Cypher – Pythonic ransomware proof of concept

Security awareness is among the important methods for improving the security culture in any organization. Training your staff about the tools used by attackers will help improve how users act when faced with malware or attacks.

If you want to test and provide training around ransomware, you can use Cypher. This is a proof-of-concept ransomware which uses the PyCrypto module and uses Gmail as a simple command and control server.

Cypher operates by generating a unique client ID for each box that has been infected. The client ID and encryption key are sent via email to a Gmail address by leveraging Python's SMTP lib. The new version of Cypher will give the operator the choice between Gmail and the C&C infrastructure that comes with the finished project, namely a web application to generate and store key pairs together with client IDs. If the operator chooses to employ the Cypher web app, the ransomware will contact it via HTTP by leveraging the Mechanize lib.

After Cypher has enumerated the files we wish to encrypt, the multiprocessing and PyCrypto libs are employed to do the actual encrypting. Finally, Cypher writes out a README note and the client ID, which would have to be relayed to the operator in order to retrieve the proper decrypting binary and key respectively.

The latest version of the encryption module adds bootlocker functionality by attempting to overwrite the MBR with a custom bootloader.
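For the defender's side of a training exercise, the MBR overwrite described above can be caught by comparing sector 0 against a known-good baseline. The following is an added example, not part of Cypher or the original post; the sample sectors are constructed, and the function names are illustrative.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # bytes 0-445: bootstrap code area
SIGNATURE = b"\x55\xaa"    # bytes 510-511: boot signature


def mbr_fingerprint(sector: bytes) -> dict:
    """Hash boot code and partition table separately so a finding says what changed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[BOOT_CODE_END:510]).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_mbr(baseline: dict, current: bytes) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    now = mbr_fingerprint(current)
    findings = []
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if now["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table changed")
    if not now["signature_ok"]:
        findings.append("boot signature missing")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device (requires read privileges)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def _sample(boot_fill: int, table_fill: int = 0x11) -> bytes:
    # Constructed 512-byte sector: filler boot code, filler table, valid signature.
    return bytes([boot_fill]) * 446 + bytes([table_fill]) * 64 + SIGNATURE


KNOWN_GOOD = _sample(0x90)        # constructed baseline sector
REPLACED_LOADER = _sample(0xEB)   # constructed: only the boot code differs
WIPED = bytes(SECTOR_SIZE)        # constructed: sector zeroed out

if __name__ == "__main__":
    baseline = mbr_fingerprint(KNOWN_GOOD)
    for name, sector in [("good", KNOWN_GOOD), ("replaced", REPLACED_LOADER), ("wiped", WIPED)]:
        print(name, compare_mbr(baseline, sector) or "matches baseline")
```

A partition table change on its own can be legitimate (repartitioning), whereas a boot code change outside of an OS install or bootloader update deserves investigation.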

You can download the latest version over here:
