Not a member yet? Why not Sign up today
Create an account  

[Ransomware ] Windows Crypto Ransomware OpenSource - Go Programming


is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.

[Image: sQ6nNj3.jpg]

This project aims to build an almost functional crypto-ransomware for educational purposes, written in Go. Basically, it will encrypt your files in background using AES-256-CTR, a strong encryption algorithm, using RSA-2048 to secure the key exchange with server. It is composed of two main parts, the server and the malware itself. The server is responsible for store the Id and the respective encryption key, received from the malware binary during execution. The malware encrypt with your RSA-2048 public key a payload containing the id/enckey generated on runtime, sending then to the server, where it is properly decrypted with the respective RSA private key, and then persisted for future usage.

Project tasks
  •     Run in Background (or not)
  •     Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file
  •     Without virus signature (at the moment)
  •     Use RSA-2048 to secure the comunication with server
  •     Stream encryption to avoid load an entire file into memory
  •     Link the tor library statically (It's already working on linux, any help with the cross compilation to windows will be appreciated) see feature/tor-link
  •     Docker image for the server and compilation


You need Go at least 1.7

go get -v
go get -v
cd $GOPATH/src/


Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files,
so, let’s leave make do your job

If you like build the server for windows from a unix machine, run

env GOOS=windows make

The malware will run in background. You can see what is going on by simply remove the

-ldflags="-H windowsgui"

from the ransomware section on Makefile before build
By default, the server will listen on


The client will use this host as the default url too.
You can put the server on any domain and start it. Simply overwrite the


constant on


before build and the malware will try to connect with this url instead



Feel free to run the commands specified on Makefile manually. A few things to known:

  •     RSA Keys protected with password is not supported
  •     The .syso file generated by rsrc must be in the same directory as ransomware.go during go build
  •     the keys must be filled correctly inside the []byte conversion, private on server and public on ransonware.go
After build, a binary called ransomware.exe, server/server.exe and unlocker.exe will be generated on the bin folder. The execution of ransomware.exe and unlocker.exe (even if it is compiled for linux/darwin) is locked to windows machines only.

Usage and How it Works

Feel free to edit the parameters across the files for testing. Put the binaries on a correct windows test environment, start the server by double click or run then on the terminal. It will wait for the malware contact and persist the id/encryption keys

When double click on ransomware.exe binary it will run on background, walking interesting directories and encrypting all files that match the interesting file extensions using AES-256-CTR and a random IV, recreating then with encrypted content and a custom extension(.encrypted by default) and create a READ_TO_DECRYPT.html file on desktop

In theory, for decrypt your files you need send an amount of BTC to the attacker's wallet, followed by a contact sending your ID(located on the file created on desktop). If your payment was confirmed, the attacker possibly will return your encryption key and the unlocker.exe and you can use then to recover your files. This exchange can be accomplished in several ways.

Let's suppose you get your encryption key back, you can retrieve it pointing to the following url:

Quote:curl http://localhost:8080/api/keys/:id

Where :id is your identification stored on the file on desktop. After, run the unlocker.exe by double click and follow the instructions.

And that's it, got your files back Big Grin

Server endpoints

The server has only two endpoints:-

Quote:POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA autenticity. Returns 204 (empty content) in case of success or a json error.

Quote:GET api/keys/:id - Id is a 32 characters parameter, representing an Id already persisted. Returns a json containing the encryption key or a json error
The end

More Info

Thanks bro

Thanks you so much !

Very Interesting..!! Got a new ideas from this Big Grin

(10-09-2016, 07:23 AM)inmygreed Wrote: Very Interesting..!! Got a new ideas from this Big Grin

Good... if you like share your idea's here...
you have programming skills ?
did you tried this ransomware ?

infected by ransomware few month ago with .vvv extension and after one month finally recover all files...but last month i lost many files with ransomware version i don't remember but .mp3 extension ...and don't find any solution yet Big Grin :-p

(10-22-2016, 11:44 AM)zainaz Wrote: infected by ransomware few month ago with .vvv extension and after one month finally recover all files...but last month i lost many files with ransomware version i don't remember but .mp3 extension ...and don't find any solution yet Big Grin :-p

its almost impossible to recover the files which are infected by ransomware, if the key is generated on run time, then its impossible to recover files.
but if the key is hard coded into the ransomware, then there are chances to recover it.

i recommend you to not download or open any untrusted files.

ya the last one is come from email

nice one there.........

Forum Jump:

Users browsing this thread: