Since the user will become suspicious and either restart their computer into safe mode and delete it, or do all they can to kill the process. It's obvious.
I'm writing the readme file to the working directory of the executable in any case even before the encryption takes place. But I'm now doing the loop twice. At the first time I'm just encrypting the files and on the second time I'm writing the readme files in the directories. Additionally, I'm closing the task manager window (very) regularly.
Most botnet owners uses crypting to infect users. And if the victim doesn't have a AV, it most likely means they don't care if they get infected, hence they probably won't bother to pay. If they use anti-virus, they probably care for their files.
I always strive for FUD on VirusTotal. I know, that the AV versions on VirusTotal may not check for the same cases as a regular desktop version.
My "customers" can pack/crypt the executables as they want, as long as the execution isn't fileless (in-memory) for now. "GetModuleFileName" have to return a valid exe or dll, so GetBinaryType have to either success or fail and give the lastError ERROR_BAD_EXE_FORMAT.
Ignore persistence. Start-up as in, if they install new content, it encrypts it again on startup. Escalation so they can't kill off the process when they notice malware is running.
I didn't planned persistence (continuous running). I'm now writing it to the HKLM Run, if that fails to the HKCU Run. I'm now closing the task manager window (very) regularly.
Welcome to EZ, jeiphoos.
I love to help people out improving their software, I had never taken down any request like that in the past; but in this case helping you is in conflict with my job (and conscience too, but that's another topic).
I rate it highly that you ask the way you ask.
Thank you very much for your answer. I had and have quite many conflicting interests at my current and past positions. I guess, that I have to choose another occupation group.
I would probably take part in a discussion about what makes ransomware sophisticated.
Although you are right that it is not complex, there are still only very few ransomware families that get everything right.
See also http://www.eurecom.fr/en/publication/4548/download/rs-publi-4548.pdf
Such a discussion would be quite philosophic. I already clear the shadow volumes, I do the encryption in-place, I use RC6 and on the server-side I have random delays before and after the RSA decryption in order to confront time-based attacks on the key, so I guess that I'm good to go.
Thank you for the link.
Show Posts
