Slashdot Mirror


New C# Ransomware Compiles Itself at Runtime (bleepingcomputer.com)

From a report: A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executable compiles an embedded encrypted C# program at runtime and launches it directly into memory.

2 of 122 comments

  1. Re:Cross-platform? by cstacy · Score: 4, Funny

    So does it work with Mono, too?

    Of course. Mono is a virus.

  2. Re:Cross-platform? by xxxJonBoyxxx · Score: 5, Interesting

    >> does it work with Mono

    OK, I'll bite. It might work. The implementation uses the "CSharpCodeProvider class" which is included in the handy-dandy ".NET Framework ICodeCompiler compiler execution interface" installed on most Windows boxes. However, Mono also implements ICodeCompiler (http://docs.go-mono.com/index.aspx?link=T%3ASystem.CodeDom.Compiler.ICodeCompiler). The question would be, "why bother" since you'd have to write multi-OS ransomware (covering Mac/Windows/some Linux OS's) anyway to take full advantage of Mono.

    I ran into this "anyone can compile C# programs" ability myself a while back when one of my new dev VDIs was locked down to the point that no one could install Visual Studio. So...I just pulled down a portable text editor and then compiled the C# code I wanted through the local .NET Framework tools: the result was instant custom C# programs without having anything more than normal end user "no install" permissions. (You could easily do something similar with gcc or whatnot on Linux too; if the goal is to lock up the current user's files, then anything running as yourself ought to do it.)

    Regards,
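
A defender's view of the mechanism discussed in this thread, as an added example that is not part of the original comments or the report: on the .NET Framework, CSharpCodeProvider compiles by launching csc.exe with a generated response file in the user's temp directory, so the compile shows up in process-creation logs. The event field names, the parent allowlist and the sample events below are constructed assumptions.

```python
import ntpath
import re

# Assumed allowlist of build tools that normally launch csc.exe; tune per environment.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}
# CodeDOM passes its options to csc.exe in a generated @<temp>\<random>.cmdline file.
RESPONSE_FILE = re.compile(r'@"?[^"]*\\temp\\[^"\\]+\.cmdline', re.IGNORECASE)

def classify(event):
    """Label one process-creation event (field names are assumptions)."""
    if ntpath.basename(event["image"]).lower() != "csc.exe":
        return "ignore"
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in EXPECTED_PARENTS:
        return "expected-build"
    if RESPONSE_FILE.search(event["command_line"]):
        return "runtime-compile"   # a program compiled code for itself
    if parent in INTERACTIVE_SHELLS:
        return "manual-compile"    # someone typed csc.exe at a prompt
    return "review"

def triage(events):
    """Return (parent_image, label) for every csc.exe launch worth a look."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label in ("runtime-compile", "manual-compile", "review"):
            hits.append((ev["parent_image"], label))
    return hits

CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"image": CSC, "parent_image": r"C:\BuildTools\MSBuild.exe",
     "command_line": r"csc.exe /noconfig /out:app.dll Program.cs"},
    {"image": CSC, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"csc.exe /out:tool.exe tool.cs"},
    {"image": CSC, "parent_image": r"C:\Users\alice\Downloads\sample.exe",
     "command_line": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\k3x1zq0v.cmdline"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for parent, label in triage(SAMPLE_EVENTS):
        print(f"{label:16} parent={parent}")
```

Legitimate software that compiles at runtime through the same path gets the same label, so baseline it before alerting. In-process compilers such as Roslyn do not spawn csc.exe and are outside what this check sees.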