The road to Hell is paved with good intentions when security researchers release "educational" ransomware. We saw this when Utku Sen released the hidden-tear and EDA2 ransomware source code on GitHub, which led to a sudden onslaught of script kiddies using it to make ransomware. Now we may possibly see it again with a new educational ransomware called ShinoLocker, developed by security researcher Shota Shinogi as a means for people to test their security performance and utilities.

ShinoLocker Site

According to Shinogi, he created this ransomware so that other researchers can "understand how the popular ransomwares work from this experience. You can also test your forensics skill on retrieving the decryption key from the memory." Presented as part of a presentation at Black Hat 2016, ShinoLocker allows anyone to create their own ransomware executable by entering some basic configuration options into a web site.

Ransomware Executable Builder

Using the above builder, anyone can create their own ransomware executable that encrypts designated file types and then, when executed, runs a command such as vssadmin to delete Shadow Volume Copies.
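Because shadow-copy deletion via vssadmin is the one concrete post-encryption behavior the builder exposes, it is also the most reliable thing for defenders to alert on. The following is an added example (not code from the article or from ShinoLocker) that flags `vssadmin ... delete shadows` in process-creation command lines; the sample events are constructed and the "image | command line" layout is an assumption about how the telemetry was exported.

```python
import re

# Constructed sample process-creation events (the shape a Sysmon Event ID 1 or
# Security 4688 export might have once reduced to "image | command line").
# These are not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe list shadows",
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    r'C:\Windows\System32\cmd.exe | cmd.exe /c "vssadmin delete shadows /for=C: /quiet"',
    r"C:\Program Files\Backup\backup.exe | backup.exe --rotate",
]

# Match vssadmin (with or without .exe) followed somewhere later by the
# "delete shadows" verb. Case-insensitive because the tool accepts any casing,
# and "list shadows" must not trigger.
DELETE_SHADOWS = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE
)


def is_shadow_copy_deletion(command_line: str) -> bool:
    """Return True when the command line deletes Volume Shadow Copies."""
    return bool(DELETE_SHADOWS.search(command_line))


def scan_events(events):
    """Return the subset of events that delete shadow copies, as dicts.

    The image path is kept so an analyst can see whether vssadmin was launched
    directly or wrapped in a cmd.exe /c shell, as a ransomware builder's
    "command and parameter" option would do.
    """
    hits = []
    for event in events:
        image, _, command_line = event.partition(" | ")
        if is_shadow_copy_deletion(command_line):
            hits.append({"image": image.strip(), "command_line": command_line.strip()})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT shadow-copy deletion: {hit['image']} -> {hit['command_line']}")
```

A legitimate backup product can also call vssadmin, so in production the parent image and the launching user are what separate maintenance from ransomware.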

For those who use the default entries, there is not much risk to anyone's files, as the ransomware does not ask for a ransom and provides an easy method to get your decryption key. This all changes, though, when a would-be criminal decides to change the default parameters. Without going into too much detail, it would be trivial to modify the ransomware so that it does not display the ShinoLocker string, making it harder to identify, and to use the Command & Parameter field to download a real ransom note that does ask for a ransom in bitcoins.

While I feel that Shota Shinogi ultimately had good intentions with this ransomware builder, I also think that it could easily be abused by those who want to harm people. Hopefully I will be proven wrong.
