femrawr/stuckmoth
stuckmoth

A Windows ransomware that uses the post-quantum Kyber key encapsulation mechanism (ML-KEM) together with Curve25519 and XChaCha20Poly1305 for encryption, plus a web panel for building, viewing updates and more.

Support server: https://discord.gg/DwW4JmMZQR

Disclaimer

This tool is strictly for educational and security research purposes only and should not be used in any malicious or unethical way.
The user is solely responsible for how and what they use this tool for.
The creator bears no responsibility for any damage, loss of data, or any unintended consequences that may result from using this tool.

Why this was created

This was created because I had never seen any ransomware making use of Kyber/ML-KEM and thought it would be cool to give it a try. Additionally, it was a way to understand and learn more about asymmetric encryption (early versions of stuckmoth simply had the key embedded inside the binary, which meant anyone holding the binary could recover it).

Building

  1. Go into stuckmoth\panel
  2. Run cargo run --release --target x86_64-pc-windows-msvc
  3. Wait for the dependencies to be compiled
  4. Go to the URL it outputs (it should look like listening on http://127.0.0.1:1107)
  5. Fill in the settings
  6. Scroll down to the "build" button and click it
  7. Wait until the page reloads (this can take a long time on the first build)
  8. Go into the .builds directory (the builder creates it automatically if it does not exist)
  9. The latest build is in the folder whose name starts with "latest-"
  10. An encryptor and a dedicated decryptor will be in there.

Picture of panel

Panel settings

  • tracking id - An ID that helps you keep track of this build.
  • note - The note that is displayed at the end of the encryption.
  • files enumeration chunk size - How many files are enumerated and sent for encryption per file discovery cycle.¹
  • overwrite deleted data passes - How many times a file is overwritten after it has been encrypted.²
  • processes to kill - A list of processes that are killed before encryption starts.³
  • whitelisted directories - A list of directories that are ignored during encryption.⁴
  • whitelisted file extensions - A list of file extensions that are ignored during encryption.⁵
  • block input - Disables all mouse and keyboard input during encryption.⁶
  • force admin - Continuously triggers the UAC prompt until it is accepted.⁷
  • melt file - Deletes the stuckmoth executable after encryption has finished.⁸
  • open note - Automatically opens the note after encryption has finished.⁹
  • restart device - Automatically restarts the device after encryption has completed.
  • delete shadow copies - Deletes all shadow copies with vssadmin.
  • overwrite deleted data - Overwrites all deleted data on every detected drive.²
  • encrypt separately - Writes the encrypted data to a new file before deleting the original file.
  • obfuscate file names - Renames encrypted files to single-letter names.¹⁰
  • add file extension - Appends ".STUCKMOTH" to the end of the file name.

¹ If the chunk size is smaller than the number of files in a directory, the encryptor may loop over that directory repeatedly, especially if obfuscate file names is enabled.
² This option only does anything if encrypt separately is enabled.
³ The process is killed with taskkill /f /im <process>. If the process starts again after being killed, it is not killed again.
⁴ Paths may contain environment variables such as %SYSTEMROOT%; they are expanded automatically if they exist.
⁵ If add file extension is enabled, ".STUCKMOTH" is added to the list automatically even though it is not displayed in the textarea in the panel.
⁶ This option requires stuckmoth to be run as administrator.
⁷ It does not do this if stuckmoth is already running as administrator.
⁸ If restart device is enabled and stuckmoth is running as administrator, it adds its own executable path to PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes at the next boot and so deletes the file. If stuckmoth is not running as administrator, it adds a RunOnce value (del <stuckmoth path>) under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
⁹ If restart device is enabled, stuckmoth adds a RunOnce value (explorer <note path>) under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
¹⁰ If there are more files than can be named a to z, naming continues with aa, then aaa, and so on.
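The settings and footnotes above amount to a list of host artifacts a defender can look for: taskkill /f /im and vssadmin invocations, RunOnce values of the form del <path> and explorer <note path>, a PendingFileRenameOperations write under Session Manager, renames to ".STUCKMOTH", and bursts of a/b/c/aa-style file names in one directory. The triage script below is an added example, not code from the stuckmoth project. It runs over constructed, simplified telemetry records; the record shape (type, cmdline, key, value, data, new_path) is an assumption and does not match any real Sysmon or EDR schema, and the vssadmin flags in the sample are illustrative rather than taken from the page.

```python
"""Host triage for the behaviours the stuckmoth README describes.

Added example (not code from the stuckmoth project). It consumes constructed,
simplified telemetry records; the field names are assumptions, not a real
Sysmon/EDR schema.
"""
import ntpath
import re
from collections import Counter

# Registry locations named on the page (HKLM hive).
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
ENCRYPTED_EXT = ".STUCKMOTH"

# Command lines the page says the encryptor spawns.
PROCESS_PATTERNS = {
    "taskkill_force_image": re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b.*\s/im\s+\S+", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
}
# RunOnce values the page says it writes: "del <path>" and "explorer <note path>".
RUNONCE_PATTERNS = {
    "runonce_self_delete": re.compile(r"^\s*del\s+\S", re.I),
    "runonce_open_note": re.compile(r"^\s*explorer(?:\.exe)?\s+\S", re.I),
}
# Obfuscated stems a..z, then aa, aaa, ... (one letter, repeated). Heuristic only:
# it is counted per directory so a single file called "a.txt" does not trigger it.
OBFUSCATED_STEM = re.compile(r"^([a-z])\1*$")
OBFUSCATION_MIN_FILES = 5


def classify_event(ev):
    """Return the indicator names one telemetry record matches (possibly none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        hits += [n for n, p in PROCESS_PATTERNS.items() if p.search(cmd)]
    elif kind == "registry":
        key, value, data = ev.get("key", ""), ev.get("value", ""), ev.get("data", "")
        if key.lower() == RUNONCE_KEY.lower():
            hits += [n for n, p in RUNONCE_PATTERNS.items() if p.search(data)]
        elif (key.lower() == SESSION_MANAGER_KEY.lower()
              and value.lower() == "pendingfilerenameoperations"):
            hits.append("pending_file_rename_delete")
    elif kind == "file_rename":
        if ev.get("new_path", "").upper().endswith(ENCRYPTED_EXT):
            hits.append("stuckmoth_extension")
    return hits


def obfuscated_name_dirs(events):
    """Directories where at least OBFUSCATION_MIN_FILES renames used a/aa/aaa-style stems."""
    per_dir = Counter()
    for ev in events:
        if ev.get("type") != "file_rename":
            continue
        directory, name = ntpath.split(ev.get("new_path", ""))  # Windows paths on any host
        stem = name.partition(".")[0]
        if OBFUSCATED_STEM.fullmatch(stem):
            per_dir[directory] += 1
    return sorted(d for d, n in per_dir.items() if n >= OBFUSCATION_MIN_FILES)


def triage(events):
    """Aggregate indicators over a batch; two distinct indicator families -> likely."""
    counts = Counter()
    for ev in events:
        counts.update(classify_event(ev))
    dirs = obfuscated_name_dirs(events)
    if dirs:
        counts["obfuscated_file_names"] += len(dirs)
    verdict = "likely_stuckmoth" if len(counts) >= 2 else "no_match"
    return {"indicators": dict(counts), "obfuscated_dirs": dirs, "verdict": verdict}


# Constructed sample telemetry (not captured from a real infection).
DOCS = r"C:\Users\u\Documents"
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "taskkill /f /im outlook.exe"},
    {"type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "cmdline": "notepad.exe report.txt"},              # benign
    {"type": "registry", "key": RUNONCE_KEY, "value": "a1", "data": r"del C:\Users\u\stuckmoth.exe"},
    {"type": "registry", "key": RUNONCE_KEY, "value": "a2", "data": r"explorer C:\Users\u\note.txt"},
    {"type": "file_rename", "new_path": DOCS + "\\report.docx"},            # benign
] + [{"type": "file_rename", "new_path": DOCS + "\\" + s + ENCRYPTED_EXT} for s in "abcdef"]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The per-directory threshold matters: a bare stem regex would flag every lowercase file name, so the obfuscation heuristic only fires when several renames in the same directory fit the a, b, aa, aaa pattern, and the overall verdict needs at least two independent indicator families.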

Debug config

These settings can only be edited directly in encryptor\src\config.rs

  • DEBUG_MODE_ENABLED - Whether debug mode is enabled.
  • DEBUG_MODE_DIR_OVERRIDE - The only directory that will be encrypted.
  • DEBUG_MODE_MAX_FILES_ENCRYPTABLE - How many files will be encrypted. If the number is 0, there is no limit on the number of files encrypted.
