With this ransomware builder you can create your own ransomware to encrypt files by bitcoin.
- Almost 10 thousand lines of code.
- Coded in C# .NET Framework 3.5.
- Many classes built from the ground up.
- Extensive and fully explained configuration file.
- Size around 5 MB.
- Over 100 skins provided.
- Advanced spreading features.
- Rootkit to hide the executable included and automatic.
- Debug testing safe sample mode.
- Extensively tested.
- Runs from Win7 and up.
- Low CPU usage. All functions use multi-threading.
- Simulates a system process.
- Melting and relocation.
- Extensive punishment if the ransom is not paid, going up to deletion of all hard drives and killing the boot.
- Attacker regularly informed of ransomware actions.
- Window frame and icon in the Windows taskbar are invisible; however, you can still drag the ransomware main window around with the mouse to clear the browser's visibility to make the payment.
- Instructions have background transparency.
- Copy-to-clipboard Bitcoin address button.
- Links to both a Bitcoin technology explanation and the payment website address.
- Cool wallpaper changer (loads a wallpaper file from a selected URL).
- Market BTC value is shown in real time in the main interface.
- A skin system is used to easily change the malware's main interface look and feel.
- Totally automated using Coinpayments and Block.Io accounts.
- You don't need to take the risk of giving any email address.
- No attacker intervention.
- Each victim gets an individual unique BTC address.
- The ransomware disables the Task Manager (it is restored after payment) to prevent being killed from memory.
- The ransomware also sets itself as an unkillable process. In case the user manages to kill it, the whole of Windows will crash with a BSOD.
- All needed DLL files are deployed by the malware itself. No need for external files.
- USB stick, network drive and network card spreading.
- Intranet spreading by lateral movement and WMI exploits.
- Spreading through HTML email attachment and FUD Word macro.
- Autorun enabler for removable devices.
- EternalBlue exploit scanner and spreading. DoublePulsar report and spreading.
- Windows Defender is disabled. It can't be turned back on easily and will stay off after restart. Also AVG and MalwareBytes.
- Bot killer.
- Windows Explorer options modified so hidden files cannot be seen (might not always work depending on OS version, or may require a restart).
- Anti-sniffer code.
- Windows Update disabler.
- System Restore killer.
- Disable UAC (no admin for victim).
- Disable Regedit.
- Disable CMD.
- Windows serial number retrieval. Sent back to the attacker by email.
- Use the app as ransomware or as a worm. Option to not encrypt any file and not request any ransom, only spread through different mechanisms and install a RAT or any other file of choice.
- Change permissions of all files belonging to all users in an intranet so they can all be encrypted.
- Business and enterprise database encryption.
- Anti-VirusTotal and anti-VirusScan.
- An admin-configurable user account is created on the victim's computer, so if the attacker has access to that network he can log in as Admin (the logged-in victim has to be admin in the first place).
- Clean-up after the ransom is paid.
- BlueKeep vulnerability scanner. Results are sent back to the attacker by email.
- A custom SMTP server can be easily set.
- You can add wallets of coins other than BTC.
- Wallets are handled intelligently. Once one wallet runs out of new addresses, the next one is used.
- Mass mailer. It works with a list of free SMTP servers and a list of email addresses, combined to send an infected email copy of itself.
- Random Domain Generation. RDG is a great technique to avoid your malware communication channel being taken down. It will generate hundreds of domains a day which it will simulate contacting. Immersed in this big lot of communications traffic, your real channel of communication will be disguised. Only one or two of these random domains are really registered and used by the malware; the rest are decoys. Can be turned on or off, and you can select how many visits/day to random domains it will perform.
- Encryption of files up to 1000 MB in size.
- Encryption password option to make it static or dynamic. In dynamic mode, the custom decryptor (provided) is no longer effective and each new computer will have a different encryption password.
- Dynamic ransom amount. If set to yes, the ransom will increase progressively every pre-configured number of hours by a pre-configured percentage. There is also a variable to set the maximum possible increase to prevent excessively high ransom amounts.
- Variable purge time interval cycle. This variable allows you to set a variable time cycle after which files are erased.
- Possibility to configure in config.cs whether a large number of files is erased or not if the malware is restarted, as punishment, and how many files will be erased. Erasing will only occur after the malware has melted and is relocated to its final hidden directory.
- Impossibility to erase the malware directory or associated files. For this to work the malware has to be run elevated (so the run-elevated variable in config.cs has to be set to true); if not, it will ask for elevation. To prevent such a situation, it will only try to protect the directories if it is running elevated in the first place.
- Forensics evidence cleaner. Something I always wanted to add, but too much coding. Finally it's done. This feature can be configured and customized in config.cs. In case the victim is not willing to pay, it will look through all hard drives erasing any trace of its presence, killing every hard drive and finally removing itself.
- Dynamic control email accounts. In case an account is banned, the malware can choose from several others.
Custom Decryptor (executable and source code provided):
- All malware communications are now redirected through the Tor encrypted network, not only cPanel commands.
- Ability to change the Tor encryption password on the fly from cPanel.