Cryakl
For educational purposes only, samples of ransomware/wiper trojans including screenshots/ransom-notes.
Err0r-ICA
Worm/Trojan/Ransomware/apt/Rootkit/Virus Database
abhir98
Project Summary
This project was developed for the Computer Security course of my academic degree. Basically, it will encrypt your files in the background using AES-256-CTR, a strong encryption algorithm, using RSA-4096 to secure the exchange with the server, optionally through the Tor SOCKS5 proxy. The base functionality is what you see in the famous ransomware Cryptolocker. The project is composed of three parts: the server, the malware and the unlocker. The server stores the victim's identification key along with the encryption key used by the malware. The malware encrypts any payload with a RSA-4096 (RSA-OAEP-4096 + SHA256) public key before sending it to the server. This approach, with the optional Tor proxy and a .onion domain, allows you to hide your server almost completely.

Features
Run in background (or not).
Encrypt files using AES-256-CTR (Counter Mode) with a random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an unlocker.
Optional Tor proxy support.
Uses an AES-CTR cipher with stream encryption to avoid loading an entire file into memory.
Walks all drives by default.
Docker image for compilation.

Building the binaries
DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!
First of all, download the project outside your $GOPATH:
git clone github.com/mauri870/ransomware
cd ransomware
If you have Docker, skip to the next section. You need Go at least 1.11.2 with $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Building the project requires a lot of steps, like the RSA key generation, building three binaries and embedding manifest files, so let's let make do the job:
make deps
make
You can build the server for Windows with make -e GOOS=windows.

Docker
./build-docker.sh make

Config Parameters
You can change some of the configs during compilation. Instead of running only make, you can use the following variables:
HIDDEN='-H windowsgui' # optional. If present the malware will run in background
USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server
SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 work too if you run the server on the same machine as the malware
SERVER_PORT=8080 # the server port, if using a domain you can set this to 80
GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
Example:
make -e USE_TOR=true SERVER_HOST=mydomain.com SERVER_PORT=80 GOOS=darwin
The SERVER_ variables above only apply to the malware. The server has a flag --port that you can use to change the port that it will listen on.
DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!

Step by Step Demo and How it Works
For this demo I'll use two machines, my personal Linux machine and a Windows 10 VM. For the sake of simplicity, I have a folder mapped to the VM, so I can compile on my Linux machine and copy to the VM. In this demo we will use the Ngrok tool, which will allow us to expose our server using a domain, but you can use your own domain or IP address if you want. We are also going to enable the Tor transport, so .onion domains will work without problems.
First of all, let's start our external domain:
ngrok http 8080
This command will give us a URL like http://2af7161c.ngrok.io. Keep this command running, otherwise the malware won't reach our server.
Let's compile the binaries (remember to replace the domain):
make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.
After the build, binaries called ransomware.exe and unlocker.exe, along with a folder called server, will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a different GOOS variable during compilation) is locked to Windows machines only.
Enter the server directory from another terminal and start it:
cd bin/server && ./server --port 8080
To make sure that all is working correctly, make an HTTP request to http://2af7161c.ngrok.io:
curl http://2af7161c.ngrok.io
If you see an OK and some logs in the server output you are ready to go. Now move ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file, among others. Then simply run ransomware.exe and see the magic happen 😄. The window that you see can be hidden using the HIDDEN option described in the compilation section.
After downloading, extracting and starting the Tor proxy, the malware waits until the Tor bootstrapping is done and then proceeds with the key exchange with the server. The client/server handshake takes place and the client payload, encrypted with an RSA-4096 public key, must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Golang embedded database called BoltDB (it also persists on disk). When completed we get into the find, match and encrypt phase: up to N-cores workers start to encrypt files matched by the patterns defined. This process is really quick and in seconds all of your files will be gone. The encryption key exchanged with the server was used to encrypt all of your files. Each file has a random primitive called IV, generated individually and saved as the first 16 bytes of the encrypted content. The algorithm used is AES-256-CTR, a good AES cipher with a streaming mode of operation such that the file size is left intact.
The only two sources of information available about what just happened are the READ_TO_DECRYPT.html and FILES_ENCRYPTED.html on the Desktop. In theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID (located in the file created on the desktop). If the attacker can confirm your payment it will possibly (or maybe not) return your encryption key and the unlocker.exe, and you can use them to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.
Let's suppose you get your encryption key back. To recover the correct key, point to the following URL:
curl -k http://2af7161c.ngrok.io/api/keys/:id
Where :id is your identification stored in the file on the desktop. After that, run unlocker.exe by double-click and follow the instructions. That's it, you got your files back 😄
The server has only two endpoints:
POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA authenticity. Returns 204 (empty content) in case of success or a JSON error.
GET api/keys/:id - Id is a 32-character parameter, representing an Id already persisted. Returns a JSON containing the encryption key or a JSON error.

The end
As you can see, building a functional ransomware with some of the best existing algorithms is not difficult; anyone with some programming skills can build that in any programming language.
Endermanch52
These are my ransomwares and malwares: Elif, FakeZoom, Beygir, 000DanteMuhabbetKusu.
astafofo
The Ultimate Ransomware Collection – a curated, ever-growing archive of real-world ransomware samples collected from active campaigns, dark web leaks, honeypots, and malware telemetry.
f1r4s
# ZIICO RANSOMWARE
Beginner Ransomware program for Security Testing

# About Ziico
Ziico encrypts all of your documents, photos, videos, music, specific databases and other important files, hence rendering the encrypted category inaccessible. Therefore, to reaccess these encrypted files, a decryption key is required. Files that could be encrypted can vary and in most cases there is no turning back once executed. This ransomware is for study purposes and is meant to encrypt a few of your files to test whether your system security is just fine. Ziico Ransomware is built using C#, thus easily embedded. There is a pretty more advanced version of this program which is Fully Undetectable and because of this, I cannot upload it for certain reasons. This particular program follows an AES-256, AES-128 and a SHA256 Encryption. I believe that's pretty strong and has proven to bypass four anti-virus programs.

# Cryptography details
- encrypted via AES-256
- AES key generated manually
- AES key is encrypted by RSA-2048 (Windows RSA implementation)

The filetypes to be encrypted: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff,

# Decryption Process key
Decrypting Victims' File
=> open ziico.sln and create the .exe file
=> get the SystemId from your victims through emails, preferably a proxy-chained one.
=> download the Decryption key
=> reply to your victims with Decryption Tool and Password File

# DISCLAIMER
Do not attempt to tempt the law with anything contained here. This tool is for educational and research purposes. I will not be responsible for any illegal action executed. You shall not use this tool to harm a victim or execute the ransomware on a computer without the user's permission; however, you can try tool implementation on your personal computer, but at your own risk. If proven by law, this is a punishable act.

# Future Development
In case of need to further the program, contact me.
marcuwynu23
A simple MongoDB ransomware tool that demonstrates my experience of being attacked by this kind of ransomware and my expertise in the field of data security and database management.
RieckyWilliams
In the healthcare sector, where the expenses of a treatment or the cost of a more advanced surgical instrument or machine are skyrocketing, the only thing cheap is storing the medical histories of patients on electronic health records (EHRs) in the Cloud. When doctors are able to use the Internet of Things for research and peer-reviewed studies, they can perform better. Diseases can be cured and prevented with facts and remedies from around the world. Telemedicine technologies can be used to provide critical medical care to people in rural and remote areas. Such digital advancements are taking the healthcare industry into the future. However, these opportunities come with a significant security risk. In order to improve the cardiac monitoring of a patient, a lot of new medical devices can be installed, but they bring along the risk of new entry points for cyber criminals. According to the 2017 KPMG/Forbes Insights Cyber-Security Survey, 55% of organizations have seen an employee fall prey to a phishing scam and 34% have seen theft from a secured database by an internal bad actor. Cyber and privacy breaches bring along the risk of loss of digital assets and also cause irreparable damage to the reputation of the organization. Patient data will always remain a critical asset in the healthcare industry. However, cyber criminals want to steal this protected health information (PHI). The value of medical data is ten times more than that of financial data in the black market of the dark web. In the last two years, 47% of healthcare organizations have had a security breach related to HIPAA. Sensor-based wireless devices have proven to be a boon as well as a bane for the healthcare industry. Wireless devices allow efficient communication and seamless patient management. But they also act as an entryway into the network of the hospital. For cyber criminals this is an easy way to access sensitive information from the hospital's networks.
Continuous technology assessments are critical to cyber security. It is imperative that healthcare organizations address all the vulnerabilities before integrating new technologies. Awareness about the potential attacks is of utmost importance. ACS Guaranty's Cyber-Security Solutions assist critical infrastructure organizations in altering their security and privacy controls into business-enabling platforms. ACS, a Guaranteed Secured Centre, safeguards IT networks and secures critical data from any cyber-attack. The company covers all the needs from pre- to post-breach in terms of cyber security. Solutions include threat intelligence, cyber forensics, and other cyber risk services. The most common methods of attack are malware (72%), ransomware (32%) and internal theft (47%). Sharing data with third parties is at the top of the perceived vulnerabilities list, with 63% of organizations complaining about it. Other vulnerabilities on the list include internet devices not controlled by IT (59%), external attackers (50%), and employee breaches (27%). Hence, a balanced cyber security program is required. Healthcare organizations must implement advanced cyber security solutions, and should train their staff regularly and make them aware of the potential risks. Organizations ignoring this risk are vulnerable to incalculable damage to their reputation as well as their finances.
Mr5G
Here's a database of malware (viruses, trojans, ransomware,...).
tahsinnahmed
Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access.
seanpm2001
Information about ransomware, mitigation/prevention, advice, and more.
hawk-xc
This database contains malware, like trojans and ransomware.
shubham9844
Monitoring any kind of cyber attack on Indian cyberspace like ransomware, website hacks, defacements, databases, and stealer logs.
AnubhavJohri
RansomwareElite is an Android application which detects the presence of ransomware in the apps installed on an Android device by checking for the presence of any threatening text in app code or by verifying the permissions requested by the app from the user. In this paper, we focused on improving the performance of the RansomwareElite app by extending its features. Now, the RansomwareElite app also searches for the presence of any threatening image or file containing threatening text by analyzing the Android Package Kit (APK) file of an Android app. Moreover, it also detects some specific methods and classes in the code of the APK which could be used for locking the device and checks some specific permissions requested, now for uninstalled apps too. Further, it maintains a database on the online server for the records of all the suspicious and ransomware apps detected by RansomwareElite. We have tested RansomwareElite with 9 test apps which were manually created based on the features of ransomware families and on 48 Android devices. After analyzing the test results, we have found that the performance of RansomwareElite is improved after incorporating the new features, and the RansomwareElite app detects the presence of ransomware in installed as well as uninstalled apps present on an Android device in an efficient manner.
ajmatson
A script that compares known ransomware IPs to a geolocation database
am-ritpal
A Signature-Based Ransomware Detection System is a cybersecurity mechanism designed to identify and block ransomware threats by matching them against a database of known malicious signatures.
Getttttttt
I tried to reproduce the whole process of LockBit ransomware, including the front-end phishing pages, ransomware, and the back-end API interface, worm spread, database, and so on. At the same time, the attack version for both Windows and Linux systems is implemented, but due to the limitation of public information.
HarshitTyagi9o9
Monitoring dark web forums, onion sites, Telegram/Discord groups (through APIs / scrapers). Collects posts/listings like: new ransomware families, phishing kits for sale, leaked databases (emails, credit cards, health records), malware tools and exploits.
esskslifetech
Corruption Isolation Engine (CIE) - a Python/C++ tool that detects, isolates, and quarantines corrupted files from directories and databases using advanced algorithms, format-specific validation, and ransomware detection with both GUI and CLI interfaces.
Lexerd63
Lots of Ransomware, be careful
Shubhamgitstar
Database Model to check ransomware hits
Database project based on Kettering Health ransomware ERD, implementing six complex SQL queries with Python Flask backend and simple HTML/JS frontend. Features include multi-joins, window functions, conditional aggregation, and secure parameterized queries with CSV export and date filtering.
grgk05
C:\Program Files (x86)\ManageEngine\UEMS_Agent\EDR\Anti-Ransomware\Internal\Database
hy011121
Lock all files and databases with CryptSite v.2.0.3 ransomware!
ranfysvalle02
This repository provides a guide on how to mitigate the risk of ransomware attacks on MongoDB data using Client-Side Field Level Encryption (CSFLE). It includes a Python script that simulates a ransomware attack, demonstrating how CSFLE protects sensitive data even when the entire database is compromised.
Duaa-fatimaa
a chatbot/web app that fetches public cybersecurity feeds (CVE databases, security blogs, news APIs), then uses LangChain to summarize, answer queries, and relate updates to user-specified keywords (e.g., “Linux vulnerabilities,” or “ransomware attacks”)
andrewpauk24
This project evaluates the security risks of a remote database server that has been publicly accessible on the internet. The assessment identifies potential threats such as data breaches, unauthorized access, and ransomware, and explains the impact on business operations.