forked from p15670423/monkey
Merge pull request #1265 from guardicore/ransomware-encryption-documentation
Add documentation for ransomware
This commit is contained in:
Mike Salvatore
GitHub
commit
33a6e72df5
|
|
@ -0,0 +1,118 @@
|
|||
---
|
||||
title: "Ransomware"
|
||||
date: 2021-06-23T18:13:59+05:30
|
||||
draft: true
|
||||
pre: '<i class="fas fa-lock"></i> '
|
||||
weight: 10
|
||||
---
|
||||
|
||||
The Infection Monkey has the capability of simulating a ransomware attack on your network.
|
||||
All actions performed by the encryption routine are designed to be safe for production
|
||||
environments.
|
||||
|
||||
To ensure minimum interference and easy recoverability, the ransomware simulation will encrypt
|
||||
files only if the user specifies a directory that contains files that are safe to encrypt.
|
||||
If no directory is specified, no files will be encrypted.
|
||||
|
||||
<!-- add config screenshot here -->
|
||||
|
||||
|
||||
## How are the files encrypted?
|
||||
|
||||
Files are "encrypted" in place with a simple bit flip. Encrypted files are renamed to have
|
||||
`.m0nk3y` appended to their names.
|
||||
|
||||
This is a safe way to simulate encryption since it is easy to "decrypt" your files. You can simply perform a bit flip on the files again and rename them to remove the appended `.m0nk3y` extension.
|
||||
|
||||
This is sufficient to mock a ransomware attack on your network as the data in your files has been manipulated (temporarily leaving them unusuable) and are renamed with a different extension, similar to the way that many ransomwares act. As this is a simulation, your security solutions should be triggered to notify and prevent these changes from taking place.
|
||||
|
||||
|
||||
## Which files are encrypted?
|
||||
|
||||
All regular files with [valid extensions](#file-extensions-targeted-for-encryption) in the configured directory are attempted to be encrypted during the simulation.
|
||||
|
||||
The simulation is not recursive, i.e. it will not touch any files in sub-directories of the configured directory. Symlinks and shortcuts are ignored.
|
||||
|
||||
These precautions are taken to prevent the monkey from going rogue and accidentally encrypting files that you didn't intend to encrypt.
|
||||
|
||||
|
||||
## File extensions targeted for encryption
|
||||
|
||||
Encryption attempts are only performed on regular files with the following extensions.
|
||||
|
||||
This list is based on the [analysis of the Goldeneye ransomware by BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/).
|
||||
|
||||
- .3ds
|
||||
- .7z
|
||||
- .accdb
|
||||
- .ai
|
||||
- .asp
|
||||
- .aspx
|
||||
- .avhd
|
||||
- .avi
|
||||
- .back
|
||||
- .bak
|
||||
- .c
|
||||
- .cfg
|
||||
- .conf
|
||||
- .cpp
|
||||
- .cs
|
||||
- .ctl
|
||||
- .dbf
|
||||
- .disk
|
||||
- .djvu
|
||||
- .doc
|
||||
- .docx
|
||||
- .dwg
|
||||
- .eml
|
||||
- .fdb
|
||||
- .giff
|
||||
- .gz
|
||||
- .h
|
||||
- .hdd
|
||||
- .jpg
|
||||
- .jpeg
|
||||
- .kdbx
|
||||
- .mail
|
||||
- .mdb
|
||||
- .mpg
|
||||
- .mpeg
|
||||
- .msg
|
||||
- .nrg
|
||||
- .ora
|
||||
- .ost
|
||||
- .ova
|
||||
- .ovf
|
||||
- .pdf
|
||||
- .php
|
||||
- .pmf
|
||||
- .png
|
||||
- .ppt
|
||||
- .pptx
|
||||
- .pst
|
||||
- .pvi
|
||||
- .py
|
||||
- .pyc
|
||||
- .rar
|
||||
- .rtf
|
||||
- .sln
|
||||
- .sql
|
||||
- .tar
|
||||
- .tiff
|
||||
- .txt
|
||||
- .vbox
|
||||
- .vbs
|
||||
- .vcb
|
||||
- .vdi
|
||||
- .vfd
|
||||
- .vmc
|
||||
- .vmdk
|
||||
- .vmsd
|
||||
- .vmx
|
||||
- .vsdx
|
||||
- .vsv
|
||||
- .work
|
||||
- .xls
|
||||
- .xlsx
|
||||
- .xvd
|
||||
- .zip
|
||||
Loading…
Reference in New Issue