From da204416e6b2fb7ee7468a242f7d2bc11fb30014 Mon Sep 17 00:00:00 2001 From: Shreya Date: Wed, 23 Jun 2021 19:45:43 +0530 Subject: [PATCH 1/8] docs: Add reference page for ransomware --- docs/content/reference/ransomware.md | 116 +++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 docs/content/reference/ransomware.md diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md new file mode 100644 index 000000000..ed76edf34 --- /dev/null +++ b/docs/content/reference/ransomware.md 
@@ -0,0 +1,116 @@ +--- +title: "Ransomware" +date: 2021-06-23T18:13:59+05:30 +draft: true +pre: ' ' +weight: 10 +--- + +The Infection Monkey has the capability of simulating a ransomware attack on your network. +All actions performed by the encryption routine are safe for production environments. + +To ensure minimum intereference and easy recoverability, the ransomware simulation will only run if +it is configured properly. To do so, you must specify the path to a directory in the configuration. +If no directory is specified, the simulation will not run. + + + +## Which files are encrypted? + +All regular files with [relevant extensions](#relevant-file-extensions-for-encryption) in the +configured directory are attempted to be encrypted during the simulation. + +The simulation is not recursive, i.e. it will not touch any files in sub-directories of the +configured directory — only appropriate files in the top level of the tree. + +Symlinks and shortcuts are ignored. + + +## How are the files encrypted? + +Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have +`.m0nk3y` appended to their names. + +To "decrypt" your files, you can simply perform a bit flip on them again. + + +## Relevant file extensions for encryption + +Encryption attempts are only performed on regular files with the following extensions. + +This list is based on the [analysis of the ??? ransomware by ???](). 
+ +- .3ds +- .7z +- .accdb +- .ai +- .asp +- .aspx +- .avhd +- .avi +- .back +- .bak +- .c +- .cfg +- .conf +- .cpp +- .cs +- .ctl +- .dbf +- .disk +- .djvu +- .doc +- .docx +- .dwg +- .eml +- .fdb +- .giff +- .gz +- .h +- .hdd +- .jpg +- .jpeg +- .kdbx +- .mail +- .mdb +- .mpg +- .mpeg +- .msg +- .nrg +- .ora +- .ost +- .ova +- .ovf +- .pdf +- .php +- .pmf +- .png +- .ppt +- .pptx +- .pst +- .pvi +- .py +- .pyc +- .rar +- .rtf +- .sln +- .sql +- .tar +- .tiff +- .txt +- .vbox +- .vbs +- .vcb +- .vdi +- .vfd +- .vmc +- .vmdk +- .vmsd +- .vmx +- .vsdx +- .vsv +- .work +- .xls +- .xlsx +- .xvd +- .zip From 91c3a6cb0dc10fe0bb4e03105fe0a4dd1cf448f9 Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 24 Jun 2021 13:19:39 +0530 Subject: [PATCH 2/8] docs: Reword some content on the ransomware page --- docs/content/reference/ransomware.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index ed76edf34..7efe56e1a 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -7,11 +7,12 @@ weight: 10 --- The Infection Monkey has the capability of simulating a ransomware attack on your network. -All actions performed by the encryption routine are safe for production environments. +All actions performed by the encryption routine are designed to be safe for production +environments. -To ensure minimum intereference and easy recoverability, the ransomware simulation will only run if -it is configured properly. To do so, you must specify the path to a directory in the configuration. -If no directory is specified, the simulation will not run. +To ensure minimum interference and easy recoverability, the ransomware simulation will encrypt +files if the user specifies a directory that contains files that are safe to encrypt. +If no directory is specified, no files will be encrypted. 
@@ -38,7 +39,7 @@ To "decrypt" your files, you can simply perform a bit flip on them again. Encryption attempts are only performed on regular files with the following extensions. -This list is based on the [analysis of the ??? ransomware by ???](). +This list is based on the [analysis of the Goldeneye ransomware by BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/). - .3ds - .7z From 97bc0fd2051d0bdeca778bebd76fed875aae1b85 Mon Sep 17 00:00:00 2001 From: Shreya Date: Thu, 24 Jun 2021 14:41:38 +0530 Subject: [PATCH 3/8] docs: Add more information about the safety and sufficiency of the ransomware simulation --- docs/content/reference/ransomware.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 7efe56e1a..6e6f614d7 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -16,6 +16,16 @@ If no directory is specified, no files will be encrypted. +## How are the files encrypted? + +Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have +`.m0nk3y` appended to their names. + +This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. + +This is sufficient for a ransomware simulation as your files are unusuable and are renamed with a different extension, similar to how many ransomwares act. These changes should trigger your security solutions. + + ## Which files are encrypted? All regular files with [relevant extensions](#relevant-file-extensions-for-encryption) in the 
@@ -27,14 +37,6 @@ configured directory — only appropriate files in the top level of the tree. Symlinks and shortcuts are ignored. -## How are the files encrypted? - -Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have -`.m0nk3y` appended to their names. - -To "decrypt" your files, you can simply perform a bit flip on them again. - - ## Relevant file extensions for encryption Encryption attempts are only performed on regular files with the following extensions. From 3ddde83b5c40a4f06d89927c35332cdbd7560f09 Mon Sep 17 00:00:00 2001 From: Shreya Malviya Date: Fri, 25 Jun 2021 16:00:49 +0530 Subject: [PATCH 4/8] docs: Reword ransomware introductory description Add "only" to clarify that encryption will only take place if a directory is specified. Co-authored-by: Mike Salvatore --- docs/content/reference/ransomware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 6e6f614d7..7c263a3e2 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -11,7 +11,7 @@ All actions performed by the encryption routine are designed to be safe for prod environments. To ensure minimum interference and easy recoverability, the ransomware simulation will encrypt -files if the user specifies a directory that contains files that are safe to encrypt. +files only if the user specifies a directory that contains files that are safe to encrypt. If no directory is specified, no files will be encrypted. From f77d0c28c2e761bd1d0d2764ee82ad3148d623d0 Mon Sep 17 00:00:00 2001 From: Shreya Date: Fri, 25 Jun 2021 16:22:59 +0530 Subject: [PATCH 5/8] docs: Add note about why ransomware encryption is not recursive and ignores shortcuts and symlinks --- docs/content/reference/ransomware.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 7c263a3e2..9eb220c54 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -32,9 +32,9 @@ All regular files with [relevant extensions](#relevant-file-extensions-for-encry configured directory are attempted to be encrypted during the simulation. The simulation is not recursive, i.e. it will not touch any files in sub-directories of the -configured directory — only appropriate files in the top level of the tree. +configured directory. Symlinks and shortcuts are ignored. -Symlinks and shortcuts are ignored. +These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt. ## Relevant file extensions for encryption From 32026f64a447b79a8e944b6c9cb202bf8dc83bf6 Mon Sep 17 00:00:00 2001 From: Shreya Date: Fri, 25 Jun 2021 16:27:35 +0530 Subject: [PATCH 6/8] docs: Change "relevant extensions" to "targeted extensions" in ransomware docs --- docs/content/reference/ransomware.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 9eb220c54..77590d021 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md 
@@ -28,16 +28,14 @@ This is sufficient for a ransomware simulation as your files are unusuable and a ## Which files are encrypted? -All regular files with [relevant extensions](#relevant-file-extensions-for-encryption) in the -configured directory are attempted to be encrypted during the simulation. +All regular files with [valid extensions](#file-extensions-targeted-for-encryption) in the configured directory are attempted to be encrypted during the simulation. -The simulation is not recursive, i.e. it will not touch any files in sub-directories of the -configured directory. Symlinks and shortcuts are ignored. +The simulation is not recursive, i.e. it will not touch any files in sub-directories of the configured directory. Symlinks and shortcuts are ignored. These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt. -## Relevant file extensions for encryption +## File extensions targeted for encryption Encryption attempts are only performed on regular files with the following extensions. From 61d95f52e1cec14a7d399e331889026c4d14cd7d Mon Sep 17 00:00:00 2001 From: Shreya Date: Fri, 25 Jun 2021 16:37:50 +0530 Subject: [PATCH 7/8] docs: Reword the paragraph describing why the ransomware simulation is good enough --- docs/content/reference/ransomware.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index 77590d021..a8d9b265e 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md @@ -16,6 +16,7 @@ If no directory is specified, no files will be encrypted. + ## How are the files encrypted? Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have 
@@ -23,7 +24,7 @@ Files are "encrypted" in place with a simple bit flip. Encrypted files are renam This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. -This is sufficient for a ransomware simulation as your files are unusuable and are renamed with a different extension, similar to how many ransomwares act. These changes should trigger your security solutions. +This is sufficient to mock a ransomware attack on your network as your files are left unusuable and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place. ## Which files are encrypted? From 954cc469cf7cab9c50c18b312fa9741895abd235 Mon Sep 17 00:00:00 2001 From: Shreya Date: Fri, 25 Jun 2021 19:07:32 +0530 Subject: [PATCH 8/8] docs: Reword paragaraph about why ransomware simulation is sufficient --- docs/content/reference/ransomware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/reference/ransomware.md b/docs/content/reference/ransomware.md index a8d9b265e..a8f7273ea 100644 --- a/docs/content/reference/ransomware.md +++ b/docs/content/reference/ransomware.md 
@@ -24,7 +24,7 @@ Files are "encrypted" in place with a simple bit flip. Encrypted files are renam This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension. -This is sufficient to mock a ransomware attack on your network as your files are left unusuable and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place. +This is sufficient to mock a ransomware attack on your network as the data in your files has been manipulated (temporarily leaving them unusuable) and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place. ## Which files are encrypted?
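Review bot: the new page in PATCH 1/8 (docs/content/reference/ransomware.md) still carries a placeholder citation, `This list is based on the [analysis of the ??? ransomware by ???]().`, which renders as an empty link; fill in the source or drop the sentence before merge. In the same hunk, `intereference` is misspelled, `draft: true` in the front matter keeps the page out of the published docs (flip it once the page is ready), and `.giff` in the extension list sits next to `.jpg`/`.jpeg`; confirm it matches the cited list rather than being a typo for `.gif`, since a wrong entry means that file type is silently skipped during the simulation.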
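Review bot: the reworded condition in the first hunk of PATCH 2/8, `will encrypt files if the user specifies a directory that contains files that are safe to encrypt`, reads as though the simulation itself checks that the files are safe, when it is the user who must pick a directory whose contents are disposable. Suggest stating that responsibility plainly, e.g. "encrypts files only if you specify a directory; choose one that contains only files that are safe to encrypt", and keeping the closing sentence that nothing is encrypted when no directory is configured, since that default is the feature's main safety property.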
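Review bot: the citation line in the second hunk of PATCH 2/8 is one roughly 190-character line, while the rest of the file is wrapped at about 100 columns; wrap the prose before the link or place the link on its own line so the source stays consistent and future diffs stay readable.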
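Review bot: the "How are the files encrypted?" section added in the first hunk of PATCH 3/8 says files are "encrypted" with "a simple bit flip" but never says what that means (every bit of every byte, or something else), so a user cannot write a deterministic recovery step from the docs alone; spell out the exact transformation next to the `.m0nk3y` rename. The paragraph `These changes should trigger your security solutions.` would be more useful if it named the behaviours a detection product is expected to catch (in-place modification of many files' contents plus a mass rename to an unfamiliar extension), so users know what to verify in their tooling. Also in this hunk: `unusuable` is misspelled, "ransomwares" should be "ransomware", and the new paragraphs are single long lines rather than wrapped like the surrounding text.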
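Review bot: the rationale added in PATCH 5/8, `These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt.`, is informal and hides the actual reasoning; suggest stating it directly: non-recursive traversal bounds the effect to the single directory the user chose, and ignoring symlinks and shortcuts ensures a link inside that directory cannot redirect the simulation to data outside it. That wording also tells readers what to check when they prepare the target directory.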
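Review bot: PATCH 6/8 is inconsistent with its own subject line ("Change 'relevant extensions' to 'targeted extensions'"): the heading becomes `## File extensions targeted for encryption`, but the link text becomes `[valid extensions](#file-extensions-targeted-for-encryption)` rather than "targeted extensions". Pick one term and use it in both places. The hunk also joins previously wrapped lines into single long lines with no wording change, which makes the diff noisier than the rename needs; keep the existing wrapping.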
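Review bot: in the second hunk of PATCH 7/8, `As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place.` gives the wrong cause: being a simulation is not why a security product should react, the resemblance to real ransomware behaviour is. Suggest "Because the simulation mimics these behaviours, your security solutions should detect and block the changes." The first hunk of this patch only adds a third blank line before the heading, which can be dropped, and `unusuable` remains misspelled in the rewritten sentence.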
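Review bot: the rewritten sentence in PATCH 8/8 has a subject mismatch, `the data in your files has been manipulated (...) and are renamed with a different extension`, since "data" cannot be renamed; `unusuable` and "ransomwares" also carry over. Suggest: "the contents of your files are modified (temporarily leaving them unusable) and the files are renamed with a different extension, as many ransomware families do." The commit subject's `paragaraph` is also misspelled.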