Ransomware for Haiku

Someone’s done it. Yay?

3 Likes

Yes, I did, but it seems like it’s too destructive and makes the system unusable. Normal ransomware shouldn’t do that, except for bootkit ransomware.

A reminder not to download/install anything “some guy” linked to on the interwebs…

Anyone want to check if ClamAV finds this thing? :slight_smile:

4 Likes
# fileTypes: extensions the detector treats as likely ransomware targets
fileTypes = ['.pyd', '.elf', '.ps1', '.bas', '.bat', '.chm', '.cmd', '.com', '.cpl', '.dll', '.exe', '.msc', '.ocx', '.pcd', '.pif', '.reg', '.scr', '.sct', '.url', '.vbe', '.wsc', '.wsf', '.wsh', '.ct', '.t', '.input', '.war', '.jspx', '.tmp', '.dump', '.pwd', '.w', '.cfg', '.psd1', '.psm1', '.ps1xml', '.clixml', '.psc1', '.pssc', '.www', '.rdp', '.msi', '.dat', '.contact', '.settings', '.odt', '.jpg', '.mka', '.shtml', '.mhtml', '.oqy', '.png', '.csv', '.py', '.sql', '.mdb', '.html', '.htm', '.xml', '.psd', '.pdf', '.xla', '.cub', '.dae', '.indd', '.cs', '.mp3', '.mp4', '.dwg', '.rar', '.mov', '.rtf', '.bmp', '.mkv', '.avi', '.apk', '.lnk', '.dib', '.dic', '.dif', '.divx', '.iso', '.7zip', '.ace', '.arj', '.bz2', '.cab', '.gzip', '.lzh', '.jpeg', '.xz', '.mpeg', '.torrent', '.mpg', '.core', '.pdb', '.ico', '.pas', '.db', '.wmv', '.swf', '.cer', '.bak', '.backup', '.accdb', '.bay', '.p7c', '.exif', '.vss', '.raw', '.m4a', '.wma', '.flv', '.sie', '.sum', '.ibank', '.wallet', '.css', '.js', '.rb', '.xlsm', '.xlsb', '.7z', '.cpp', '.java', '.jpe', '.ini', '.blob', '.wps', '.wav', '.3gp', '.webm', '.m4v', '.amv', '.m4p', '.svg', '.ods', '.bk', '.vdi', '.vmdk', '.accde', '.json', '.gif', '.gz', '.m1v', '.sln', '.pst', '.obj', '.xlam', '.djvu', '.inc', '.cvs', '.dbf', '.tbi', '.wpd', '.dot', '.dotx', '.xltx', '.pptm', '.potx', '.potm', '.xlw', '.xps', '.xsd', '.xsf', '.xsl', '.kmz', '.accdr', '.stm', '.accdt', '.ppam', '.pps', '.ppsm', '.1cd', '.3ds', '.3fr', '.3g2', '.accda', '.accdc', '.accdw', '.adp', '.ai', '.ai3', '.ai4', '.ai5', '.ai6', '.ai7', '.ai8', '.arw', '.ascx', '.asm', '.asmx', '.avs', '.bin', '.cfm', '.dbx', '.dcm', '.dcr', '.pict', '.rgbe', '.dwt', '.f4v', '.exr', '.kwm', '.max', '.mda', '.mde', '.mdf', '.mdw', '.mht', '.mpv', '.msg', '.myi', '.nef', '.odc', '.geo', '.swift', '.odm', '.odp', '.oft', '.orf', '.pfx', '.p12', '.pls', '.safe', '.tab', '.vbs', '.xlk', '.xlm', '.xlt', '.xltm', '.svgz', '.slk', '.dmg', '.ps', '.psb', '.tif', '.rss', '.key', 
'.vob', '.epsp', '.dc3', '.iff', '.onepkg', '.onetoc2', '.opt', '.p7b', '.pam', '.r3d', '.pkg', '.yml', '.old', '.thmx', '.keytab', '.h', '.php', '.c', '.zip', '.log', '.log1', '.log2', '.tm', '.blf', '.uic', '.widget-plugin', '.regtrans-ms', '.efi', '.rule', '.rules', '.yar', '.yara', '.yrc', '.inf', '.ini', '.ndb', '.cvd', '.cld', '.ign2', '.dmp', '.conf', '.config', '.pyc', '.386', '.3gp2', '.3gpp', '.3mf', '.a', '.a2s', '.aac', '.ac3', '.accessor', '.accountpicture-ms', '.adt', '.adts', '.aif', '.aifc', '.aiff', '.androidproj', '.ani', '.ans', '.appcontent-ms', '.application', '.appref-ms', '.aps', '.arc', '.ari', '.art', '.asa', '.asax', '.asc', '.asf', '.ashx', '.asp', '.aspx', '.asx', '.au', '.avci', '.avcs', '.avif', '.avifs', '.bcp', '.bkf', '.blg', '.bsc', '.camp', '.cap', '.cat', '.cc', '.cda', '.cdmp', '.cdx', '.cdxml', '.cgm', '.chk', '.cjs', '.cls', '.cod', '.coffee', '.compositefont', '.config', '.coverage', '.cppm', '.cr2', '.cr3', '.crl', '.crt', '.crw', '.csa', '.csh', '.cshader', '.cshtml', '.csproj', '.cts', '.cur', '.cxx', '.datasource', '.dbg', '.dbs', '.dcs', '.dct', '.dctx', '.dctxc', '.dds', '.def', '.der', '.desklink', '.deskthemepack', '.devicemanifest-ms', '.devicemetadata-ms', '.diagcab', '.diagcfg', '.diagpkg', '.diagsession', '.disco', '.diz', '.dl_', '.dng', '.doc', '.docx', '.dos', '.drf', '.drv', '.dsgl', '.dsh', '.dshader', '.dsn', '.dsp', '.dsw', '.dtcp-ip', '.dtd', '.dvr-ms', '.ec3', '.edmx', '.eip', '.emf', '.eml', '.eps', '.epub', '.erf', '.etl', '.etp', '.evt', '.evtx', '.exp', '.ext', '.ex_', '.eyb', '.faq', '.fff', '.fif', '.filters', '.fky', '.flac', '.fnd', '.fnt', '.fon', '.fx', '.generictest', '.ghi', '.gitattributes', '.gitignore', '.gitmodules', '.gmmp', '.group', '.grp', '.gsh', '.gshader', '.hdd', '.hdp', '.heic', '.heics', '.heif', '.heifs', '.hh', '.hhc', '.hif', '.hlp', '.hlsl', '.hlsli', '.hpp', '.hqx', '.hsh', '.hshader', '.hta', '.htc', '.htt', '.htw', '.htx', '.hxx', '.i', '.ibq', '.icc', '.icl', '.icm', 
'.ics', '.idb', '.idl', '.idq', '.igp', '.iiq', '.ilk', '.imc', '.imesx', '.img', '.inl', '.inv', '.inx', '.in_', '.ipp', '.itrace', '.ivf', '.ixx', '.jav', '.jbf', '.jfif', '.job', '.jod', '.jse', '.jsonld', '.jsproj', '.jsx', '.jxr', '.k25', '.kci', '.kdc', '.label', '.latex', '.less', '.lgn', '.lib', '.library-ms', '.lic', '.local', '.lpcm', '.lst', '.m14', '.m2t', '.m2ts', '.m2v', '.m3u', '.m4b', '.mak', '.man', '.manifest', '.map', '.mapimail', '.master', '.mef', '.mfcribbon-ms', '.mid', '.midi', '.mjs', '.mk', '.mk3d', '.mlc', '.mmf', '.mod', '.mos', '.movie', '.mp2', '.mp2v', '.mp4v', '.mpa', '.mpe', '.mpv2', '.mrw', '.ms-windows-store-license', '.msepub', '.msm', '.msp', '.msrcincident', '.msstyles', '.msu', '.mts', '.mtx', '.mv', '.mydocs', '.natvis', '.ncb', '.netperf', '.nettrace', '.nfo', '.nls', '.nrw', '.nvr', '.nvram', '.oc_', '.odh', '.odl', '.oga', '.ogg', '.ogm', '.ogv', '.ogx', '.opus', '.orderedtest', '.ori', '.osdx', '.otf', '.ova', '.ovf', '.p10', '.p7m', '.p7r', '.p7s', '.pal', '.partial', '.pbk', '.pch', '.pcp', '.pds', '.pef', '.perfmoncfg', '.pfm', '.php3', '.pic', '.pkgdef', '.pkgundef', '.pko', '.pl', '.plg', '.pma', '.pmc', '.pml', '.pmr', '.pnf', '.pot', '.ppkg', '.ppt', '.prc', '.prf', '.printerexport', '.props', '.psh', '.pshader', '.ptx', '.publishproj', '.pubxml', '.pxn', '.pyo', '.pyw', '.pyz', '.pyzw', '.qds', '.raf', '.rat', '.razor', '.rc', '.rc2', '.rct', '.res', '.resmoncfg', '.resw', '.resx', '.rgs', '.rle', '.rll', '.rmi', '.rpc', '.rsp', '.rul', '.ruleset', '.rw2', '.rwl', '.s', '.sbr', '.sc2', '.scc', '.scd', '.scf', '.sch', '.scp', '.scss', '.sdl', '.search-ms', '.searchconnector-ms', '.sed', '.settingcontent-ms', '.sfcache', '.sh', '.shproj', '.shtm', '.shtml', '.sit', '.sitemap', '.skin', '.slnf', '.snd', '.snippet', '.snk', '.sol', '.sor', '.spc', '.sr2', '.srf', '.srw', '.sr_', '.sst', '.stvproj', '.suo', '.svc', '.svclog', '.sym', '.symlink', '.sys', '.sy_', '.tar', '.targets', '.tdl', '.testrunconfig', 
'.testsettings', '.text', '.tgz', '.theme', '.themepack', '.tiff', '.tlb', '.tlh', '.tli', '.tod', '.tpsr', '.trg', '.trx', '.ts', '.tsp', '.tsv', '.tsx', '.tt', '.ttc', '.ttf', '.tts', '.tvc', '.tvlink', '.tvs', '.txt', '.udf', '.udl', '.udt', '.uitest', '.user', '.usr', '.uvu', '.vb', '.vbhtml', '.vbox', '.vbox-extpack', '.vbproj', '.vbx', '.vcf', '.vcproj', '.vcxitems', '.vcxproj', '.vhd', '.vhdpmem', '.vhdx', '.viw', '.vmac', '.vmba', '.vmpl', '.vmsd', '.vmsn', '.vmss', '.vmt', '.vmtm', '.vmx', '.vmxf', '.vsct', '.vsglog', '.vsh', '.vshader', '.vsix', '.vsixlangpack', '.vsixmanifest', '.vsmdi', '.vsp', '.vsprops', '.vsps', '.vspscc', '.vsscc', '.vssettings', '.vssscc', '.vstemplate', '.vsz', '.vxd', '.wab', '.wax', '.wbcat', '.wcx', '.wdp', '.weba', '.webp', '.webpnp', '.website', '.wll', '.wlt', '.wm', '.wmd', '.wmdb', '.wmf', '.wmp', '.wms', '.wmx', '.wmz', '.wpa', '.wpapk', '.wpl', '.wri', '.wsdl', '.wsz', '.wtv', '.wtx', '.wvx', '.x', '.x3f', '.xaml', '.xbap', '.xdr', '.xht', '.xhtml', '.xix', '.xlb', '.xlc', '.xls', '.xproj', '.xrm-ms', '.xsc', '.xslt', '.xss', '.z', '.z96', '.zfsendtotarget', '.zoo', '._bsln140', '._bsln150', '._sln', '._sln100', '._sln110', '._sln120', '._sln140', '._sln150', '._sln160', '._sln170', '._sln60', '._sln70', '._sln71', '._sln80', '._sln90', '._vbxsln100', '._vbxsln110', '._vbxsln80', '._vbxsln90', '._vcppxsln100', '._vcppxsln110', '._vcppxsln80', '._vcppxsln90', '._vcsxsln100', '._vcsxsln110', '._vcsxsln80', '._vcsxsln90', '._vjsxsln80', '._vw8xsln110', '._vwdxsln100', '._vwdxsln110', '._vwdxsln120', '._vwdxsln140', '._vwdxsln150', '._vwdxsln80', '._vwdxsln90', '._vwinxsln120', '._vwinxsln140', '._vwinxsln150', '._wdxsln110', '._wdxsln120', '._wdxsln140', '._wdxsln150', '.all', '.amr', '.appinstaller', '.appx', '.appxbundle', '.c5e2524a-ea46-4f67-841f-6a9465d9d515', '.conf', '.daq', '.dpl', '.fbx', '.fd', '.fh', '.fud', '.glb', '.gltf', '.ids', '.iss', '.list', '.m3u8', '.m4r', '.md', '.mdc', '.mpg4', 
'.ms-lockscreencomponent-primary', '.msix', '.msixbundle', '.nupkg', '.one', '.oxps', '.ply', '.reputation', '.rwz', '.sample', '.sig', '.solitairetheme8', '.stl', '.thumb', '.winget', '.winmd', '.wsb', '.xvid', '.yaml', '.zpl', '.boe', '.cwp', '.jar', '.jnlp', '.jxl', '.lfm', '.lpi', '.lpk', '.lpr', '.oetpl', '.ovpn', '.pp', '.soe', '.tbz2', '.txz', '.tzst', '.wdq', '.zst', '.cnf', '.d', '.data', '.f4a', '.fluid', '.hdmp', '.kdmp', '.lastbuildstate', '.loop', '.mdmp', '.mxf', '.ndmp', '.note', '.opdownload', '.pyx', '.qt', '.recipe', '.rm', '.rmv', '.rmvb', '.run', '.tlog', '.whiteboard', '.yuv' ]

I have a list of these things. I was going to create an anti-ransomware or too-many-file-accesses thing for Haiku to detect malware from scratch instead of porting YARA rules etc. That would be more interesting. Just add one line to ClamAV, then it can detect this malware. Currently ClamAV and other engines can’t detect it. I’m going to use fileTypes to detect ransomware. For now I’m not going to use a driver.

2 Likes
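As an added example (this is not HydraRansomCheck’s code, nor anything from the Haiku project), here is the kind of “too many file accesses” heuristic the post above describes: a per-process sliding window over file events that fires when a process writes or renames many files with extensions from the list, renames files to the `.utkudorukbayraktarheckledi` extension the quoted article reports, or drops a new text file in several directories it has just touched. The event source (`FileEvent` records with timestamp, pid, operation and path), the thresholds, the sample paths and both event traces are assumptions constructed for this example; the extension subset is taken from the posted `fileTypes` list.

```python
# Added example (not code from HydraRansomCheck or the Haiku project): a
# sliding-window heuristic over file events. Event source, thresholds, paths
# and the two sample traces are assumptions constructed for the example.
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Small subset of the fileTypes list posted in this thread.
TARGET_EXTS = frozenset({
    '.jpg', '.jpeg', '.png', '.pdf', '.txt', '.odt', '.docx', '.xls', '.mp3',
    '.mp4', '.py', '.c', '.h', '.zip', '.sql', '.json', '.key', '.pfx',
})
# Extension the quoted article says the sample appends to encrypted files.
RANSOM_EXT = '.utkudorukbayraktarheckledi'
# Tuning knobs (assumed values, not numbers from the thread).
WINDOW_SECONDS = 10.0        # sliding window per process
MASS_WRITE_THRESHOLD = 20    # writes to target files inside the window
MASS_RENAME_THRESHOLD = 5    # renames away from a target extension inside the window
NOTE_DIR_THRESHOLD = 3       # new .txt files dropped in distinct "hit" directories


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a hypothetical monitor would report it."""
    ts: float            # seconds
    pid: int
    op: str              # 'write', 'rename' or 'create'
    path: str
    new_path: str = ''   # only meaningful for 'rename'


def _ext(path):
    return os.path.splitext(path)[1].lower()


def _push(window, ts):
    """Append ts, drop entries older than WINDOW_SECONDS, return window size."""
    window.append(ts)
    while window and ts - window[0] > WINDOW_SECONDS:
        window.popleft()
    return len(window)


def detect(events):
    """Return [(pid, reason, ts), ...]; each (pid, reason) pair fires at most once."""
    writes, renames = defaultdict(deque), defaultdict(deque)
    hit_dirs = defaultdict(set)    # pid -> dirs where it renamed files to RANSOM_EXT
    note_dirs = defaultdict(set)   # pid -> hit dirs where it then created a .txt
    alerts, fired = [], set()

    def fire(pid, reason, ts):
        if (pid, reason) not in fired:
            fired.add((pid, reason))
            alerts.append((pid, reason, ts))

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == 'write' and _ext(ev.path) in TARGET_EXTS:
            if _push(writes[ev.pid], ev.ts) >= MASS_WRITE_THRESHOLD:
                fire(ev.pid, 'mass-write', ev.ts)
        elif ev.op == 'rename':
            if _ext(ev.new_path) == RANSOM_EXT:
                fire(ev.pid, 'known-ransom-extension', ev.ts)
                hit_dirs[ev.pid].add(os.path.dirname(ev.new_path))
            # A target file losing its extension is the generic encrypt-and-rename pattern.
            if _ext(ev.path) in TARGET_EXTS and _ext(ev.new_path) not in TARGET_EXTS:
                if _push(renames[ev.pid], ev.ts) >= MASS_RENAME_THRESHOLD:
                    fire(ev.pid, 'mass-rename', ev.ts)
        elif ev.op == 'create' and _ext(ev.path) == '.txt':
            # A "note in every encrypted folder" shows up as one new .txt per hit dir.
            d = os.path.dirname(ev.path)
            if d in hit_dirs[ev.pid]:
                note_dirs[ev.pid].add(d)
                if len(note_dirs[ev.pid]) >= NOTE_DIR_THRESHOLD:
                    fire(ev.pid, 'ransom-note-fanout', ev.ts)
    return alerts


def sample_malicious_events():
    """Constructed trace: one process encrypts 30 files in 3 dirs in ~3 s, then drops notes."""
    dirs = ['/boot/home/Desktop', '/boot/home/Documents', '/boot/home/Pictures']
    evs, pid = [], 1234
    for i in range(30):
        src = f'{dirs[i % 3]}/file{i}.jpg'
        evs.append(FileEvent(i * 0.1, pid, 'write', src))
        evs.append(FileEvent(i * 0.1 + 0.05, pid, 'rename', src, src + RANSOM_EXT))
    for d in dirs:
        evs.append(FileEvent(3.0, pid, 'create', f'{d}/note.txt'))
    return evs


def sample_benign_events():
    """Constructed trace: a backup job writing one .pdf every 2 s for a minute."""
    return [FileEvent(i * 2.0, 999, 'write', f'/boot/home/backup/doc{i}.pdf')
            for i in range(30)]


if __name__ == '__main__':
    for alert in detect(sample_malicious_events()):
        print('ALERT', alert)
    print('benign alerts:', detect(sample_benign_events()))
```

The benign trace touches just as many target files as the malicious one, but spread over a minute, so the window never fills; the rate, not the extension list alone, is what separates a backup job from an encryptor. The “one line to ClamAV” mentioned in the post is a hash signature: a `.hsb` entry has the form `sha256:filesize:MalwareName`, so the SHA-256 from the VirusTotal link further down this thread is what that line would carry.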

It looks like this same “ransomware” would run on Linux and encrypt your home directory there with only a few changes. So Haiku isn’t uniquely vulnerable here.

4 Likes

This is one of those occasions when multi-user is necessary: the normal user is root all the time, and it doesn’t help at all.

I also want to take this opportunity to suggest a containerized package system. Imagine something similar to Canonical’s Snap.

2 Likes

Good day,

I was just thinking about containerizing software, but was thinking about firejail. Though a snap, flatpak or appimage translation to Haiku would do. Whatever the tech, Haiku needs it. Also multiuser. Being root all the time is not that good.

Regards,
RR

3 Likes

What would be the point, so only user-accessible files get encrypted? People just shouldn’t run random files off the ’net; root access wouldn’t make a difference here. Also, this is my personal opinion, but Ubuntu’s implementation of snaps is the most annoying aspect of it.

2 Likes

authorization

12 Likes

https://www.desktoponfire.com/haikuos/667/haiku-os-reaches-new-milestone-first-ransomware-confirms-system-maturity/

:anguished:

3 Likes

The malware uses the advanced AES-256-GCM encryption algorithm to encrypt victim files, a choice that highlights the availability of robust cryptographic libraries in the system.

Cryptographic libraries are common across most OSes, even in niche OSes. This ransomware is possible from Windows to AROS and everything in between.

An interesting aspect of the ransomware is the use of the “.utkudorukbayraktarheckledi” file extension for encrypted files, a detail that demonstrates the flexibility of Haiku’s file system in handling unconventional file names.

Most file systems are more advanced than FAT16, even in hobbyist OSes; many just use ext2 or FAT32.

The functionality of placing a ransom note in each encrypted folder reveals the ease with which applications in Haiku can navigate and manipulate the directory structure. This aspect could be positively leveraged to develop powerful file management and backup tools.

This is just basic file management!

Developers can now analyze the techniques used and implement effective countermeasures, making the system even more robust.

It just encrypts the home folder. This type of ransomware can happen even on macOS.

Was this article written with an LLM? It’s a lot of words that don’t say anything.

4 Likes

I released v0.2 with some small and big updates. It seems like the UEFI/MBR payload didn’t get triggered, but the ransomware is working; after you restart you can see the encrypted files.

2 Likes

Haiku needs some sort of root access “sudo” command to restrict important/dangerous operations from such “apps” and other foolishness.

5 Likes

World’s First Haiku Ransomware Destruction - YouTube
Here is the destruction

Did you try having multiple processes running to prevent the user from killing it? It seems far too easy to just power + alt + del and kill the process.

1 Like

After it starts, it causes too many crashes and lags, so you can’t do anything if you aren’t quick.

If the user uses this, at most one file is going to be encrypted from the desktop, but you can’t see the .txt log file for some reason: HaikuRansomware/HydraRansomCheck/HydraRansomCheck at main · HydraDragonAntivirus/HaikuRansomware

HaikuOS Ransomware vs HydraRansomCheck - YouTube
VirusTotal - File - 0d47e5dc3362b5826dde8ee9f694c291149c0fd4db8152669bb9a4943a1d95f4

I am going to go against the grain here and just throw in that I don’t think that this changes anything.
Being a single-user all-privileged home user system is part of the core concept of Haiku and this shouldn’t be changed just because of a proof-of-concept piece of malware.

In the real world, ransomware and other cybercrime these days are hitting corporations and nations, because that is where the big insurance and corporate money is; institutions that wouldn’t and shouldn’t use Haiku anyway.
The average personal computer user who is the target audience for Haiku has nothing worth stealing or ransoming on the scale that cybercriminals want. Why risk cybercrime prison time for ransoming 200€ out of an arbitrarily chosen poor person so they can get their family pictures back, when you can risk the same prison time on potentially getting a 20.000.000€ ransom payout by a telecom service?

Cybercriminals do not target the average Haiku user, therefore malware will not be a real world problem outside of esoteric experimental projects like this.

It’s a really cool proof-of-concept, but I don’t think we should panic about this, let alone change Haiku’s core design for a faux sense of security. GNU, Linux, the BSDs, Windows - they all are used by governments and corporations who actually have to worry about cybercrime. Your average home PC user who uses Haiku does not. :slight_smile:

9 Likes

You’ll have to trust me on this statement, but every device has value. Of course not for extracting money from it with ransomware, since that only works if you:

A. Really spread it en masse
B. A big corporation fell for it and is desperate

Just because someone is poor doesn’t mean the data has no value. A single mother of three children also has money; it isn’t much and not worth it, but it is there for those desperate to cash out. It is stupid though.

Real value comes in the computer’s bandwidth and cores. Botnets aren’t cheap. Most botnets do focus on infecting larger Linux servers (especially Debian) since those have the most bandwidth, but consumer computers are also often the target, especially outdated Windows installs, but also modern Windows installs. Every core counts.

2 Likes