
Simple Python Ransomware is a simple implementation of a ransomware in Python.


WARNING: This program can damage your files! My recommendation is to read the guides and only run it on a virtual machine at your own risk. I cannot be held responsible for any file damage due to running this program on any machine.

Simple Python Ransomware


According to McAfee:

Ransomware is malware that employs encryption to hold a victim's information at ransom.

Simple Python Ransomware is a simple tool built in Python that does exactly that, in under 100 lines of code. This highlights both the power of Python and the ease of building such a virus.

Prerequisites

Simple Python Ransomware is built in under 100 lines of code, mostly thanks to the packages Cryptography (pip install cryptography) and python-dotenv, together with standard-library modules (argparse, getpass, os, pathlib, smtplib, platform, email).

Before you begin, ensure you have met the following requirements:

Installing Simple Python Ransomware

To install Simple Python Ransomware, follow these steps:

git clone git@github.com:mihneamanolache/Simple-Python-Ransomware.git && cd Simple-Python-Ransomware
pip3 install -r requirements.txt

Using Simple Python Ransomware

Simple Python Ransomware is used both to encrypt and to decrypt files. Before running the script, head over to the .env file and update the following lines using your own information:

gmail_account='<YOUR_GMAIL_ADDRESS>'
gmail_password='<YOUR_GMAIL_PASSWORD>'

Encryption Mode

After saving the file, you can run the script in the encryption mode by typing:

python3 ransomware.py [--directory <DIRECTORY_NAME>] [--backup]

Where:

  • --directory or -d takes a string parameter, the location / folder you are targeting (e.g. Desktop, Downloads). If left blank, Simple Python Ransomware will automatically target the Desktop. For specific subdirectories, specify the main directory first (e.g. python3 ransomware.py -d Downloads/Subdirectory).

  • --backup or -b doesn't take any parameter and is used to bypass the deletion of the cryptographic key from the system. If used, the key will be stored in the same directory as ransomware.py.

ATTENTION! The program will encrypt ALL files in the targeted directory and its subdirectories. The encryption key is set to be deleted after the script completes! This can lead to possible file damage or loss. USE AT YOUR OWN RISK!

If successful, the script will:

  • Encrypt all the files
  • Send an email with the cryptographic key to your Gmail account

Decryption Mode

In order to decrypt the files encrypted before, all you need to do is to pass the cryptographic key as a string to the program, as follows:

python3 ransomware.py --key <YOUR_CRYPTOGRAPHIC_KEY>

You can retrieve the cryptographic key either from the email sent before, or from the cryptographic_key.key file, if you used the --backup argument.

ATTENTION! The directory must also be specified with the -d argument if it was used during encryption to target a directory other than Desktop.
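Before handing a recovered key to the decryptor, an incident responder working through a run of this tool in a lab usually wants to scope what was actually touched and when. The README never names the cipher, but the key shown in the Screenshots section has the shape of a cryptography Fernet key, so the following added example (not part of the project's code) assumes the tool writes Fernet tokens. It uses only the standard library to walk a directory tree, flag files whose contents have the Fernet token layout (version byte 0x80, 8-byte timestamp, 16-byte IV, 16-byte-aligned ciphertext, 32-byte HMAC) and read the timestamp each token embeds, which gives both the blast radius and the time window for the incident timeline. The sample directory it builds is constructed test data: the tokens are shaped correctly but nothing in them is actually encrypted.

```python
"""Triage helper for an incident-response lab: find files whose contents look
like cryptography Fernet tokens and recover the timestamp each token embeds.

Added example, not part of the Simple Python Ransomware project. It assumes
the tool writes Fernet tokens (an assumption drawn from the key format in the
README) and needs only the standard library.
"""
import base64
import binascii
import re
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Fernet token layout (0x80 is the only version the spec defines):
#   1 byte version | 8 byte big-endian timestamp | 16 byte IV
#   | AES-CBC ciphertext (multiple of 16 bytes) | 32 byte HMAC-SHA256
VERSION_BYTE = 0x80
FIXED_OVERHEAD = 1 + 8 + 16 + 32
B64_URLSAFE = re.compile(rb"^[A-Za-z0-9_-]+={0,2}$")
TS_MIN, TS_MAX = 946684800, 4102444800  # 2000-01-01 .. 2100-01-01 UTC


def parse_fernet_token(data: bytes) -> Optional[Dict[str, int]]:
    """Return {'timestamp', 'ciphertext_len'} if `data` has the shape of a
    Fernet token, else None. Shape only: the HMAC cannot be verified without
    the key, so this is a triage signal, not proof that the file was encrypted."""
    data = data.strip()
    if not B64_URLSAFE.match(data):
        return None
    try:
        raw = base64.urlsafe_b64decode(data)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < FIXED_OVERHEAD + 16 or raw[0] != VERSION_BYTE:
        return None
    ciphertext_len = len(raw) - FIXED_OVERHEAD
    if ciphertext_len % 16:
        return None
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    if not TS_MIN <= timestamp <= TS_MAX:  # filler bytes rarely land in this window
        return None
    return {"timestamp": timestamp, "ciphertext_len": ciphertext_len}


def triage_directory(root: str) -> List[Tuple[str, str]]:
    """Walk `root` recursively and return (relative path, ISO-8601 UTC time)
    for every token-shaped file, sorted by path."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            info = parse_fernet_token(path.read_bytes())
        except OSError:
            continue  # unreadable file: note it elsewhere, keep walking
        if info:
            when = datetime.fromtimestamp(info["timestamp"], timezone.utc).isoformat()
            hits.append((str(path.relative_to(root)), when))
    return hits


def fake_token(timestamp: int, ciphertext_len: int = 32) -> bytes:
    """Build a token-SHAPED blob for the demo. Constructed test data: the IV,
    ciphertext and HMAC fields are filler bytes, nothing is encrypted."""
    raw = (bytes([VERSION_BYTE]) + struct.pack(">Q", timestamp)
           + b"\x11" * 16 + b"\x22" * ciphertext_len + b"\x33" * 32)
    return base64.urlsafe_b64encode(raw)


def build_demo_dir() -> str:
    """Create a temporary tree mixing token-shaped files with untouched ones."""
    root = tempfile.mkdtemp(prefix="fernet_triage_")
    sub = Path(root, "Subdirectory")
    sub.mkdir()
    Path(root, "report.pdf").write_bytes(fake_token(1700000000))
    Path(sub, "notes.txt").write_bytes(fake_token(1700000042, 48))
    Path(sub, "README.md").write_bytes(b"# untouched plain text file\n")
    Path(root, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for rel, when in triage_directory(build_demo_dir()):
        print(f"{when}  {rel}")
```

Run as a script it prints one line per token-shaped file with the embedded time. Because only the token layout is checked, a file that happens to be url-safe base64 starting with 0x80 and a plausible timestamp would also be flagged; in practice that is rare, and the timestamp clustering (all hits within a few seconds) is the signal that distinguishes one encryption run from noise.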

[========]

IMPORTANT: This tool is only for testing and academic purposes and can be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and am not responsible for any misuse or damage caused by this tool and software in general.

[========]

Screenshots

The 'Downloads' folder before the encryption: [Screenshot: before_encryption]

Running encryption on Downloads:
python3 ransomware.py -d Downloads  

Email received by attacker: [Screenshot: email_received]

Files encrypted on all levels under 'Downloads': [Screenshot: after_encryption]

Running decryption on Downloads:
python3 ransomware.py --key 70ZAg0MsYFtoXckQa-T1mydyZja3zdKJaOj8pZr8ypE= -d Downloads

[ ! ] Note that the key is the same one received in the email. In a real-world scenario, the attacker would have to deliver the key to the victim in order to decrypt the files.

Files decrypted on all levels under 'Downloads': [Screenshot: before_encryption]