mauri870 / ransomware

A POC Windows crypto-ransomware (Academic). Now Ransom:Win32/MauriCrypt.MK!MTB
857 stars 413 forks

Custom Paths and Extensions #8

Closed justuandme closed 7 years ago

justuandme commented 7 years ago

Where can I define custom extensions and custom paths? I have tried this in a Win 7 VM. It encrypts some CSV files on C: and pictures on the C: drive, but it didn't create any HTML file on the desktop.

mauri870 commented 7 years ago

You can enable the console mode to see the log information. For that, remove the -H windowsgui from the go build command in the Makefile before building.

Note: Update the project with go get -u github.com/mauri870/ransomware at least once a day

Custom paths and extensions can be specified in this file.

It can take a while depending on the amount of files that you have, because there are only 2 workers encrypting files in parallel by default.

Please update the project, and if it doesn't work again, enable the log and post it here.

Thanks for your report, cheers

justuandme commented 7 years ago

I just downloaded this today. Let me configure and run another test from scratch. I will post details here soon.

PS: how to make the ransomware.exe work on 32-bit Windows?

justuandme commented 7 years ago

How to make the ransomware.exe work on 32-bit Windows? It's showing an error when running on an x86 32-bit Win7 VM.

mauri870 commented 7 years ago

Oh, good question. I've missed that.

I will open a PR to compile for x86 by default. For now you can use env GOOS=windows GOARCH=386 make

justuandme commented 7 years ago

OK, now the files are encrypted on Windows, and on the server side it sends these keys, in the database.db file.

*3
$3
set
$32
98384e2dd004a01801ccec1fd11f2f11
$32
338acca6e104d8b52ac5886d34271c67

On the desktop HTML:

YOUR IDENTIFICATION IS
98384e2dd004a01801ccec1fd11f2f11

On the server-side logs:

[negroni] Started POST /api/keys/add
[negroni] Completed 204 No Content in 14.478254ms

Now, which key is used to unlock the files after running the unlocker?

justuandme commented 7 years ago

Alright, I used this key to decrypt it: 338acca6e104d8b52ac5886d34271c67 and it works; contents are decrypted now. Nice program, but one question: what are these numbers?

*3
$3
set
$32

mauri870 commented 7 years ago

You can get your encryption key by pointing to http://server-address/api/keys/:id, where :id is your identification key stored in the file on the desktop.

I use buntdb to store the keys, so these numbers must refer to db indexes, I guess.
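Added example, not part of the issue thread or of the project's code: buntdb persists to an append-only file in the Redis RESP encoding, which is exactly what the reporter pasted, so "*3" opens a three-element array, "$3" announces a 3-byte bulk string ("set"), and each "$32" announces a 32-byte bulk string (the identification and then the encryption key). From an incident-response angle, a recovered database.db is therefore a replayable log, and the Go program below reconstructs the identification-to-key map from it. The sample file is constructed here; its first record reproduces the pair from the thread, and the second pair plus the "del" record are made up to exercise the parser. Truncated input is reported as an error rather than silently treated as end of file.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// sampleAOF is a constructed append-only file in RESP encoding: "*N" opens an
// array of N bulk strings, "$L" gives the byte length of the bulk string that
// follows, and every token ends in CRLF. Record 1 reproduces the pair pasted in
// the issue; the second pair and the "del" record are made up.
const sampleAOF = "*3\r\n$3\r\nset\r\n$32\r\n98384e2dd004a01801ccec1fd11f2f11\r\n$32\r\n338acca6e104d8b52ac5886d34271c67\r\n" +
	"*3\r\n$3\r\nset\r\n$32\r\n0123456789abcdef0123456789abcdef\r\n$32\r\nfedcba9876543210fedcba9876543210\r\n" +
	"*2\r\n$3\r\ndel\r\n$32\r\n0123456789abcdef0123456789abcdef\r\n"

// readLine returns one CRLF-terminated line without its terminator. A clean
// end of input is io.EOF; an EOF after partial data is io.ErrUnexpectedEOF.
func readLine(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		if errors.Is(err, io.EOF) && line == "" {
			return "", io.EOF
		}
		if errors.Is(err, io.EOF) {
			return "", io.ErrUnexpectedEOF
		}
		return "", err
	}
	return strings.TrimRight(line, "\r\n"), nil
}

// readCommand decodes one RESP array ("*N" followed by N bulk strings) into its
// string arguments, e.g. ["set", "<identification>", "<encryption key>"].
func readCommand(r *bufio.Reader) ([]string, error) {
	hdr, err := readLine(r)
	if err != nil {
		return nil, err // io.EOF here means the file ended between records
	}
	if !strings.HasPrefix(hdr, "*") {
		return nil, fmt.Errorf("expected array header, got %q", hdr)
	}
	n, err := strconv.Atoi(hdr[1:])
	if err != nil || n < 0 {
		return nil, fmt.Errorf("bad array length %q", hdr)
	}
	args := make([]string, 0, n)
	for i := 0; i < n; i++ {
		bh, err := readLine(r)
		if err != nil {
			if errors.Is(err, io.EOF) {
				err = io.ErrUnexpectedEOF // EOF inside a record is truncation
			}
			return nil, err
		}
		if !strings.HasPrefix(bh, "$") {
			return nil, fmt.Errorf("expected bulk string header, got %q", bh)
		}
		size, err := strconv.Atoi(bh[1:])
		if err != nil || size < 0 {
			return nil, fmt.Errorf("bad bulk string length %q", bh)
		}
		buf := make([]byte, size+2) // payload plus its trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			if errors.Is(err, io.EOF) {
				err = io.ErrUnexpectedEOF
			}
			return nil, err
		}
		if !bytes.HasSuffix(buf, []byte("\r\n")) {
			return nil, fmt.Errorf("bulk string of length %d not terminated by CRLF", size)
		}
		args = append(args, string(buf[:size]))
	}
	return args, nil
}

// ReplayAOF replays every record and returns the final identification ->
// encryption-key mapping, honouring later "del" and "flushdb" records the
// way the database itself would when loading the file.
func ReplayAOF(data []byte) (map[string]string, error) {
	r := bufio.NewReader(bytes.NewReader(data))
	keys := make(map[string]string)
	for {
		args, err := readCommand(r)
		if errors.Is(err, io.EOF) {
			return keys, nil
		}
		if err != nil {
			return nil, err
		}
		if len(args) == 0 {
			continue
		}
		switch strings.ToLower(args[0]) {
		case "set":
			if len(args) < 3 {
				return nil, fmt.Errorf("set record with only %d arguments", len(args))
			}
			keys[args[1]] = args[2] // any trailing arguments (e.g. a TTL) are ignored
		case "del":
			for _, k := range args[1:] {
				delete(keys, k)
			}
		case "flushdb":
			keys = make(map[string]string)
		}
	}
}

func main() {
	keys, err := ReplayAOF([]byte(sampleAOF))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for id, key := range keys {
		fmt.Printf("identification %s -> encryption key %s\n", id, key)
	}
}
```

Run it against a copied database.db by replacing sampleAOF with the file's bytes; the identification shown in the desktop HTML is the map key, and the value is what the unlocker needs, the same lookup the /api/keys/:id endpoint performs.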

justuandme commented 7 years ago

Alright, great! Thanks.