A Brazilian developer named Lenon Leite has released proof-of-concept code for a ransomware family coded in PHP that will allow an attacker to encrypt the contents of web servers.
The ransomware's name is Heimdall and is currently available via GitHub under an MIT license, but I doubt criminal groups care about proper licensing.
In its description, Leite describes the project as follows:
Detailing his intentions and the project's purpose, Leite also adds:
Released on October 26, the Heimdall ransomware is self-contained in one 482-line PHP file, which produces the GUI below. If used by attackers, they would deploy the ransomware by uploading this PHP file to compromised servers and accessing the file's URL.
The interface allows the attacker to enter a password that will be used to lock the user's files using the AES-128-CBC encryption algorithm.
The encryption process targets the $_SERVER['DOCUMENT_ROOT'] folder (the directory where the script runs) and all folders found inside it.
During the encryption process, a log of Heimdall's activity is shown in the GUI. The encryption process can take between seconds and minutes, depending on the number of files found on the server.
Once the encryption finishes, all server files, regardless of extension, will be encrypted and their content will be prepended with the "Heimdall---" file marker, as per the screenshot below.
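As an added illustration from the defender's side (not code from the article or from the Heimdall project), the script below walks a web root and lists every file whose contents begin with the "Heimdall---" marker the article describes, so an administrator can size the damage and decide what to restore from backup. It assumes only what the article states about the marker; the function names and the constructed sample tree are inventions of this example.

```python
"""Incident-response triage helper for the file marker described above.

Added example, not part of the original article or of the Heimdall project.
The only assumption taken from the article is that encrypted files have the
literal string "Heimdall---" prepended to their contents. The function names
and the sample tree built by make_demo_root() are constructed for this demo.
"""
import os
import sys
import tempfile
from typing import Dict, List

MARKER = b"Heimdall---"  # file marker described in the article


def is_marked(path: str) -> bool:
    """Return True if the file begins with the marker.

    Only len(MARKER) bytes are read, so scanning a large web root does not
    require loading every file into memory.
    """
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        # Unreadable entries (permissions, sockets) are treated as not marked.
        return False


def scan_web_root(root: str) -> Dict[str, List[str]]:
    """Walk `root` and classify regular files as marked or clean.

    Symlinks are skipped and not followed, so a link pointing outside the web
    root does not drag unrelated parts of the filesystem into the report.
    """
    result: Dict[str, List[str]] = {"marked": [], "clean": []}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            result["marked" if is_marked(path) else "clean"].append(path)
    result["marked"].sort()
    result["clean"].sort()
    return result


def summarize(report: Dict[str, List[str]]) -> str:
    """One-line damage estimate for the incident log."""
    marked, clean = len(report["marked"]), len(report["clean"])
    total = marked + clean
    pct = (100.0 * marked / total) if total else 0.0
    return f"{marked} of {total} files ({pct:.1f}%) carry the marker"


def make_demo_root() -> str:
    """Constructed sample web root: two 'encrypted' files, two untouched ones."""
    root = tempfile.mkdtemp(prefix="heimdall-triage-demo-")
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)
    samples = {
        "index.php": MARKER + b"\x8a\x1f...ciphertext...",
        "uploads/logo.png": MARKER + b"\x00\x00ciphertext",
        "robots.txt": b"User-agent: *\n",
        # Contains the word but not the marker at offset 0: must stay "clean".
        "uploads/notes.txt": b"Heimdall is also a Norse god\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # Pass a path (ideally a mounted image or copy of the web root) to scan it;
    # with no argument the constructed demo tree is scanned instead.
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_root()
    report = scan_web_root(root)
    print(summarize(report))
    for p in report["marked"]:
        print("  restore from backup:", p)
```

The marker check is deliberately an exact prefix match rather than a substring search: a file that merely mentions the word somewhere in its body is not evidence of encryption, and the sample tree includes one such near-miss to show the distinction. Run it against a copy or mounted image of the web root rather than the live server so the triage itself does not alter timestamps on evidence.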
Tests by Bleeping Computer's Lawrence Abrams and security researcher Benkow, who alerted BC of Heimdall's existence, reveal that Leite had open-sourced a fully-weaponized version of his ransomware, capable of encrypting servers right out-of-the-box, with minimal changes to the basic code.
The ransomware's developer has also recorded and released a video on YouTube showcasing Heimdall's features.
Leite is not the first developer to create "educational" ransomware that is later open-sourced via source code sharing websites like GitHub.
Previously, Turkish developer Utku Sen had created the Hidden Tear and EDA2 ransomware projects, and security researcher Maksym Zaitsev released the CryptoTrooper Linux ransomware.
For example, Hidden Tear was used for ransomware families such as 8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction.
On the other hand, EDA2 was used for ransomware variants known as razilian, DEDCryptor, Fantom, FSociety, Magic, MM Locker, SkidLocker, SNSLocker, Strictor, and Surprise.
Because it targeted Linux systems, the CryptoTrooper project wasn't deployed en masse, and we are currently unaware of any cases where it might have been used.
Furthermore, Zaitsev quickly realized the mistake of publishing the CryptoTrooper code as open source, and after pulling down his repository, he later made it available again, but only after users solved a crypto-challenge.
Bleeping Computer has reached out to Leite for additional comments on what drove him to release a fully-weaponized version of Heimdall.
The author, for whom English is not his first language, provided the following reply.
Zaitsev, the author of CryptoTrooper, had the same train of thought and principles before intense criticism from the infosec community drove him to remove the project from GitHub.
Until now, the infosec community hasn't reached out to Leite to inform him of the danger he's putting users in because of his actions.
In another reply, which we'll not share here, Leite seemed to be more interested in showcasing PHP's features when it comes to encryption and security-related tasks, when compared to other programming languages such as Python or Ruby.
Even if the project is removed, no doubt some bad actor already has a copy of it somewhere on a hard drive, and most likely the code is already being shared in the criminal underground.
The problem is not getting the ransomware taken down from GitHub; it's dissuading legitimate researchers and software developers from publicly releasing such code to begin with.
There is a need for researchers to study how ransomware works, but this can be done in private and controlled environments. Ransomware is not like a server flaw that needs to be weaponized and shared online, in order to allow researchers to test their systems.
Until now, server-targeting ransomware hasn't been very effective, mainly because server admins are in the habit of regularly backing up their websites on a daily, weekly, or monthly basis, and can easily deploy an older image of their server within minutes when infected.
On the other hand, backing up home or work computers isn't something that users regularly think of, and that's why desktop-targeting ransomware is so prevalent.
Leite is not the first Brazilian developer to have created a proof-of-concept ransomware. In November 2015, Rafael Salema Marques created a Mac ransomware called Mabouia.
Marques didn't open-source the code online and only shared it with Apple's Mac Threat Research Team, who reached out to get a copy and analyze it.
UPDATE [November 9, 13:05]: After we published our article, Leite informed Bleeping Computer that he removed the ransomware's code from GitHub. At the time of writing, the project is still on GitHub, but the ransomware's source code includes only a message that reads "this project is in analys, maybe we return or not. =)"