Wednesday, June 17, 2020

Whiff - A Simple, Innocuous Ransomware Example


As promised yesterday, today I wanted to share the first piece of innocuous ransomware example that I wrote last week.

Introducing Whiff

The first simple and innocuous illustrative ransomware I wrote is called "Whiff" and it can be downloaded from here.


It was written to be able to programmatically encrypt or decrypt one specific file, and it uses the same password to do so.

This is NOT real ransomware; it is merely a very small piece of software intended to demonstrate how an actual piece of ransomware with similar capabilities could effortlessly and instantly encrypt and decrypt files on organizational computers.


The sole purpose of this sample innocuous illustrative ransomware is to DEMONSTRATE just how quickly and effortlessly someone who could deploy similar ransomware using Active Directory (specifically via Group Policy) could cause files on thousands of machines in an organization to be instantly encrypted.

If you know how to deploy a logon script using Group Policy in Active Directory, then you should have no problem trying it out right away (; Script name: whiff.exe, Parameter: /E .) If you don't know how to deploy a logon script using Group Policy, you'll want to tune back next week, which is when I will provide step-by-step directions on how to do so.


Having been written to illustrate how someone could deploy ransomware using Active Directory, its sole capability is illustrative in nature, and it is specifically programmed to instantly ENCRYPT and DECRYPT a single specific file sample.txt in the location c:\temp.

For your convenience it can also automatically create (and delete) this sample file for you, via the /C (and /X) switch(es).

In case you're wondering why there isn't a "Ransom" payment notice displayed, its because there isn't any actual ransom involved. This is an illustrative piece of ransomware-like-software and you can easily decrypt the file using the /D flag.


whiff.exe provides four simple options -

  • /C   This option will automatically create a timestamped file c:\temp\sample.txt
  • /E   This option will automatically encrypt the c:\temp\sample.txt file
  • /D   This option will automatically decrypt the encrypted version of c:\temp\sample.txt
  • /X   This option will automatically delete the file c:\temp\sample.txt

How to Easily Deploy it Organization-wide using Active Directory

It takes less than one minute to deploy it organization-wide via Active Directory.

If you know how to deploy a logon script using Group Policy in Active Directory, you should have no problem trying it out right away. (Use script whiff.exe, paramter /E, and make sure that a c:\temp directory exists on domain-joined machines.)

If you don't know how to deploy a logon script using Group Policy, or are having difficulty figuring it out, simply check this blog next week as I will be sharing step-by-step instructions on how exactly to do so.

You Can Also Try It Right Away Without Active Directory

In addition to being able to deploy it via Active Directory, you can also instantly try it out on any Windows computer.

Here's how -
  1. Download whiff.exe from here onto any Windows computer.

  2. Create a folder named temp on C:\ on the same computer.
  3. Open a command-prompt, and navigate to the folder where you saved whiff.exe.
  4. Right-click on the whiff.exe file to check and verify its digital signature.
  5. Type whiff /C and click enter to have it automatically create sample.txt in the c:\temp folder.
  6. Navigate to the c:\temp folder, locate the sample.txt file, and open it to review its plaint-text, then close it.

  7. Next, type, whiff /E and click enter to have it instantly encrypt the file.
  8. Now, open c:\temp\sample.txt again ; it will be encrypted.
  9. To decrypt it, type whiff /D and click enter. Open the file to verify that it has been decrypted.
  10. Finally, should you wish to delete the sample.txt file, simply enter whiff /X.

You can also create your own sample.txt file. The /C option also adds a timestamp to the sample file it creates to help you verify that the program did in fact decrypt the same plain-text version that existed prior to your having encrypted the file.

An Innocuous Ransomware Sample

Ransomware poses a serious and real risk to organizations worldwide, and while organizations strive to employ various measures to protect themselves from being victimized, there are hardly any innocuous, trustworthy samples of illustrative ransomware-like-software available for organizations to try "what-if" scenarios and possibilities.

In that regard, whiff.exe is completely innocuous. It is purposefully intended to accomplish just one illustrative objective i.e. to encrypt and decrypt a single, specific trivial file, i.e. one named sample.txt that resides in the c:\temp folder.

It is also digitally signed to ensure its authenticity and integrity, and it thus provides a safe and trustworthy sample of an illustrative ransomware-like-software so organizations can easily and safely try out "what-if" scenarios and possibilities.

To reiterate, whiff.exe is specifically intended to help organizations see for themselves just how easily anyone who has sufficient access in Active Directory to be able to link a GPO to an(y) organizational unit (OU) or the domain root could potentially wreak havoc by using the power of Group Policy to very quickly deploy ransomware across thousands of machines in an organization.

Folder-wide Encryption

As I had indicated, I've written two such pieces of exemplary ransomware. Whiff is the first piece and by intention it can only encrypt (and decrypt) ONE file, which too is a specific temporary/trivial file.

That said, the second piece of exemplary ransomware that I wrote, and which I may share in days/weeks to come, can automatically encrypt thousands or even millions of files in any specifiable file-system folder.

In short, should it be required, we can also demonstrate (to any and every organization that wants to see so) just how easily actual similar ransomware could be deployed onto thousands of computers via Active Directory and result in the almost instantaneous encryption of entire hard-drives containing thousands of folders and millions of files.

For now though, Whiff should be enough to demonstrate this dire possibility, because to the wise, a "whiff" is enough.


PS: Hey Google, define Whiff  for the world.

No comments:

Post a Comment

Paramount Defenses Logo

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.

Your Privacy

We use cookies to give you the best online experience. Please let us know if you accept these cookies.