DiskAnalyzer - Ransomware Research POC

I recently conducted a research project on designing a discreet ransomware capable of generating fewer or different filesystem events to bypass certain detections.

My research focused on bypassing the following events:

• Mass renaming with specific extensions
• Opening files followed by writing with high entropy
• Opening files followed by writing with slight size increase (padding for block encryption, adding IV, or encoding to reduce entropy)
• Opening "canary" files followed by writing (accessing these files triggers detection and blocking)
• Writing ransom files or deleting shadow copies

The idea: act directly on the NTFS partition to avoid most detected behaviors. The process:

• Parse the MBR/GPT to identify the partition
• Parse the VBR and then the MFT
• Identify files to encrypt and apply encryption directly on the offsets extracted from the MFT

With this method, I only open \\.\PhysicalDrive0 and add \\.\C if I want to bypass possible BitLocker encryption.

This technique allows me to read files protected by the Windows system or monitored by endpoint protections without triggering alerts or blocking (for example, SAM and SYSTEM to decrypt local user NT hashes with Mimikatz).

Limitations: to write to the system partition, Windows requires obtaining a FSCTL_LOCK_VOLUME. On the main system partition, this lock is not granted, protecting the system from direct writes.

The project extracts and parses the MFT. It could also be used in forensics for "hot" acquisition quickly, without any prerequisites other than Python and the standard library.

You can find the POC code I developed here: https://github.com/mauricelambert/DiskAnalyzer/