Deep RansomWare


How Bad Hackers built RansomeWare and handle from one Network…


Tags: ransomware builder v2, atom ransomware download, ransomware creator tool, ransomware builder pack, shark ransomware download, shark ransomware download, golang ransomware, how to get ransomware virusmauri870 ransomware, how to create ransomware, DIY ransomware, Ransomware Builder Download

Private ransomware Service Available

General characteristics:

–Almost 10 thousand lines of code.

–Coded in C# .NET framework 3.5.

–Many classes build from the ground up.

–Extensive and fully explained configuration file.

–Size around 5 Mb.

–Over 100 skins provided.

–Advanced spreading features

–Rootkit to hide executable included and automatic.

–Debug testing safe sample mode.

–Extensively tested.

–Runs from Win7 and up.

–Low CPU usage. All functions use multi-threading.

–Simulates system process.

–Melting and relocation.

–Extensive punishment if ransom not paid – goes up to all hard drives deletion and killing boot.

–Attacker regularly informed of ransomware actions.


–Windows frame and icon in the windows taskbar are invisible, however, you can still drag around the ransomware main window with the mouse to clear the browser visibility to make the payment.

–Instructions have background transparency.

–Copy to clipboard the Bitcoin Address button.

–Links to both Bitcoin technology explanation and payment website address.

–Cool Wallpaper changer (loads wallpaper file from a selected URL.

–Market BTC value is shown in real-time in the main interface.

–A Skinned system is used to easily change the malware’s main interface look and feel.

Payment system:

–Totally automated using Block.Io accounts.

–You don’t need to risk by giving any email address.

–No attacker intervention.

–Each victim gets an individual unique BTC address.

Security features:

–The ransomware disables the task manager (it is restored after payment) to prevent being killed from memory.

–The ransomware also sets itself as an un-killable process. In case the user manages to kill it, the whole windows will crash with a BSOD.

–All needed DLL files are deployed by the malware itself. No need for external files.

–USB Stick, network drives, network cards Spreading.

–Intranet spreading by lateral movement and WMI exploits.

–Spreading through HTML email attachment and FUD word macro.

–Autorun enabler for removable devices.

–EternalBlue Exploit scanner and spreading. DoublePulsar report and spreading.

–Windows Defender is disabled. Can’t be turned back on easily and it will stay off after restart. Also AVG and MalwareBytes.

–Bot Killer.

–Windows explorer options modified so hidden files can not be seen (might not always work depending on OS version or may require a restart).

–Anti sniffers code.

–Windows Update Disabler.

–System Restore Killer.

–Disable UAC (no admin for the victim).

–Disable Regedit.

–Disable CMD.

–Windows Serial Number retrieval. Send it back to the attacker by email.

–Use the app as ransomware or as a worm. Option to not encrypt any file and not request any ransom, only spread through different mechanisms and install RAT or any other file of choice.

–Change permissions of all files belonging to all the users in a intranet so they can be all encrypted.

–Businesses and Enterprises database encryption.

–Anti virustotal and VirusScan.

–Admin configurable user account is created in the victim’s computer, thereby if the attacker has access to that network then he can log in as Admin (logged victim has to be an admin in the first place).

–Clean-Up after the ransom is paid.

–BlueKeep vulnerability scanner. The results are sent back to the attacker by email.

–Custom SMTP server can be easily set.

–You can add wallets of other coins different than BTC.

–Wallets are handled intelligently. Once one wallet runs out of new addresses, the next one is used.

–Mass mailer. It works with a list of free SMTP servers and a list of email addresses combined used to send an infected email copy of itself.

–Random Domain Generation. RDG is a great technique to avoid your malware communication channel being taken down. It will generate hundreds of domains a day with which it will simulate to contact. Immerse in this big lot of communications traffic your real channel of communication will be disguised. Only one or two of these random domains is really registered and used by the malware, the rest are decoys. It can be turned on or off and you can select how many visits/day to random domains it will perform.

–Encryption of files up to 1000 MB in size.

–Encryption password option to make it static or dynamic. In dynamic mode, the custom decryptor (provided) is no longer effective and each new computer will have a different encryption password.

–Dynamic ransom amount. If set to yes, the ransom will increase progressively each certain pre-configured number of hours and in certain pre-configured percentage. There is also a variable to set the maximum possible increase to prevent excessively high ransom amounts.

–Variable purge time interval cycle. This variable allows you to set a variable time cycle after which files are erased.

–Possibility to configure in the config, cs if a large number of files is erased or not if malware is restarted as punishment and how many files will be erased. Erasing will only occur after malware has melted and is relocated to its final hidden directory.

–Impossibility to erase malware directory or associated files. For this to work the malware has to be run elevated (so run elevated variable in config.cs has to be set to true) if not, it will ask for elevation; to prevent for such a situation, it will only try to protect the directories if it is running elevated in the first place.

–Forensics Evidence Cleaner. Something I always want to add but too much coding. Finally, it’s done. This feature can be configured and customized in the config, cs. In case the victim is not willing to pay it will look up for all hard drives erasing any trace of its presence, killing every hard drive and finally removing itself.

–Dynamic control email accounts. In case an account is banned malware can choose from several others.

Control Panel:

Custom Decryptor (executable and source code Provided):


–All malware communications are now redirected through Tor Encrypted Network and not only cPanel commands.

To Add:

-Ability to change the Tor encryption password on the fly from cPanel.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.