Created
September 1, 2016 17:12
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Created by ART, Fortinet Inc.
Sample MD5: d8a84048067f2b73fc8bb994bc0abe71
"""
import os | |
import sys | |
import hashlib | |
import cStringIO | |
from Crypto import Random | |
from Crypto.Cipher import AES | |
# Marker compared against the first bytes of a file to recognise one this
# tool should decrypt (see isEncryptedFile).
SIGNATURE = "Dt0x__"
# Fixed passphrase fed to the key derivation for every file; presumably the
# value recovered from the sample named in the module docstring -- confirm.
PASSWORD = "123456789123456"
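def derive_key_and_iv(password, salt, key_length, iv_length):
    """Derive an AES key and IV from a passphrase and salt with chained MD5.

    Each round hashes ``previous_digest + password + salt`` with MD5 and
    appends the digest to the output until ``key_length + iv_length`` bytes
    are available. This is the construction used by OpenSSL's legacy
    ``EVP_BytesToKey`` with MD5 and a single iteration. It is here only to
    reproduce the key schedule of files that were already encrypted this
    way: one MD5 pass offers no resistance to passphrase guessing, so it is
    not suitable for protecting new data.

    Args:
        password: Passphrase as a byte string.
        salt: Salt as a byte string.
        key_length: Number of key bytes to return.
        iv_length: Number of IV bytes to return.

    Returns:
        A ``(key, iv)`` tuple of byte strings with the requested lengths.
    """
    needed = key_length + iv_length
    # Byte-string literals: identical to '' on Python 2, and they let the
    # function accept bytes arguments on Python 3 as well.
    material = block = b''
    while len(material) < needed:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_length], material[key_length:needed]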
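def isEncryptedFile(filename):
    """Return True when *filename* begins with the SIGNATURE marker.

    Only the first ``len(SIGNATURE)`` bytes are read, so a file shorter than
    the marker is reported as not encrypted. Errors raised while opening or
    reading the file are not caught here and propagate to the caller.
    """
    # Close the handle right away: decryptFiles() reaches this function once
    # per file when it walks a directory tree.
    with open(filename, "rb") as handle:
        header = handle.read(len(SIGNATURE))
    return header == SIGNATURE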
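def decrypt(in_file, out_file, password, key_length=32):
    """Decrypt the AES-CBC stream in *in_file* and write it to *out_file*.

    The first AES block of the input is treated as a header: the SIGNATURE
    marker followed by the salt. Key and IV are produced by
    derive_key_and_iv() from *password* and that salt.

    Args:
        in_file: Readable binary file object positioned at the start.
        out_file: Writable binary file object that receives the output.
        password: Passphrase handed to derive_key_and_iv().
        key_length: AES key size in bytes (default 32).

    Returns:
        True if the whole stream was processed, False if an exception was
        raised on the way. Bytes already written to *out_file* stay there
        on failure, and neither file object is closed here.
    """
    try:
        bs = AES.block_size
        # Whatever follows the signature inside the first block is the salt.
        salt = in_file.read(bs)[len(SIGNATURE):]
        key, iv = derive_key_and_iv(password, salt, key_length, bs)
        cipher = AES.new(key, AES.MODE_CBC, iv)
        while True:
            chunk = in_file.read(1024 * bs)
            remainder = len(chunk) % bs
            last = len(chunk) == 0 or remainder != 0
            if last:
                # NOTE(review): the final (short or empty) read is extended
                # with filler bytes *before* decryption, so the output ends
                # with bytes decrypted from filler (a whole extra block when
                # the ciphertext length is a multiple of the block size) and
                # any padding inside the plaintext is not stripped. Kept
                # as-is because the encrypted file layout is not visible
                # here -- confirm against the sample before trimming.
                fill = bs - remainder
                chunk += fill * chr(fill)
            out_file.write(cipher.decrypt(chunk))
            if last:
                break
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit
        # still stop the run instead of being reported as a failed file.
        return False
    return True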
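def decryptFile(infile):
    """Decrypt *infile* to ``infile + ".decrypted"`` if it carries the marker.

    Files for which isEncryptedFile() returns False are skipped silently.
    The encrypted input is opened read-only and is never modified or
    removed; an existing ``.decrypted`` file with the same name is
    overwritten. When decrypt() reports failure, the partially written
    output file is left on disk.
    """
    if not isEncryptedFile(infile):
        return
    # Single-argument print(...) produces the same text under the Python 2
    # print statement and the Python 3 function. The path is now formatted
    # into the message instead of printing a literal "%s" before it.
    print("[*] Found encrypted file: %s" % infile)
    outfile = infile + ".decrypted"
    # Close both handles deterministically so the output is flushed to disk
    # before success is reported.
    with open(infile, "rb") as src:
        with open(outfile, "wb") as dst:
            ok = decrypt(src, dst, PASSWORD)
    if ok:
        print("[+] Decrypt successfully! Store to: %s" % outfile)
    else:
        print("[-] Decrypt failed!")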
def decryptFiles(target):
    """Run decryptFile() on *target*, or on every file beneath it.

    A path that does not exist is ignored. A directory is walked recursively
    with os.walk(); any other existing path is handed to decryptFile()
    directly.
    """
    if not os.path.exists(target):
        return
    if not os.path.isdir(target):
        decryptFile(target)
        return
    for folder, _subdirs, entries in os.walk(target):
        for entry in entries:
            decryptFile(os.path.join(folder, entry))
def bar():
    """Print the tool's two-line banner."""
    banner = """Fs0ciety Ransomware Decryption Tool.
Written by ART, Fortinet Inc.
"""
    print(banner)
def main():
    """Show the banner, then process each command-line path in order."""
    bar()
    targets = sys.argv[1:]
    for path in targets:
        decryptFiles(path)


if __name__ == "__main__":
    main()