2021-06-23 22:15:43 +08:00
|
|
|
---
|
2021-07-28 18:25:52 +08:00
|
|
|
title: " Ransomware Simulation"
|
2021-06-23 22:15:43 +08:00
|
|
|
date: 2021-06-23T18:13:59+05:30
|
2021-07-29 22:14:05 +08:00
|
|
|
draft: false
|
2021-07-28 16:07:33 +08:00
|
|
|
description: "Simulate a ransomware attack on your network and assess the potential damage."
|
2021-07-28 18:25:52 +08:00
|
|
|
weight: 1
|
|
|
|
pre: "<i class='fa fa-lock'></i>"
|
2021-06-23 22:15:43 +08:00
|
|
|
---
|
|
|
|
|
2021-06-30 18:49:01 +08:00
|
|
|
The Infection Monkey is capable of simulating a ransomware attack on your
|
2021-06-30 23:37:05 +08:00
|
|
|
network using a set of configurable behaviors.
|
2021-06-29 16:22:10 +08:00
|
|
|
|
2021-06-25 19:07:50 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
## Encryption
|
2021-06-24 17:11:38 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
In order to simulate the behavior of ransomware as accurately as possible,
|
2021-06-30 23:37:05 +08:00
|
|
|
the Infection Monkey can [encrypt user-specified files](#configuring-encryption)
|
2021-06-30 22:10:04 +08:00
|
|
|
using a [fully reversible algorithm](#how-are-the-files-encrypted). A number of
|
|
|
|
mechanisms are in place to ensure that all actions performed by the encryption
|
|
|
|
routine are safe for production environments.
|
2021-06-24 17:11:38 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
### Preparing your environment for a ransomware simulation
|
2021-06-24 17:11:38 +08:00
|
|
|
|
2021-06-30 23:37:05 +08:00
|
|
|
The Infection Monkey will only encrypt files that you allow it to. In
|
|
|
|
order to take full advantage of the Infection Monkey's ransomware simulation, you'll
|
|
|
|
need to provide the Infection Monkey with a directory that contains files that
|
2021-06-30 22:10:04 +08:00
|
|
|
are safe for it to encrypt. The recommended approach is to use a remote
|
|
|
|
administration tool, such as
|
|
|
|
[Ansible](https://docs.ansible.com/ansible/latest/user_guide/) or
|
|
|
|
[PsExec](https://theitbros.com/using-psexec-to-run-commands-remotely/) to add a
|
2021-06-30 23:37:05 +08:00
|
|
|
"ransomware target" directory to each machine in your environment. The Infection
|
2021-06-30 22:10:04 +08:00
|
|
|
Monkey can then be configured to encrypt files in this directory.
|
2021-06-24 17:11:38 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
### Configuring encryption
|
2021-06-23 22:15:43 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
To ensure minimum interference and easy recoverability, the ransomware
|
|
|
|
simulation will only encrypt files contained in a user-specified directory. If
|
|
|
|
no directory is specified, no files will be encrypted.
|
2021-06-23 22:15:43 +08:00
|
|
|
|
2022-08-19 00:47:57 +08:00
|
|
|
Infection Monkey appends the `.m0nk3y` file extension to files that it
|
|
|
|
encrypts. You may optionally provide a custom file extension for Infection
|
|
|
|
Monkey to use instead. You can even provide no file extension, but take
|
|
|
|
caution: you'll no longer be able to tell if the file has been encrypted based
|
|
|
|
on the filename alone!
|
|
|
|
|
2021-07-28 19:16:12 +08:00
|
|
|
![Ransomware configuration](/images/usage/scenarios/ransomware-config.png "Ransomware configuration")
|
2021-06-23 22:15:43 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
### How are the files encrypted?
|
2021-06-23 22:15:43 +08:00
|
|
|
|
2021-06-30 22:10:04 +08:00
|
|
|
Files are "encrypted" in place with a simple bit flip. Encrypted files are
|
2022-08-19 00:47:57 +08:00
|
|
|
renamed to have a file extension (`.m0nk3y` by default) appended to their
|
|
|
|
names. This is a safe way to simulate encryption since it is easy to "decrypt"
|
|
|
|
your files. You can simply perform a bit flip on the files again and rename
|
|
|
|
them to remove the appended `.m0nk3y` extension.
|
2021-06-30 22:10:04 +08:00
|
|
|
|
|
|
|
Flipping a file's bits is sufficient to simulate the encryption behavior of
|
|
|
|
ransomware, as the data in your files has been manipulated (leaving them
|
2022-08-19 21:50:20 +08:00
|
|
|
temporarily unusable). Files are then renamed with a new extension appended,
|
2021-06-30 22:10:04 +08:00
|
|
|
which is similar to the way that many ransomwares behave. As this is a
|
|
|
|
simulation, your
|
|
|
|
security solutions should be triggered to notify you or prevent these changes
|
|
|
|
from taking place.
|
|
|
|
|
|
|
|
### Which files are encrypted?
|
|
|
|
|
|
|
|
During the ransomware simulation, attempts will be made to encrypt all regular
|
|
|
|
files with [targeted file extensions](#files-targeted-for-encryption) in the
|
|
|
|
configured directory. The simulation is not recursive, i.e. it will not touch
|
2021-06-30 23:37:05 +08:00
|
|
|
any files in sub-directories of the configured directory. The Infection Monkey will
|
2021-06-30 22:10:04 +08:00
|
|
|
not follow any symlinks or shortcuts.
|
|
|
|
|
2021-06-30 23:37:05 +08:00
|
|
|
These precautions are taken to prevent the Infection Monkey from accidentally
|
2021-06-30 22:10:04 +08:00
|
|
|
encrypting files that you didn't intend to encrypt.
|
|
|
|
|
|
|
|
### Files targeted for encryption
|
2021-06-23 22:15:43 +08:00
|
|
|
|
2021-06-30 20:41:26 +08:00
|
|
|
Only regular files with certain extensions are encrypted by the ransomware
|
|
|
|
simulation. This list is based on the [analysis of the Goldeneye ransomware by
|
2021-06-30 18:49:01 +08:00
|
|
|
BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/).
|
2021-06-23 22:15:43 +08:00
|
|
|
|
|
|
|
- .3ds
|
|
|
|
- .7z
|
|
|
|
- .accdb
|
|
|
|
- .ai
|
|
|
|
- .asp
|
|
|
|
- .aspx
|
|
|
|
- .avhd
|
|
|
|
- .avi
|
|
|
|
- .back
|
|
|
|
- .bak
|
|
|
|
- .c
|
|
|
|
- .cfg
|
|
|
|
- .conf
|
|
|
|
- .cpp
|
|
|
|
- .cs
|
|
|
|
- .ctl
|
|
|
|
- .dbf
|
|
|
|
- .disk
|
|
|
|
- .djvu
|
|
|
|
- .doc
|
|
|
|
- .docx
|
|
|
|
- .dwg
|
|
|
|
- .eml
|
|
|
|
- .fdb
|
|
|
|
- .giff
|
|
|
|
- .gz
|
|
|
|
- .h
|
|
|
|
- .hdd
|
|
|
|
- .jpg
|
|
|
|
- .jpeg
|
|
|
|
- .kdbx
|
|
|
|
- .mail
|
|
|
|
- .mdb
|
|
|
|
- .mpg
|
|
|
|
- .mpeg
|
|
|
|
- .msg
|
|
|
|
- .nrg
|
|
|
|
- .ora
|
|
|
|
- .ost
|
|
|
|
- .ova
|
|
|
|
- .ovf
|
|
|
|
- .pdf
|
|
|
|
- .php
|
|
|
|
- .pmf
|
|
|
|
- .png
|
|
|
|
- .ppt
|
|
|
|
- .pptx
|
|
|
|
- .pst
|
|
|
|
- .pvi
|
|
|
|
- .py
|
|
|
|
- .pyc
|
|
|
|
- .rar
|
|
|
|
- .rtf
|
|
|
|
- .sln
|
|
|
|
- .sql
|
|
|
|
- .tar
|
|
|
|
- .tiff
|
|
|
|
- .txt
|
|
|
|
- .vbox
|
|
|
|
- .vbs
|
|
|
|
- .vcb
|
|
|
|
- .vdi
|
|
|
|
- .vfd
|
|
|
|
- .vmc
|
|
|
|
- .vmdk
|
|
|
|
- .vmsd
|
|
|
|
- .vmx
|
|
|
|
- .vsdx
|
|
|
|
- .vsv
|
|
|
|
- .work
|
|
|
|
- .xls
|
|
|
|
- .xlsx
|
|
|
|
- .xvd
|
|
|
|
- .zip
|
2021-07-28 19:16:12 +08:00
|
|
|
|
|
|
|
|
|
|
|
## Leaving a README.txt file
|
|
|
|
|
|
|
|
Many ransomware packages leave a README.txt file on the victim machine with an
|
|
|
|
explanation of what has occurred and instructions for paying the attacker.
|
|
|
|
The Infection Monkey will also leave a README.txt file in the target directory on
|
|
|
|
the victim machine in order to replicate this behavior.
|
|
|
|
|
|
|
|
The README.txt file informs the user that a ransomware simulation has taken
|
|
|
|
place and that they should contact their administrator. The contents of the
|
|
|
|
file can be found
|
|
|
|
[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt).
|