From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder

The barrier to entry for enterprising cybercriminals has been dropping considerably over recent years, in part due to the availability of RaaS (Ransomware as a Service) offerings on the darknet but also due to publicly-accessible code being shared for free. One such offering is the Slam Ransomware Builder, which had been hosted until recently on Github. In this post, we highlight how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible threat to organizations and enterprises. We provide a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.

Ransomware For “Educational Purposes Only”?

The Slam Ransomware Builder first appeared in late 2021, with Slam ransomware payloads appearing in the wild shortly after (e.g., ConsoleApp2.exe). During mid-2022, downloadable and executable versions of the Slam Ransomware Builder appeared on a publicly-visible repository on Github and were available for several months until Github admins removed the repository on September 1st, 2022.

The owner of the now-removed repository dubbed it “The Most Advanced Free Ransomware Builder” and has a history of providing “educational” videos on Vimeo, Youtube and KZHome, instructing viewers how to build ransomware and “virus payloads”.

Source: Slam ransomware builder video hosted on Vimeo

While the author’s public postings contain the usual “for educational purposes only” and “don’t try this” disclaimers to avoid responsibility, they also contain language such as “most advanced ransomware” and “damage rate: destructive”.

Source: Slam ransomware builder video hosted on Youtube

The author had described the ransomware’s behavior in detail in earlier publicly-posted videos, describing how victim data could be exfiltrated to an attacker-controlled site.

The author’s reasons for distributing free ransomware builders can only be guessed at, but despite being free, the builder and payloads are genuine threats that can cause real damage. As our analysis below shows, Slam is a full-featured ransomware with AES256 encryption, UAC bypass, shadow backup copy deletion and data exfiltration capabilities. In other words, everything needed to lock and steal enterprise data.

Slam Ransomware Builder Features

The most recent release of the Slam ransomware builder prior to being removed from Github was version 1.7. Earlier versions of the tool supported either English or Spanish locales, while later versions including 1.7 allow toggling between the two.

The existing feature set includes the following:

  • Fully customizable ransom notes
  • Custom encryption passphrases
  • Allow the ransomware to lie dormant until a network is available
  • UAC Bypass (1)
  • Run external commands with the ransomware launch
  • VSS / backup deletion
  • Basic file transfers (HTTP) for exfiltration

Despite the code being removed from Github, it is possible the author intends to find, or already has, other distribution outlets. The list of features promised for the future includes screen locking, MBR overwrites, and “LogonUI overwriting”.

Upon running the code provided on Github, users of the builder are presented with a menu leading to different builder components or indications of their upcoming release.

Version 1.6 of the Slam Ransomware Builder

When choosing the “slam ransomware builder” option, users must first “Install”, then “Start” to launch the builder interface. This installation essentially consists of writing the builder EXE to c:\slam_ransomware_builder\. Any other component requiring an “Install” step is also written to the root of the C drive (e.g., c:\slam_mbr_builder).

Once the main interface is launched, the user is presented with a standard set of options for building their ransomware payloads.

Options including the following are present in this interface:

  • Ransom note name and text
  • Wallpaper modification options and images
  • Affected file extensions
  • File encryption (types / extensions to encrypt)
  • Remote folder options (OneDrive)

The tool provides more ‘Advanced’ configuration options as well. These options are accessible via the “advanced” button.

Options in this section include:

  • Network awareness (remain idle until Wi-Fi is available)
  • Verbose output options (decrypter)
  • Persistence (add to startup)
  • Inhibit recovery (website blocking, self-destruction, backup destruction)

The “block antivirus websites” option is meant to prevent victims from downloading security software or checking suspicious files on public malware repository sites such as VirusTotal.

The ransomware achieves this by modifying the device’s Hosts file, adding a long list of sites belonging to the likes of Avast, Avira, Bitdefender, CCleaner, Google, Kaspersky, McAfee, Microsoft, Panda Security, Trend Micro, VirusTotal, YouTube, and others. Each site is simply bound to the machine’s loopback address (typically 127.0.0.1), preventing the domain name from being resolved to an external IP address.
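Because the Hosts file tampering leaves a plain-text artifact on disk, it is one of the easier Slam behaviours for a defender to check for. The script below is an added example written for this post, not code from the Slam builder or from SentinelOne; it parses a Hosts file and reports any entry that pins a security-vendor or malware-repository domain to a loopback or unspecified address. The sample Hosts content and the watched-domain list are constructed for illustration and cover only vendors named in the text.

```python
import ipaddress
import sys

# Constructed sample of a tampered Hosts file (illustrative, not copied from a real payload).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.virustotal.com
127.0.0.1  virustotal.com
0.0.0.0    www.avast.com        # some families use 0.0.0.0 instead of loopback
127.0.0.1  download.bitdefender.com
192.168.1.10  intranet.corp.local
"""

# Second-level domains (and any subdomain of them) that should never be pinned in Hosts
# on a managed endpoint. Assumption: derived from the vendors the post lists; extend as needed.
WATCHED_DOMAINS = (
    "virustotal.com", "avast.com", "avira.com", "bitdefender.com", "ccleaner.com",
    "google.com", "kaspersky.com", "mcafee.com", "microsoft.com", "pandasecurity.com",
    "trendmicro.com", "youtube.com",
)

# Default location of the Hosts file on Windows (standard path, not Slam-specific).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def is_sinkhole(ip_text):
    """True if the address makes the name unreachable (loopback or 0.0.0.0 / ::)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def matches_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_blocked_security_sites(text):
    """Return sorted (ip, hostname) pairs that sinkhole a watched domain."""
    return sorted({(ip, name) for ip, name in parse_hosts(text)
                   if is_sinkhole(ip) and matches_watched(name)})


if __name__ == "__main__":
    # Read the real Hosts file if a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for ip, name in find_blocked_security_sites(content):
        print(f"suspicious hosts entry: {ip} -> {name}")
```

Run it with no arguments to see the sample hits, or pass the path to a Hosts file (on Windows, WINDOWS_HOSTS_PATH) to check a live system. Treating 0.0.0.0 and ::1 the same as 127.0.0.1 matters because the same blocking effect can be achieved with any of them.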

Some of the almost 100 domain names added to the Hosts file

With regard to bypasses, the version of Slam we analyzed includes a single UAC bypass, based on UACMe, which attempts to defeat Windows User Account Control by abusing the built-in Windows AutoElevate backdoor. UACMe is a bypass technique that has been known for some years and widely abused by a number of other malware families including Multiplug adware, Dyre, Empercrypt and IcedID.

To exfiltrate victim data, the user can specify an HTTP server in the configuration interface, where a connection test can also be performed. If the connection test fails, an error is displayed. Other options available to the user include USB infection and execution of custom commands when the payload is detonated on the victim machine.

Slam Ransomware Payloads

With all options configured, the executable payloads generated are standard EXE files. The builder outputs both the encryptor and decryptor tools.

When executed with non-Administrator privileges, the UAC prompts and/or configured bypasses will come into play.

Slam payload UAC prompt

Post-execution, the victim device is encrypted according to the options configured in the builder.

The payload is written to %AppData%\Local\discord.exe, which is referenced from a registry Run key, ensuring the ransomware payload is persistent.

As advertised, the Slam payload successfully inhibits recovery by removing VSS backups on an unprotected machine. Both the wmic and vssadmin methods are used for VSS deletion.

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

wmic shadowcopy delete

The ransomware also deletes various logs, Windows installation and recovery-related files via cleanmgr.exe. In the payload we analyzed, for example, a process named wgMHhFHnkiczPUNfqaA8Cx4kqwVcRG.exe issues the cleanmgr.exe command with the /AUTOCLEAN parameter, which executes Windows disk cleanup and removes Windows installation files on unprotected devices.

\system32\cleanmgr.exe /autoclean /d C:
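The persistence and recovery-inhibition behaviours described above (the Run key pointing into the user's AppData folder, the vssadmin / wmic / bcdedit / wbadmin chain, and the cleanmgr /autoclean call) all surface in ordinary endpoint telemetry. The following detection logic is an added example for this post, not SentinelOne detection content or Slam code; it scores constructed process-creation and registry events against those behaviours. The event format and the sample events are assumptions made for illustration; the command lines in the samples mirror the ones quoted in the text.

```python
import re

# One regex per recovery-inhibition technique quoted in the post. Matching is done per
# command line, so a single "cmd /c a & b & c" chain can trigger several techniques.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy_delete": r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "bcdedit_ignore_failures": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "bcdedit_recovery_disabled": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "wbadmin_delete_catalog": r"wbadmin(\.exe)?\s+delete\s+catalog",
    "cleanmgr_autoclean": r"cleanmgr(\.exe)?\s+/autoclean",
}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)

# Constructed telemetry (assumed schema: 'process' events carry a command line,
# 'registry' events carry key / value name / value data). Not real captured logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "image": r"C:\Windows\System32\cleanmgr.exe", "cmdline": r"\system32\cleanmgr.exe /autoclean /d C:"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign admin use
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "discord", "data": r"C:\Users\victim\AppData\Local\discord.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign
]


def recovery_inhibit_techniques(cmdline):
    """Names of the recovery-inhibition techniques present in one command line."""
    return [name for name, pat in RECOVERY_INHIBIT_PATTERNS.items()
            if re.search(pat, cmdline, re.IGNORECASE)]


def is_appdata_run_persistence(event):
    """Run-key value whose target lives under the user's AppData tree."""
    return bool(RUN_KEY_RE.search(event["key"])) and bool(APPDATA_RE.search(event["data"]))


def analyze(events):
    """Summarise which behaviours appear in a batch of events."""
    techniques = set()
    persistence = []
    for ev in events:
        if ev["type"] == "process":
            techniques.update(recovery_inhibit_techniques(ev["cmdline"]))
        elif ev["type"] == "registry" and is_appdata_run_persistence(ev):
            persistence.append((ev["value"], ev["data"]))
    return {"recovery_inhibit": sorted(techniques), "persistence": persistence}


def is_suspicious(summary):
    """Alert on two or more distinct recovery-inhibition techniques, or on one technique
    combined with AppData Run-key persistence (a lone 'vssadmin list' is not enough)."""
    n = len(summary["recovery_inhibit"])
    return n >= 2 or (n >= 1 and bool(summary["persistence"]))


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("recovery inhibition:", ", ".join(result["recovery_inhibit"]) or "none")
    print("AppData Run-key persistence:", result["persistence"] or "none")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "benign")
```

The threshold in is_suspicious is deliberate: a single vssadmin or wbadmin invocation is routine administration, whereas the combination of shadow-copy deletion, boot-recovery changes and catalog deletion in one session is the pattern the post describes and is worth an alert on its own.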

Slam MBR Builder

The Slam builder also contains a very early stage “Alpha” MBR builder tool. Choosing to “Install” should write start.exe to c:\slam_mbr_builder\start.exe. This does not appear to occur in our testing and analysis, and the feature appears to be non-functional in the version of the Slam Builder we analyzed from Github.

However, we were able to obtain a copy of the builder from another source that allowed us to launch the builder and observe the output.

Slam “Alpha” MBR builder

Within the MBR Builder interface, users are able to configure the message displayed to the victim.

Slam MBR Builder Ransom Note Configuration

Prior to executing the build, a final screen allows the attacker to choose the “reboot mode”, with the options being:

  • Do Nothing
  • BSOD
  • Reboot
  • Shutdown
  • Nothing

Payloads from the MBR builder have been observed in the wild with the following PDB string.



In this area and many others of infosec, there is a fine line between “education” and researcher-led offensive security that seeks to explore and improve weaknesses in enterprise defenses on the one hand, and simple, out-and-out malicious code designed to aid and abet criminal offenses on the other. We see no indications in the various public artifacts around the Slam ransomware builder (code, videos, Github repository) that suggest it could reasonably be interpreted as in the service of the former.

However that may be, once in the hands of unscrupulous actors, full-featured projects such as these represent a real risk to enterprises and organizations.

We applaud Github for removing this code and hope this post serves as a reminder to defenders to be vigilant as threat actors continue to simplify the ransomware-centric extortion process. The barrier to entry into the world of cybercrime has never been lower.

SentinelOne Singularity™ detects and prevents malicious behavior associated with Slam Ransomware and its associated artifacts.

Indicators of Compromise

Observed File Names
JpegMedic ARWE
slam ransomware builder.exe

Observed PDB Strings

C:\Users\ander\source\repos\slam ransomware builder\slam ransomware builder\obj\Debug\slam ransomware builder.pdb

SHA1 Hashes

MITRE ATT&CK Techniques

T1542.003 – Pre-OS Boot: Bootkit
T1047 – Windows Management Instrumentation
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 – Hide Artifacts: Hidden Window
T1112 – Modify Registry
T1490 – Inhibit System Recovery
T1486 – Data Encrypted for Impact
T1491.001 – Defacement: Internal Defacement
T1083 – File and Directory Discovery
T1005 – Data from Local System
T0809 – Data Destruction