Docs: Fix formatting of ransomware documentation

This commit is contained in:
Mike Salvatore 2021-06-30 06:49:01 -04:00
parent af5fd8ac9d
commit 0d0d268a64
1 changed files with 41 additions and 17 deletions


@ -6,22 +6,33 @@ pre: '<i class="fas fa-lock"></i> '
weight: 10 weight: 10
--- ---
The Infection Monkey is capable of simulating a ransomware attack on your network using a set of behaviors. The Infection Monkey is capable of simulating a ransomware attack on your
network using a set of behaviors.
#### Encrypting user-specified files #### Encrypting user-specified files
All actions performed by the encryption routine are designed to be safe for production All actions performed by the encryption routine are designed to be safe for
environments. production environments.
To ensure minimum interference and easy recoverability, the ransomware simulation will encrypt To ensure minimum interference and easy recoverability, the ransomware
files only if the user specifies a directory that contains files that are safe to encrypt. simulation will encrypt files only if the user specifies a directory that
If no directory is specified, no files will be encrypted. contains files that are safe to encrypt. If no directory is specified, no
files will be encrypted.
#### Leaving a README.txt file #### Leaving a README.txt file
Many ransomware packages leave a README.txt file on the victim machine with an explanation of what has occurred and instructions for paying the attacker. Infection Monkey can also leave a README.txt file in the target directory on the victim machine in order to replicate this behavior. This can be enabled or disabled by checking the box on the configuration screen. Note that if no target directory is specified for encryption, Infection Monkey will not leave a README.txt file. Many ransomware packages leave a README.txt file on the victim machine with an
explanation of what has occurred and instructions for paying the attacker.
Infection Monkey can also leave a README.txt file in the target directory on
the victim machine in order to replicate this behavior. This can be enabled or
disabled by checking the box on the configuration screen. Note that if no
target directory is specified for encryption, Infection Monkey will not leave a
README.txt file.
<!-- add screenshot highlighting readme option --> <!-- add screenshot highlighting readme option -->
The README.txt file informs the user that a ransomware simulation has taken place and that they should contact their administrator. The contents of the file can be found [here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt). The README.txt file informs the user that a ransomware simulation has taken
place and that they should contact their administrator. The contents of the
file can be found
[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt).
<!-- add config screenshot here --> <!-- add config screenshot here -->
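Review bot: Two documentation gaps survive this reflow unchanged in the README.txt section: the `<!-- add screenshot highlighting readme option -->` and `<!-- add config screenshot here -->` placeholders are still HTML comments, so the page ships with no screenshot of the configuration option it describes; if they are not going to be filled in this commit, consider tracking them so they are not forgotten. A smaller nit on the link in the same section: `https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt` points at a single file via `/tree/`, where `/blob/` is the conventional GitHub path for files; GitHub redirects, but the canonical form is cleaner.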
@ -29,28 +40,41 @@ The README.txt file informs the user that a ransomware simulation has taken plac
## How are the files encrypted? ## How are the files encrypted?
Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have Files are "encrypted" in place with a simple bit flip. Encrypted files are
`.m0nk3y` appended to their names. renamed to have `.m0nk3y` appended to their names.
This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. This is a safe way to simulate encryption since it is easy to "decrypt" your
files. You can simply perform a bit flip on the files again and rename them to
remove the appended `.m0nk3y` extension.
This is sufficient to mock a ransomware attack on your network as the data in your files has been manipulated (temporarily leaving them unusuable) and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place. This is sufficient to mock a ransomware attack on your network as the data in
your files has been manipulated (temporarily leaving them unusuable) and are
renamed with a different extension, similar to the way that many ransomwares
act. As this is a simulation, your security solutions should be triggered to
notify and prevent these changes from taking place.
## Which files are encrypted? ## Which files are encrypted?
All regular files with [valid extensions](#file-extensions-targeted-for-encryption) in the configured directory are attempted to be encrypted during the simulation. All regular files with [valid
extensions](#file-extensions-targeted-for-encryption) in the configured
directory are attempted to be encrypted during the simulation.
The simulation is not recursive, i.e. it will not touch any files in sub-directories of the configured directory. Symlinks and shortcuts are ignored. The simulation is not recursive, i.e. it will not touch any files in
sub-directories of the configured directory. Symlinks and shortcuts are
ignored.
These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt. These precautions are taken to prevent the monkey from going rogue and
accidentally encrypting files that you didn't intend to encrypt.
## File extensions targeted for encryption ## File extensions targeted for encryption
Encryption attempts are only performed on regular files with the following extensions. Encryption attempts are only performed on regular files with the following
extensions.
This list is based on the [analysis of the Goldeneye ransomware by BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/). This list is based on the [analysis of the Goldeneye ransomware by
BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/).
- .3ds - .3ds
- .7z - .7z
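Review bot: Since this hunk only re-wraps existing sentences, it carries over the wording defects in the "How are the files encrypted?" paragraph; it would be worth fixing them while the lines are already being touched. "temporarily leaving them unusuable" should read "unusable"; "the data in your files has been manipulated ... and are renamed" mixes subjects (the data is manipulated, the files are renamed), e.g. "the data in your files has been manipulated (temporarily leaving them unusable) and the files have been renamed with a different extension"; and "many ransomwares" reads better as "many ransomware families". In the "Which files are encrypted?" section, "are attempted to be encrypted" is an awkward passive; "the simulation attempts to encrypt all regular files with valid extensions in the configured directory" says the same thing more directly.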