The CryptoTrooper White-Box Solution is a tool that showcases a complete platform for learning about ransomware attacks and infections.
CryptoTrooper Is the Latest Security Tool For Ransomware Investigation
The CryptoTrooper is one of the latest tools that have been developed for the security community. As a security focused media we would like to give more insight about its capabilities and what it is used for. To understand its essence we first need to explain what the description means. The developers notes that this is “The world’s first Linux white-box ransomware for learning purpose”.
We understand that the program has two main characteristics:
- Linux-based – The application is developed to run on the Gnu/Linux operating system which gives it access to advanced commands and a flexible work environment. In addition this gives developer the ability to introduce modularity into the code base.
- White-Box Testing – This is a testing technique that relies on the structure of the tested objects. Some of the attributions that are designed to be tested by white-box means include programming statements, branch comparability and path coverage.
CryptoTrooper requires the following environment setup:
- A Debian-based 64-bit Gnu/Linux distribution with root access
- A running Apache or Nginx web server for setting up the web service encryption and main page modification
- The MySQL or PostreSQL databases for setting up database encryption
- Access to the /root and /home locations for personal data encryption
CryptoTrooper follows a set algorithm that includes the following phases:
- Infection – The victim server is exploited using a method of choice (software vulnerability, bad configuration or another option) and root privileges are attained
- Encryption – The ransomware crafts a unique symmetric encryption key and encrypts the target user data
- White-box – The white-box cipher uses the one-way white-boxed key and encrypts the key that is used for encryption
- Decryption – The victim machine sends the white-box encrypted key and its initialization vector (IV). The key is then decrypted by the hackers with their own IV and the master key. The true key is then sent to the victim user.
The Advantages of Using CryptoTrooper
The application can be used to learn about various ransomware implementations and concepts. This gives security experts and system administrators the platform to react in an event of a ransomware attack or infection and to perform the necessary precautions and measures against them. It is also a tool to study cryptography methods and practice reverse engineering samples of malware code.
CryptoTrooper can also be used in various demonstrations and workshops for computer and network security and penetration testing.
The developers of the project advise everyone to use a virtual machine or a non-production machine to mitigate the damage that the ransomware code produces on the host.
How To Run CryptoTrooper
Its very easy to setup the environment to run CryptoTrooper. The first thing is to install all necessary dependencies by issuing the following command as root:
apt-get install apache2 nginx-common mysql-server postgresql
The next step is to change to the / location and move the source directory with the following commands:
cd /
mv $CRYPTOTROOPER_SOURCE_DIRECTORY/* .
To start the actual encryption process the user needs to initiate the CryptoTrooper binary:
/cipher.sh &
This will encrypt the target user data with the AES-128 cipher in CBC mode with a randomly generated key a random initialization vector for each file. The next step is to white-box the one-way key and generate the key.enc and key.iv files.
These files are the ones that have to be sent to the attackers.
The ransomware message defaces the local web server and if a web browser is launched, the victim user will view its contents. All they have to do is enter the localhost address in the bar.
After the payment has been initiated the following commands need to be run:
mv key.enc key.iv $YOUR_DIRECTORY
./whiteDecipher.sh
And finally decryption is made by firing up these two lines:
mv key /
/decipher.sh
For more detailed information visit the official project page located on GitHub.
