Skip to content
/ Dimorf Public

Dimorf is a ransomware using 256-bit AES with a self-destructing, randomly generated key for Linux OS´s

License

Notifications You must be signed in to change notification settings

Ort0x36/Dimorf

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Dimorf

Dimorf is a ransomware using 256-bit AES with a self-destructing, randomly generated key for Linux OS´s

Warning⚠️

  • "This code was created for learning purposes only and must not be used to damage or harm other users in any way. Use at your own risk."

Why Dimorf?

  • This name came as inspiration from the Mr. Robot, where the main character is a morphine user, the pharmaceutical name of morphine is dimorf, in parts the name was also inspired by the LKM Rootkit Diamorphine. Diamorphine is the pharmaceutical name for Heroin.

Features

  • __save_log_error: Logs error messages to a file if the file to be encrypted has insufficient permissions and returns the log file path.

  • check_os: checks if the operating system is a Linux type and if Python is running on version 3. If both conditions are true, the encrypt function is called.

  • find_and_encrypt: searches for files in a specific path (by default the path is a user's home directory, extracted by the "HOME" environment variable) and checks if these files have a specific extension (ext_files). If a file has a valid extension, the function checks that it is not a hidden file (begins with "."). If a file meets these conditions, the function checks whether the current user has read, write, and access permissions for that file. If this is the case, the function starts a file encryption process using AES (Advanced Encryption Standard) in CBC mode. Before encrypting, the function opens the file in read mode and loops through the entire contents of the file to check if it is empty, if the file is empty, the function adds a byte padding '\x00\x01' to the variable " data" until its length is a multiple of 16, opens it in write mode, encrypts the entire contents of the file, and replaces the original file with the encrypted version with the ".dimorf" extension. If the current user does not have read, write, or file access permissions. In this case, the function tries to change the permissions of the file to 0o644 in octal basis (meaning that the owner of the file has read and write permissions and all other users have read-only permissions). If the permission change is successful, the function starts the file encryption process again, replacing the original file with the encrypted version and removing the original file. Otherwise, the function generates a log file called "log_dimorf.log" showing the files that could not have their permissions changed.

  • Previously the code extracted the home directory of a common user by the HOME environment variable, and it still works like this if the current user is a common user, with the update the code checks the user by ID, if the ID is equal to zero , this means that the current user is root, so the path to be traversed is from the root "/" since the root user has permission on these subdirectories, the code traverses all subdirectories of the root "/", however, avoiding critical directories like "/boot", "/etc" and so on.

  • checks if there is a process using the file before starting cryptographic operations, if there is, the process is terminated by the pid using syscall kill

Install

  • Clone the repository
git clone https://github.com/Ort0x36/Dimorf.git
  • Enter the folder
cd Dimorf 
  • Install requirements
pip install -r requirements.txt
  • Execution permission
chmod +x dimorf.py
  • Exec
./dimorf.py

References