A Brazilian developer named Lenon Leite has released proof-of-concept code for a ransomware family coded in PHP that will allow an attacker to encrypt the contents of web servers.

The ransomware's name is Heimdall and is currently available via GitHub under an MIT license, but I doubt criminal groups care about proper licensing.

Heimdall GitHub repo

In its description, Leite describes the project as follows:

[sic] Heimdall is a ransomware file writte in PHP language and it run in services web Heimdall encrypted all files with a password register and only decrypted files with this password

Detailing his intentions and the project's purpose, Leite also adds:

[sic] This project is only a concept prove and study of case. The ideia is prove for all the big extension of PHP and your utilities including vírus and malicious code. The utilization for real life is probably case of police in your country. Is recommend that use in controlled environment, with files with backup.

Released on October 26, the Heimdall ransomware is self-contained in one 482-line PHP file, which produces the GUI below. If used by attackers, they would deploy the ransomware by uploading this PHP file to compromised servers and accessing the file's URL.

Heimdall GUI

The interface allows the attacker to enter a password that will be used to lock the user's files using the AES-128-CBC encryption algorithm.

The encryption process targets the $_SERVER['DOCUMENT_ROOT'] folder (the directory where the script runs) and all folders found inside it.

During the encryption process, a log of Heimdall's activity is shown in the GUI. The encryption process can take between seconds and minutes, depending on the number of files found on the server.

Heimdall encryption log

Once the encryption finishes, all server files, regardless of extension, will be encrypted and their content will be prepended with the "Heimdall---" file marker, as per the screenshot below.

Heimdall locked file
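As an added defender-side example (not part of the article and not Leite's code), the scan below walks a web root recursively, the same scope the article says Heimdall targets, and flags files that begin with the "Heimdall---" marker; the entropy check, its 7.0 threshold, and the sample directory tree are my own assumptions, used to separate true ciphertext from a text file that merely happens to start with the marker.

```python
import math
import os
import tempfile
from pathlib import Path

MARKER = b"Heimdall---"  # file marker the article says Heimdall prepends to every file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES-CBC output sits near 8.0, plain text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_webroot(root: str, entropy_threshold: float = 7.0) -> dict:
    """Walk root like Heimdall walks DOCUMENT_ROOT and classify each file.

    'marked' = starts with the marker; 'likely_encrypted' = marked AND the
    bytes after the marker look like ciphertext (assumed entropy threshold).
    """
    marked, likely_encrypted, clean = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(len(MARKER))
                body = f.read(4096)
            if head != MARKER:
                clean.append(path)
                continue
            marked.append(path)
            if shannon_entropy(body) >= entropy_threshold:
                likely_encrypted.append(path)
    return {"marked": sorted(marked), "likely_encrypted": sorted(likely_encrypted), "clean": sorted(clean)}


def build_sample_webroot() -> str:
    """Constructed sample tree standing in for a partially hit web root (not real data)."""
    root = tempfile.mkdtemp(prefix="heimdall-scan-")
    sub = Path(root, "assets", "img")
    sub.mkdir(parents=True)
    ciphertext_like = bytes(range(256)) * 16  # uniform bytes: entropy exactly 8.0
    Path(root, "index.php").write_bytes(MARKER + ciphertext_like)
    Path(sub, "photo.jpg").write_bytes(MARKER + ciphertext_like)
    Path(sub, "notes.txt").write_bytes(MARKER + b"plain text that merely begins with the marker\n")
    Path(root, "robots.txt").write_bytes(b"User-agent: *\nDisallow:\n")
    return root


if __name__ == "__main__":
    report = scan_webroot(build_sample_webroot())
    for key, paths in report.items():
        print(f"{key}: {len(paths)} file(s)")
```

Run it against the real document root instead of the sample tree to get a quick hit count before deciding whether to restore from backup.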

Tests by Bleeping Computer's Lawrence Abrams and security researcher Benkow, who alerted BC of Heimdall's existence, reveal that Leite had open-sourced a fully-weaponized version of his ransomware, capable of encrypting servers right out-of-the-box, with minimal changes to the basic code.

The ransomware's developer has also recorded and released a video on YouTube showcasing Heimdall's features.

Open-sourcing ransomware is a bad idea

Leite is not the first developer to create "educational" ransomware that is later open-sourced via source code sharing websites like GitHub.

Previously, Turkish developer Utku Sen had created the Hidden Tear and EDA2 ransomware projects, and security researcher Maksym Zaitsev released the CryptoTrooper Linux ransomware.

Sen's projects, because they targeted Windows, ended up being used as the base for multiple ransomware variants that have come out almost weekly since late 2015.

For example, Hidden Tear was used for ransomware families such as 8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction.

On the other hand, EDA2 was used for ransomware variants known as razilian, DEDCryptor, Fantom, FSociety, Magic, MM Locker, SkidLocker, SNSLocker, Strictor, and Surprise.

Because it targeted Linux systems, the CryptoTrooper project wasn't deployed en masse, and we are currently unaware of any cases where it might have been used.

Furthermore, Zaitsev quickly realized the mistake of publishing the CryptoTrooper code as open source, and after pulling down his repository, he later made it available again, but only after users solved a crypto-challenge.

The problem with open-sourcing ransomware has been previously explained in a Softpedia editorial, and most recently in an opinion piece by G Data security researcher Karsten Hahn.

Heimdall developer wanted to showcase PHP's ransomware feasibility

Bleeping Computer has reached out to Leite for additional comments on what drove him to release a fully-weaponized version of Heimdall.

The author, whose first language is not English, provided the following reply.

[sic] I´m decided to open source for title of studies, security offencive is a important content for studies. I written that the use of heindall can get many problem. And show many possibilities of php. I ever talked that we need understand how de bad code  it works for create better defence or better code. How can we defend something we do not know ?!

Zaitsev, the author of CryptoTrooper, had the same train of thought and principles before intense criticism from the infosec community drove him to remove the project from GitHub.

Until now, the infosec community hasn't reached out to Leite to inform him of the danger his actions put users in.

[sic] No I dont received cristcim about ransomware, maybe peoples dont seen much but only haters of others language questioned about power of tool.

In another reply, which we'll not share here, Leite seemed to be more interested in showcasing PHP's features when it comes to encryption and security-related tasks, when compared to other programming languages such as Python or Ruby.

Removing Heimdall from GitHub won't solve anything

Even if the project is removed, no doubt some bad actor already has a copy of it somewhere on his hard drive, and most likely the code is already being shared in the criminal underground.

The problem is not getting the ransomware taken down from GitHub, but convincing legitimate researchers and software developers not to release such projects publicly to begin with.

There is a need for researchers to study how ransomware works, but this can be done in private and controlled environments. Ransomware is not like a server flaw that needs to be weaponized and shared online, in order to allow researchers to test their systems.

Low chances of seeing Heimdall in the wild

Until now, server-targeting ransomware hasn't been very effective, mainly because server admins are in the habit of regularly backing up their websites on a daily, weekly, or monthly basis, and can easily deploy an older image of their server within minutes when infected.

On the other hand, backing up home or work computers isn't something that users regularly think of, and that's why desktop-targeting ransomware is so prevalent.

Leite is not the first Brazilian developer to have created a proof-of-concept ransomware. In November 2015, Rafael Salema Marques created a Mac ransomware called Mabouia.

Marques didn't open-source the code online and only shared it with Apple's Mac Threat Research Team, who reached out to get a copy and analyze it.

UPDATE [November 9, 13:05]: After we published our article, Leite informed Bleeping Computer that he removed the ransomware's code from GitHub. At the time of writing, the project is still on GitHub, but the ransomware's source code includes only a message that reads "this project is in analys, maybe we return or not. =)"
