Architecture of a ransomware (2/2)

Note how we didn’t need to copy the full file: we just used the seek() method on the file object to move between byte offsets, which keeps the process as quick as possible. The same approach will also be used in the decryption function.

Also note that since we’re writing both the AES IV and the encrypted key into the encrypted file itself, we don’t need any kind of text file keeping track of each encrypted file. The victim can just send us any file, and as long as we have the private key used for that specific binary, we’ll be able to decrypt it.

SymDecryptFile

This will be the main decryption function. This is how it’ll work:


  • Call the function with a privateKey and a file path as a parameter

  • def symDecryptFile(privateKey, file):