From 2427393e4aa90a8bb47aa793e2310773a39c5d93 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 30 Jun 2021 08:41:00 -0400
Subject: [PATCH 1/2] Agent: Rename VALID_FILE_EXTENSIONS_FOR_ENCRYPTION
---
 monkey/infection_monkey/ransomware/ransomware_payload.py | 4 ++--
 .../{valid_file_extensions.py => targeted_file_extensions.py} | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename monkey/infection_monkey/ransomware/{valid_file_extensions.py => targeted_file_extensions.py} (95%)
diff --git a/monkey/infection_monkey/ransomware/ransomware_payload.py b/monkey/infection_monkey/ransomware/ransomware_payload.py
index dcc0055de..a3ae684ae 100644
--- a/monkey/infection_monkey/ransomware/ransomware_payload.py
+++ b/monkey/infection_monkey/ransomware/ransomware_payload.py
@@ -6,7 +6,7 @@ from typing import List, Optional, Tuple
 from infection_monkey.ransomware.bitflip_encryptor import BitflipEncryptor
 from infection_monkey.ransomware.file_selectors import select_production_safe_target_files
-from infection_monkey.ransomware.valid_file_extensions import VALID_FILE_EXTENSIONS_FOR_ENCRYPTION
+from infection_monkey.ransomware.targeted_file_extensions import TARGETED_FILE_EXTENSIONS
 from infection_monkey.telemetry.file_encryption_telem import FileEncryptionTelem
 from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
 from infection_monkey.utils.environment import is_windows_os
@@ -35,7 +35,7 @@ class RansomwarePayload:
 )
 self._new_file_extension = EXTENSION
-self._valid_file_extensions_for_encryption = VALID_FILE_EXTENSIONS_FOR_ENCRYPTION.copy()
+self._valid_file_extensions_for_encryption = TARGETED_FILE_EXTENSIONS.copy()
 self._valid_file_extensions_for_encryption.discard(self._new_file_extension)
 self._encryptor = BitflipEncryptor(chunk_size=CHUNK_SIZE)
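Review bot: The rename stops at the import; the attribute assigned on the `+` line of the second hunk is still called `self._valid_file_extensions_for_encryption`, so the class keeps describing the set as "valid" while the module, the constant and the companion docs commit now call it "targeted". Renaming it on that line and on the `.discard(...)` line that follows would keep the vocabulary consistent: `self._targeted_file_extensions = TARGETED_FILE_EXTENSIONS.copy()` and `self._targeted_file_extensions.discard(self._new_file_extension)`. The attribute is presumably read by other methods of RansomwarePayload outside this hunk, which would need the same rename. The enclosing method begins before this hunk and continues past its last line.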
diff --git a/monkey/infection_monkey/ransomware/valid_file_extensions.py b/monkey/infection_monkey/ransomware/targeted_file_extensions.py
similarity index 95%
rename from monkey/infection_monkey/ransomware/valid_file_extensions.py
rename to monkey/infection_monkey/ransomware/targeted_file_extensions.py
index f67a6b761..6c769ad91 100644
--- a/monkey/infection_monkey/ransomware/valid_file_extensions.py
+++ b/monkey/infection_monkey/ransomware/targeted_file_extensions.py
@@ -1,4 +1,4 @@
-VALID_FILE_EXTENSIONS_FOR_ENCRYPTION = {
+TARGETED_FILE_EXTENSIONS = {
 ".3ds",
 ".7z",
 ".accdb",
From ebab7be32b0ac0177e0a0488fb2b50021146bd81 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 30 Jun 2021 08:41:26 -0400
Subject: [PATCH 2/2] Docs: Improve language regarding ransomware targeted file extensions
---
 docs/content/reference/ransomware.md | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md
index c5d28b64b..98d41ad83 100644
--- a/docs/content/reference/ransomware.md
+++ b/docs/content/reference/ransomware.md
@@ -56,8 +56,8 @@ notify and prevent these changes from taking place.
 ## Which files are encrypted?
-All regular files with [valid
-extensions](#file-extensions-targeted-for-encryption) in the configured
+All regular files with [targeted file
+extensions](#files-targeted-for-encryption) in the configured
 directory are attempted to be encrypted during the simulation.
 The simulation is not recursive, i.e. it will not touch any files in
@@ -68,12 +68,10 @@ These precautions are taken to prevent the monkey from going rogue and
 accidentally encrypting files that you didn't intend to encrypt.
-## File extensions targeted for encryption
+## Files targeted for encryption
-Encryption attempts are only performed on regular files with the following
-extensions.
-
-This list is based on the [analysis of the Goldeneye ransomware by
+Only regular files with certain extensions are encrypted by the ransomware
+simulation. This list is based on the [analysis of the Goldeneye ransomware by
 BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/).
 - .3ds