Linux LotL Ransomware

Discover the current user's home directory. Generate a random password string. Use the built-in zip tool to recursively zip the discovered folder into a password-protected archive. Drop and open a ransom note.

TTP Tuesday: Ransomware (Release 1)

Linux Ransomware using Live off the Land (LotL) Tools

Theme Overview

Our current theme is ransomware, focusing on scenarios where adversaries use live-off-the-land (LotL) binaries and custom payloads to accomplish their objectives. The ransomware theme will contain the following kill chains:

1. Linux Ransomware using Live off the Land (LotL) Tools (Current Release)
2. Windows Ransomware using Live off the Land (LotL) Tools
3. Linux Ransomware using Custom Tools
4. Windows Ransomware using Custom Tools

Linux Ransomware using Live off the Land (LotL) Tools

This week's kill chain focuses on using native binaries available in Kali (Debian) Linux to perform a ransomware attack. We discover the current user's home directory and recursively compress it with the zip binary, protecting the archive with a randomly generated password.

Watch a demonstration: Linux LotL Ransomware



Chain steps:

1. Get user's home directory
2. Create a random password string
3. Encrypt directories with zip
4. Leave encrypted data recovery note
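As an added example from the detection side (not part of Prelude's chain or of Operator), the following Python flags the encryption step of this kill chain in process-execution telemetry: a zip(1) invocation that combines recursion (-r) with an inline password (-P or --password) and whose target resolves to a directory under /home. The event schema (ts, user, cwd, cmdline) and the sample records are constructed for this example; adapt the field mapping to whatever your EDR or auditd execve pipeline emits.

```python
"""Flag the zip-based encryption step of the LotL ransomware chain in
process-execution telemetry.

Added detection example; it is not Prelude chain code. The event
records below are constructed, and the (ts, user, cwd, cmdline) schema
is an assumed normalised form, not any specific product's format.
"""
import os
import shlex
from dataclasses import dataclass

# Info-ZIP zip(1) flags the chain relies on: -r/-R recurse into
# directories, -P/--password supplies the password on the command line.
RECURSE_LETTERS = {"r", "R"}
PASSWORD_FLAGS = {"-P", "--password"}


@dataclass
class ProcEvent:
    ts: str
    user: str
    cwd: str
    cmdline: str


def parse_zip_cmdline(cmdline):
    """Return (recursive, password_given, input_paths) for a zip command
    line, or None when the command is not zip at all."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "zip":
        return None
    recursive = False
    password = False
    positional = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in PASSWORD_FLAGS:
            password = True
            i += 2                      # skip the password value itself
            continue
        if arg.startswith("--password="):
            password = True
        elif arg == "--recurse-paths":
            recursive = True
        elif arg.startswith("--"):
            pass                        # other long option, irrelevant here
        elif arg.startswith("-") and len(arg) > 1:
            letters = set(arg[1:])      # combined short flags such as -rP
            if letters & RECURSE_LETTERS:
                recursive = True
            if "P" in letters:
                password = True
                i += 2                  # -P consumes the next argument
                continue
        else:
            positional.append(arg)
        i += 1
    # The first positional argument is the archive name; the rest are inputs.
    return recursive, password, positional[1:]


def is_home_dir_encryption(ev):
    """True when zip recursively archives /home or a directory directly
    under it (e.g. the user's own home) with an inline password."""
    parsed = parse_zip_cmdline(ev.cmdline)
    if parsed is None:
        return False
    recursive, password, inputs = parsed
    if not (recursive and password):
        return False
    for raw in inputs:
        # The shell has already expanded ~ and $HOME before exec, so the
        # telemetry carries concrete paths; resolve relative ones via cwd.
        path = os.path.normpath(os.path.join(ev.cwd, raw))
        parts = path.strip("/").split("/")
        if parts[0] == "home" and len(parts) in (1, 2):
            return True
    return False


def detect(events):
    """Return the events that match the chain's encryption step."""
    return [ev for ev in events if is_home_dir_encryption(ev)]


# Constructed sample telemetry: two benign zip uses and two matches.
SAMPLE_EVENTS = [
    ProcEvent("10:01:02", "alice", "/home/alice/src", "zip -r release.zip build/"),
    ProcEvent("10:02:15", "alice", "/home/alice", "zip -r -P 7Gq2xVbN9kLmP0sT locked.zip /home/alice"),
    ProcEvent("10:02:40", "bob", "/tmp", "zip -P hunter2 notes.zip todo.txt"),
    ProcEvent("10:03:05", "alice", "/home/alice", "zip -rP s3cr3tPass ../alice.zip ."),
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev.ts} user={ev.user} ALERT recursive password-protected zip of home: {ev.cmdline}")
```

Two caveats for anyone turning this into a production rule: zip's -e option prompts for the password interactively, so a rule keyed only on -P misses that variant and should treat -e the same way; and the inline password is itself visible in argv, which is why this telemetry also supports recovery if it is retained.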


Tags: ransomware, wizard spider