diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index a8f7273ea..c5d28b64b 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md 
@@ -6,41 +6,75 @@ pre: ' ' weight: 10 --- -The Infection Monkey has the capability of simulating a ransomware attack on your network. -All actions performed by the encryption routine are designed to be safe for production -environments. +The Infection Monkey is capable of simulating a ransomware attack on your +network using a set of behaviors. + +#### Encrypting user-specified files +All actions performed by the encryption routine are designed to be safe for +production environments. + +To ensure minimum interference and easy recoverability, the ransomware +simulation will encrypt files only if the user specifies a directory that +contains files that are safe to encrypt. If no directory is specified, no +files will be encrypted. + +#### Leaving a README.txt file +Many ransomware packages leave a README.txt file on the victim machine with an +explanation of what has occurred and instructions for paying the attacker. +Infection Monkey can also leave a README.txt file in the target directory on +the victim machine in order to replicate this behavior. This can be enabled or +disabled by checking the box on the configuration screen. Note that if no +target directory is specified for encryption, Infection Monkey will not leave a +README.txt file. + + + +The README.txt file informs the user that a ransomware simulation has taken +place and that they should contact their administrator. The contents of the +file can be found +[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt). -To ensure minimum interference and easy recoverability, the ransomware simulation will encrypt -files only if the user specifies a directory that contains files that are safe to encrypt. -If no directory is specified, no files will be encrypted. ## How are the files encrypted? -Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have -`.m0nk3y` appended to their names. 
+Files are "encrypted" in place with a simple bit flip. Encrypted files are +renamed to have `.m0nk3y` appended to their names. -This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. +This is a safe way to simulate encryption since it is easy to "decrypt" your +files. You can simply perform a bit flip on the files again and rename them to +remove the appended `.m0nk3y` extension. -This is sufficient to mock a ransomware attack on your network as the data in your files has been manipulated (temporarily leaving them unusuable) and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place. +This is sufficient to mock a ransomware attack on your network as the data in +your files has been manipulated (temporarily leaving them unusuable) and are +renamed with a different extension, similar to the way that many ransomwares +act. As this is a simulation, your security solutions should be triggered to +notify and prevent these changes from taking place. ## Which files are encrypted? -All regular files with [valid extensions](#file-extensions-targeted-for-encryption) in the configured directory are attempted to be encrypted during the simulation. +All regular files with [valid +extensions](#file-extensions-targeted-for-encryption) in the configured +directory are attempted to be encrypted during the simulation. -The simulation is not recursive, i.e. it will not touch any files in sub-directories of the configured directory. Symlinks and shortcuts are ignored. +The simulation is not recursive, i.e. it will not touch any files in +sub-directories of the configured directory. Symlinks and shortcuts are +ignored. 
-These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt. +These precautions are taken to prevent the monkey from going rogue and +accidentally encrypting files that you didn't intend to encrypt. ## File extensions targeted for encryption -Encryption attempts are only performed on regular files with the following extensions. +Encryption attempts are only performed on regular files with the following +extensions. -This list is based on the [analysis of the Goldeneye ransomware by BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/). +This list is based on the [analysis of the Goldeneye ransomware by +BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/). - .3ds - .7z
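Review bot: the re-wrapped paragraph under "How are the files encrypted?" carries over the typo "unusuable" (should be "unusable") and the awkward "many ransomwares act" (suggest "many ransomware families act"); since the lines are being touched for wrapping anyway, fix the wording in the same change. Two smaller points in the new "Leaving a README.txt file" section: "This can be enabled or disabled by checking the box on the configuration screen" does not say which option, so name the checkbox as it appears in the UI (or at least the configuration section it lives in); and the link to `ransomware_readme.txt` points at the `develop` branch, so the documented contents can drift from what a released build actually writes. Consider linking a tagged version or stating the file's contents inline.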