A comprehensive collection of ransomware source code and decryptor tools curated for Cyber Threat Intelligence (CTI), malware research, reverse engineering, and academic study.
This repository is intended strictly for educational, research, and defensive cybersecurity purposes. The materials contained herein are provided solely to support the security research community in understanding ransomware behavior, building detections, and developing countermeasures. Unauthorized use of any code in this repository to cause harm, extort, or disrupt systems is illegal and unethical. The repository maintainer assumes no liability for misuse of the content provided.
```text
malwareCTI/
├── Ransomware Source Code/        # 262 ransomware family source code samples
│   ├── 7ev3n/
│   ├── Akira/
│   ├── Babuk/
│   ├── Conti/
│   ├── LockBit/
│   ├── REvil (Sodinokibi)/
│   ├── WannaCry/
│   └── ... (262 families total)
│
└── Ransomware Decryptor Tools/    # 9 publicly available decryptors
    ├── Akira/
    ├── BDREvil/
    ├── Babuk/
    ├── CoinValt/
    ├── Rakhni/
    ├── Rannoh/
    ├── Rector/
    ├── Shade/
    └── Wildfire/
```
Contains source code, builders, and binaries for 262 ransomware families spanning over two decades of ransomware evolution — from early proof-of-concept lockers to modern RaaS (Ransomware-as-a-Service) operations.
| Family | Type | Notable For |
|---|---|---|
| WannaCry | Cryptoworm | Global 2017 outbreak, EternalBlue exploit |
| Conti | RaaS | Sophisticated double-extortion group |
| LockBit | RaaS | Most prolific ransomware group 2022–2024 |
| Babuk | RaaS | VMware ESXi & Linux targeting |
| REvil / Sodinokibi | RaaS | Kaseya & JBS supply chain attacks |
| Ryuk | Targeted | Hospital & enterprise targeting |
| Petya / NotPetya | Wiper/Ransomware | Destructive 2017 cyberattack |
| GandCrab | RaaS | Pioneer of modern RaaS model |
| Maze | RaaS | Introduced double extortion |
| BlackCat / ALPHV | RaaS | Rust-based cross-platform ransomware |
| Hive | RaaS | Healthcare sector targeting |
| BlackMatter | RaaS | DarkSide successor |
| Dharma | RaaS | Long-running crimeware family |
| Phobos | RaaS | Widely distributed via RDP |
| TeslaCrypt | Crypto | Gaming sector targeting |
| CryptoLocker | Crypto | Pioneered ransomware-as-a-service |
| Cerber | RaaS | Multi-language ransom notes |
| Locky | Spam-distributed | Massive email campaign distribution |
| Jigsaw | Locker | Deletes files over time |
| Rhysida | RaaS | 2023 healthcare-focused group |
The full list of all 262 families is available in the `Ransomware Source Code/` directory.
Contains 9 publicly released decryptors from law enforcement operations and security vendor partnerships. These tools can recover files encrypted by specific ransomware variants.
| Decryptor | Source / Notes |
|---|---|
| Akira | Released following infrastructure takedown |
| BDREvil | BlackMatter / DarkSide variant decryptor |
| Babuk | Leaked master keys enabled decryptor creation |
| CoinValt | Early-era ransomware decryptor |
| Rakhni | Kaspersky Lab release |
| Rannoh | Kaspersky Lab release |
| Rector | Kaspersky Lab release |
| Shade / Troldesh | Released by threat actors themselves (2020) |
| Wildfire | No More Ransom project |
- 🔬 Malware Research — Analyze encryption mechanisms, C2 communication patterns, and persistence techniques
- 🛡️ Detection Engineering — Build YARA rules, Sigma rules, and AV signatures
- 🎓 Academic Study — Ransomware evolution, behavioral analysis, taxonomy research
- 🕵️ Threat Intelligence — Understand TTPs mapped to MITRE ATT&CK framework
- 🔓 Incident Response — Reference decryptors for active ransomware incidents
- 🧪 CTF / Red Team Training — Safe educational environment for understanding attack vectors
This collection covers ransomware TTPs across multiple ATT&CK tactics:
| Tactic | Techniques Represented |
|---|---|
| Initial Access | T1566 (Phishing), T1190 (Exploit Public-Facing App) |
| Execution | T1059 (Command & Scripting), T1204 (User Execution) |
| Persistence | T1547 (Boot Autostart), T1053 (Scheduled Task) |
| Defense Evasion | T1562 (Impair Defenses), T1027 (Obfuscated Files) |
| Discovery | T1083 (File Discovery), T1082 (System Info Discovery) |
| Lateral Movement | T1021 (Remote Services), T1570 (Lateral Tool Transfer) |
| Impact | T1486 (Data Encrypted for Impact), T1490 (Inhibit Recovery) |
| Category | Count |
|---|---|
| Ransomware Source Code Families | 262 |
| Decryptor Tools | 9 |
| Time Span | ~2012 – 2024 |
| Ransomware Types | Crypto, Locker, Wiper, RaaS, Worm |
- No More Ransom Project — Free decryption tools
- ID Ransomware — Ransomware identification
- MITRE ATT&CK — Adversary TTP framework
- VirusTotal — Multi-engine malware scanning
- MalwareBazaar — Malware sample repository
- Ransomware.live — Live ransomware tracker
Contributions are welcome for research purposes. If you have:
- New ransomware samples or source code leaks
- Updated decryptors or decryption keys
- Better documentation or analysis for existing families
Please open a pull request or issue.
This repository is maintained for educational and research purposes only. All source code belongs to its respective (often malicious) authors. No license is granted for operational use.
⭐ Star this repo if it helps your research!
Maintained by nycthunter