Creating a POC Crypto Ransomware Framework – 2

Warning: Please read the Site Disclaimer before proceeding.

This post is the second part of the series Creating a POC Crypto Ransomware Framework. In the previous section, I commented on what a Crypto Ransomware is and also depicted the design of POC sample Crypto Ransomware I am developing in this series. Also in this section, I will brief about various ways a victim is infected with Crypto Ransomware. 

Infection Phase

This is a very important step in a successful ransomware attack, rather any malware attack. Most of the security products that try to defend malware attacks work at this step to eliminate infection of victim systems. Ransomware infects systems basically via two ways emails and compromised websites, the very same methods used by any malware.

Delivery of malware using email as a propagation medium is a predominant choice for attackers during malware campaign. Emails are considered to be a direct access for the attackers to enter the victim network and systems. These can be phishing emails wherein victims are tricked into assuming the content and sender of the email as legitimate. Also,  emails could be a scam and are not targeted at particular individual or infrastructure. This scenario is also known as Spear Phishing. Nonetheless, these emails have either links to compromised (infected) websites or carry attachments that have malware embedded in them.

Using social engineering techniques, the documents present themselves as genuine documents such as invoices, reports, bank statements etc. The documents that malicious emails carry are usually in the format which a general user expects such as .doc, .pdf, .xls, .xlsx, .xml. They can also bear multiple extensions such as 1234566.PDF.js  Each file format has its own way of downloading malware to the system. For example, .js file downloads malware from a compromised website, .doc file takes the help of macros.

Another step that attackers take is to publish trojans on various websites. These trojans can be genuine software, Keygens, Software cracks. When these trojans are run by the victim, the actual malware is downloaded to the systems. These malicious programs are now widely created using exploit-kits such as Nuclear, Rig, Neutrino.

Note: I intendedly avoided this phase in creating a POC Ransomware to avoid misuse of the information drawn from this website.

For a better understanding of this phase, I have presented two scenarios.

Scenario A

Here, an attacker embeds a malware in an Excel file, which gets triggered with Macro functionality. He then sends a mail to HR Dept personnel and tricks him to open the file. In this case, I have presented the case how an attacker gains remote access to victim’s system.

Supposedly, when the file is opened the victim is presented with the warning if Macros has to be enabled if it is not already enabled. After successful Macro execution, the attacker gains remote shell to the system.

In this case, I have shown how a malware in documents provides remote access to the system. The same idea is used to spread Ransomware through emails containing macro enabled attachments.

Scenario B

In this scenario, the victim visits a compromised website and downloads a trojan, in this case, a “Flash Player”.

When the victim executes it, a flash player is installed and at the end of the execution embedded malware gets executed to give remote access to the attacker.


In real life, malware authors employ various techniques to evade detection from Antivirus solutions. One such is to download malware in stages using trojan downloaders, droppers etc. These files can be scripts, software that in turn download the required malware to the victim’s system. I have just touched the tip of an iceberg when writing about infection phase.

The next part of the series discusses role and working of C&C server and Key Management at attacker’s side.

Creating a POC Crypto Ransomware Framework – 3



Leave a Reply

Your email address will not be published. Required fields are marked *