person who has the private key can recover the original key.
# π‘οΈ Anti-Analysis & Evasion Techniques
To resist forensic analysis, RustLock implements basic methods like:
* **Environment Checks**: Detects sandboxes, virtual machines, and debuggers.