A project for my first information security class, A.C.B. is a ransomware agent and control server. Agents connect to the control server to retrieve a GUID and an encryption key. The key is used to encrypt all the files on the target system, violating availability and integrity, and the GUID is written to a file that notifies the user of the breach. To decrypt the files, the user must contact the attacker for the decryption key, which the attacker looks up in the database by GUID.
Smaller files are uploaded to the control server before being encrypted, violating confidentiality.
This is a proof of concept for a class; it should NOT be used for real attacks. Windows Defender will easily stop it anyway.
Other drawbacks include:
- Single-threaded operation
- Requires a connection to the control server
- Waits for each upload to finish before encrypting or uploading the next file
- Tested only on Windows 10
Other components
Key injector
Disguised as a flash drive, this keystroke-injection device opens a command prompt window on insertion, downloads the payload from the remote web server, and executes it with full admin privileges (the logged-in account has to be an administrator already, which is why the demonstration below uses one). A.C.B. is set to run in the foreground, but it's pretty easy to hide the windows...if you're wearing a dark hat.
Web server
To take advantage of ASP.NET's support for automatic serialization, I stuck with an ASP.NET-hosted application on the default Kestrel server. I used some student credit to spin up an Azure VM with minimal specs. After some basic server configuration, I built the project with the dotnet command and ran the application on port 80. Traffic was sent as plain HTTP, so anyone capturing it could read the key and the uploaded files, and a defender with a packet capture could recover the decryption key without ever contacting the attacker. Nothing stops the server from being run on HTTPS with a self-signed certificate instead, which would hide the contents of the traffic, although the agent would then have to trust or pin that certificate since no client would validate it by default.
Demonstration
I created an administrative user on my personal Windows machine and disabled Windows Defender, since I knew it would block the process. I inserted the key injector to begin the attack. The class could see the command prompt window moving quickly but could not make out the details, so I described what the application was doing and alternated between the command window and the PuTTY window connected to the server. There I showed the database filling up with smaller documents. In short, none of my classmates or friends allow me to plug a single thing into their machines.
Project type: Client console application, Web server
Written in: C#
Dependencies: .NET Core 2.1; a MariaDB/MySQL server
My role: Pay the bills
Link: View on GitLab