Get AI summaries of any video or article — Sign up free
i created malware with Python (it's SCARY easy!!) thumbnail

i created malware with Python (it's SCARY easy!!)

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

The ransomware workflow is built from four steps: enumerate targets, encrypt file contents, write ciphertext back, and manage a persistent key for recovery.

Briefing

A hands-on Python walkthrough demonstrates that basic ransomware can be built with surprisingly little code: it encrypts files in a working directory, demands a “key” (framed as payment), and then uses a separate decryption script to restore data. The core takeaway is mechanical rather than theoretical—once a program can enumerate files, encrypt their contents, and write the ciphertext back, the rest is mostly bookkeeping (key generation, key storage, and excluding certain files so the process doesn’t destroy its own recovery path).

The build starts by setting up a safe, disposable Linux environment—explicitly recommending a cloud Linux instance that can be destroyed afterward. After creating a “ransomware” folder and generating a few sample text files, the walkthrough moves into a Python script (“Voldemort.py”). The script uses the OS library to list items in the current directory, filters out itself so it won’t encrypt the running program, and later adds a second filter to avoid encrypting directories (using os.path.is_file). Once the target list is correct, the encryption step relies on the cryptography library’s Fernet symmetric encryption. A fresh encryption key is generated with Fernet.generate_key(), saved to a local file (“key.key”) in binary form, and then used to encrypt each file’s contents.

To prevent the key file from being encrypted on subsequent runs, the script adds another exclusion rule for “key.key.” After encryption, the plaintext files become unreadable “gobbly cook” ciphertext, illustrating the practical impact of file encryption. A companion script (“decrypt.py”) reverses the process: it loads the saved key from key.key, decrypts each encrypted file back into plaintext, and also excludes decrypt.py itself so it doesn’t get overwritten during restoration. The walkthrough then adds “ransomware-like” theatrics—printing a demand message and requiring a user-entered secret phrase (hardcoded as “coffee”) before decryption proceeds.

The second half shifts from custom ransomware to learning from existing code. It clones a GitHub repository called malware showcase by Patrick (spelled as Patrick in the transcript), which contains Python-based examples of multiple malware categories—worms, Trojans, spyware, adware, ransomware, and file infection patterns. The setup instructions focus on installing Python dependencies via pip3 and a requirements.txt file, then navigating into individual example folders (such as file infection) to inspect and run scripts. The emphasis stays on educational use, with repeated warnings to use throwaway systems and ensure backups.

Overall, the transcript’s central message is that ransomware’s essential workflow—file discovery, encryption, key handling, and recovery gating—can be implemented in a straightforward way in Python, which is precisely why it’s framed as both “scary” and instructive.

Cornell Notes

The walkthrough builds a working ransomware/decryption pair in Python by combining file enumeration, Fernet symmetric encryption, and careful exclusions. It first creates a list of files in a directory, skips the ransomware script itself, and later skips directories and the saved key file (key.key) so recovery remains possible. Encryption writes ciphertext back into the same files, making them unreadable until the key is used. A separate decrypt.py script loads key.key, decrypts each file, and adds a secret-phrase gate (“coffee”) before restoring data. A second section then introduces malware showcase, a GitHub repository of Python examples for studying different malware behaviors.

How does the ransomware script decide which files to encrypt?

It uses os.listdir() to gather directory entries, then filters them. First, it excludes the running script by checking the filename equals Voldemort.py and using continue. Next, it adds a guard using os.path.is_file(file) so only regular files get appended to the targets list—directories like test are excluded. It also excludes key.key so the encryption process doesn’t destroy the recovery key.

What encryption mechanism is used, and how is the key handled?

Encryption uses cryptography’s Fernet. The script generates a key with Fernet.generate_key(), then saves it to a binary file named key.key. During encryption, it creates a Fernet instance with the in-memory key variable and calls encrypt() on each file’s bytes. The key is not printed to the screen; it’s persisted so decrypt.py can load it later.

Why does the script need to exclude key.key from encryption?

If key.key were encrypted along with the other files, decrypt.py would no longer have the correct key material to decrypt the ciphertext. The walkthrough prevents this by adding another conditional exclusion: if file equals key.key, it continues without encrypting that file.

How does decrypt.py restore files, and what prevents it from breaking itself?

decrypt.py reads key.key in binary mode, stores it as secret_key, then iterates through the same directory. For each file, it reads bytes, runs Fernet(secret_key).decrypt() to produce plaintext, and writes the plaintext back to the original file. It also excludes decrypt.py itself (and later adds an exclusion for decrypt.py) so the decryption script isn’t overwritten while it runs.

What extra “ransomware-like” behavior is added beyond encryption/decryption?

The script prints a demand message after encrypting: “Send me 100 Bitcoin or I'll delete them in 24 hours.” The decrypt script adds a user interaction gate: it prompts for a secret phrase and only decrypts if the input matches the hardcoded secret phrase (coffee). Otherwise it prints an error message and leaves files encrypted.

What is malware showcase, and how is it set up for study?

malware showcase is a GitHub repository containing Python-based example malware categories, including adware, droppers, file infections, ransomware, spyware, Trojans, and worms. The walkthrough clones the repo, installs dependencies using pip3 install -r requirements.txt, then navigates into example folders (like file infection) to inspect scripts and run them. It also mentions using a virtual environment (venv) for safer isolation.

Review Questions

  1. What specific checks does the ransomware script perform to avoid encrypting its own code, directories, and the key file?
  2. Describe the end-to-end flow from key generation to file encryption to key-based decryption in the two-script setup.
  3. How does the secret-phrase requirement change the behavior of decrypt.py compared with a plain “decrypt everything” utility?

Key Points

  1. 1

    The ransomware workflow is built from four steps: enumerate targets, encrypt file contents, write ciphertext back, and manage a persistent key for recovery.

  2. 2

    Correct target selection matters: excluding the ransomware script (Voldemort.py), skipping directories via os.path.is_file(), and excluding key.key prevents self-destruction and preserves decryptability.

  3. 3

    Fernet symmetric encryption from the cryptography library is used to transform file bytes into ciphertext that cannot be read without the key.

  4. 4

    The decryption script mirrors the encryption logic: it loads key.key, decrypts each encrypted file, and writes plaintext back to the same filenames.

  5. 5

    A simple user gate (secret phrase “coffee”) is added to decrypt.py to mimic the coercive control seen in real ransomware.

  6. 6

    A separate learning path uses the GitHub repository malware showcase to study Python implementations of multiple malware categories via cloned code and pip-installed dependencies.

Highlights

The encryption step relies on cryptography’s Fernet: generate a key, encrypt file bytes, and overwrite the original files with ciphertext.
The walkthrough repeatedly emphasizes exclusions—Voldemort.py, directories, and key.key—because encrypting the wrong targets breaks recovery.
decrypt.py loads key.key in binary mode and uses Fernet(secret_key).decrypt() to restore plaintext, then writes it back to the same files.
The “ransomware” feel is amplified with a demand message and a hardcoded secret phrase check before decryption runs.
The malware showcase repository is positioned as a catalog of Python examples (worms, Trojans, spyware, adware, ransomware) meant for code study on disposable systems.

Topics

  • Python Ransomware
  • Fernet Encryption
  • Key Management
  • Malware Showcase
  • File Enumeration

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library