Merge pull request #1284 from guardicore/ransomware-targeted-files

Ransomware targeted files
This commit is contained in:
Mike Salvatore 2021-06-30 09:51:43 -04:00 committed by GitHub
commit dcffe2a850
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 10 deletions


@ -56,8 +56,8 @@ notify and prevent these changes from taking place.
## Which files are encrypted? ## Which files are encrypted?
All regular files with [valid All regular files with [targeted file
extensions](#file-extensions-targeted-for-encryption) in the configured extensions](#files-targeted-for-encryption) in the configured
directory are attempted to be encrypted during the simulation. directory are attempted to be encrypted during the simulation.
The simulation is not recursive, i.e. it will not touch any files in The simulation is not recursive, i.e. it will not touch any files in
@ -68,12 +68,10 @@ These precautions are taken to prevent the monkey from going rogue and
accidentally encrypting files that you didn't intend to encrypt. accidentally encrypting files that you didn't intend to encrypt.
## File extensions targeted for encryption ## Files targeted for encryption
Encryption attempts are only performed on regular files with the following Only regular files with certain extensions are encrypted by the ransomware
extensions. simulation. This list is based on the [analysis of the Goldeneye ransomware by
This list is based on the [analysis of the Goldeneye ransomware by
BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/). BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-goldeneye-ransomware-attack/).
- .3ds - .3ds


@ -6,7 +6,7 @@ from typing import List, Optional, Tuple
from infection_monkey.ransomware.bitflip_encryptor import BitflipEncryptor from infection_monkey.ransomware.bitflip_encryptor import BitflipEncryptor
from infection_monkey.ransomware.file_selectors import select_production_safe_target_files from infection_monkey.ransomware.file_selectors import select_production_safe_target_files
from infection_monkey.ransomware.valid_file_extensions import VALID_FILE_EXTENSIONS_FOR_ENCRYPTION from infection_monkey.ransomware.targeted_file_extensions import TARGETED_FILE_EXTENSIONS
from infection_monkey.telemetry.file_encryption_telem import FileEncryptionTelem from infection_monkey.telemetry.file_encryption_telem import FileEncryptionTelem
from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger from infection_monkey.telemetry.messengers.i_telemetry_messenger import ITelemetryMessenger
from infection_monkey.utils.environment import is_windows_os from infection_monkey.utils.environment import is_windows_os
@ -35,7 +35,7 @@ class RansomwarePayload:
) )
self._new_file_extension = EXTENSION self._new_file_extension = EXTENSION
self._valid_file_extensions_for_encryption = VALID_FILE_EXTENSIONS_FOR_ENCRYPTION.copy() self._valid_file_extensions_for_encryption = TARGETED_FILE_EXTENSIONS.copy()
self._valid_file_extensions_for_encryption.discard(self._new_file_extension) self._valid_file_extensions_for_encryption.discard(self._new_file_extension)
self._encryptor = BitflipEncryptor(chunk_size=CHUNK_SIZE) self._encryptor = BitflipEncryptor(chunk_size=CHUNK_SIZE)
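Review bot: The rename stops at the constant: `self._valid_file_extensions_for_encryption = TARGETED_FILE_EXTENSIONS.copy()` keeps the attribute under the old "valid" name the commit otherwise retires, so the two vocabularies now coexist in the same statement. Renaming the attribute too, `self._targeted_file_extensions = TARGETED_FILE_EXTENSIONS.copy()` and `self._targeted_file_extensions.discard(self._new_file_extension)`, keeps the class consistent with the new module name; any other readers of the attribute outside this hunk would need the same change. The copy-then-discard pair also deserves a short why-comment, since its purpose (working on a private copy so the module-level set is not mutated, and dropping the payload's own output extension from the targets, presumably so files already carrying that extension are not touched again) is not obvious from the two lines; something like `# Private copy: never mutate the shared constant; skip files that already carry our extension`. The enclosing `__init__` begins before this hunk.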


@ -1,4 +1,4 @@
VALID_FILE_EXTENSIONS_FOR_ENCRYPTION = { TARGETED_FILE_EXTENSIONS = {
".3ds", ".3ds",
".7z", ".7z",
".accdb", ".accdb",