Skip to content
/ Povlsomware Public

Extensionless Ransomware written in C#. Fully compatible with Cobalt Strikes "Execute-Assembly". Does not spread laterally, and thus make for an excellent Ransomware Proof of Concept and/or for testing AV Vendors claim of "Ransomware Protection".

1 star 19 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

4n6strider/Povlsomware

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
Povlsomware
Povlsomware
 
 
img
img
 
 
.gitignore
.gitignore
 
 
Povlsomware.sln
Povlsomware.sln
 
 
README.md
README.md
 
 

Repository files navigation

Povlsomware

Povlsomware is a Ransomware Proof-of-Concept created as a "secure" way to test anti-virus vendors claims of "Ransomware Protection". Povlsomware does not destroy the system nor does it have any way of spreading to any network-connected computer and/or removable devices.

alt text

How does it work?

Povlsomware works as a single exectuable, that when executed will perform the following steps:

  1. Povlsomware will go through the file system looking for personal files with certain extensions (i.e. jpeg, png, docx, txt, xls etc.) (This can be changed in program.cs).
  2. Files matching the list of extensions will be encrypted using AES256 with the password "blahblah" (This can be changed in program.cs).
  3. It will delete every shadowcopy on the affected system, if Povlsomware has been executed with Administrative rights.
  4. An edit is made to the registry, telling the system to run Povlsomware.exe again on startup. (This does not work when running through cobalt-strikes execute-assembly
  5. A "ransom pop-up UI" is shown informing the user, how many files have been encrypted. The pop-up also contains a password-field, which allows for decrypting the files.

Extensionless Ransomware

Many ransomware programs will encrypt files and change the original file extension to something like .Krab, .ppam, .trumphead. etc. The reason why most ransomware programs changes file extensions is so that they know which files to decrypt (if necessary). Povlsomware differs from most ransomware by keeping the original file extension. The files will thus look the same, however none of them will work as intended.

For a comprehensive list of ransomware extensions, see Comodos "Ransomware Extension List": https://enterprise.comodo.com/ransomware-extension-list.php.

Cobaltstrike integration

Povlsomware.exe can be executed in memory using Cobaltstrikes "Execute-Assembly" command. The screenshot below is an example of this:

alt text

Povlsomware.exe is not uploaded on the victim-PC, but is executed directly in memory.

More than that, Povlsomware is programmed to communicate back to the Cobaltstrike Teamserver, which files have been encrypted in the process. If the decryption password is entered, Povlsomware will communicate the decrypted files.

alt text

New feature

The password is now stored in a char[] instead of a string. Alt+tab and the Windows keys are now disabled when launched.

About

Extensionless Ransomware written in C#. Fully compatible with Cobalt Strikes "Execute-Assembly". Does not spread laterally, and thus make for an excellent Ransomware Proof of Concept and/or for testing AV Vendors claim of "Ransomware Protection".

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

19 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages