
Ransomware bitflip encryption #1238

@mssalvatore

Description


As a purple team member, I want a ransomware simulation that actually encrypts some files, so that I can test my EDR systems.

Acceptance Criteria

  • All actions performed by the encryption routine are safe for production environments.
  • Encryption routine is configured to encrypt files in a user-specified directory.
    • Default is NULL/empty. Encryption will not proceed without a user-specified directory.
  • Files are "encrypted" in the user-specified directory.
    • The "encryption" algorithm is a simple bit flip.
    • Any symlinks or shortcuts are explicitly ignored.
    • Ransomware simulation must not perform this action recursively. Only regular files in the user-specified directory are encrypted. Subdirectories are explicitly ignored.
    • Files are encrypted in place.
    • Encrypted files are renamed with a ".m0nk3y" extension.
    • Any files that already have a ".m0nk3y" extension are skipped.
  • Ransomware telemetry is sent to Monkey Island.
  • Only regular files with the following extensions are encrypted. Other files are ignored.
    • .3ds
    • .7z
    • .accdb
    • .ai
    • .asp
    • .aspx
    • .avhd
    • .avi
    • .back
    • .bak
    • .c
    • .cfg
    • .conf
    • .cpp
    • .cs
    • .ctl
    • .dbf
    • .disk
    • .djvu
    • .doc
    • .docx
    • .dwg
    • .eml
    • .fdb
    • .giff
    • .gz
    • .h
    • .hdd
    • .jpg
    • .jpeg
    • .kdbx
    • .mail
    • .mdb
    • .mpg
    • .mpeg
    • .msg
    • .nrg
    • .ora
    • .ost
    • .ova
    • .ovf
    • .pdf
    • .php
    • .pmf
    • .png
    • .ppt
    • .pptx
    • .pst
    • .pvi
    • .py
    • .pyc
    • .rar
    • .rtf
    • .sln
    • .sql
    • .tar
    • .tiff
    • .txt
    • .vbox
    • .vbs
    • .vcb
    • .vdi
    • .vfd
    • .vmc
    • .vmdk
    • .vmsd
    • .vmx
    • .vsdx
    • .vsv
    • .work
    • .xls
    • .xlsx
    • .xvd
    • .zip
  • Unit tests are written and provide comprehensive coverage.
  • Documentation is written that describes how the encryption functionality behaves.
    • Skip the specifics of how to configure it, as a configuration menu will be added to the UI to handle this.

Tasks

  • Create a stubbed out ransomware payload that accepts a ransomware configuration and logs a message and gets called from start(). (0d) - @VakarisZ
  • Iterate through the files in the target directory and ignore files without an allowed extension. (0d) - @shreyamalviya
  • Add bitflip functionality to ransomware payload (0.25d) - @mssalvatore
    • Read the file one "block" at a time
    • Flip the bits of the block
    • Overwrite the plaintext block in the file with the encrypted block
    • Add a ".m0nk3y" extension to the file after encryption is complete
    • Integrate encryption code with the ransomware stub
  • Add checks to bitflip functionality to explicitly ignore symlinks and shortcuts (0d) - @mssalvatore
  • Send telemetry to island (0) - @shreyamalviya, @mssalvatore
  • Write documentation that describes how the encryption functionality behaves. (0d) - @VakarisZ, @shreyamalviya

Notes

Proposed ransomware worm configuration:

  "ransomware": {
    "linux_dir": "/...",
    "windows_dir": "%Temp%/..."
  }

Checking windows shortcuts

It should be sufficient to check whether or not the file ends in .lnk (https://stackoverflow.com/questions/18864004/how-to-check-whether-a-folder-is-a-shortcut-or-not-using-python)

Telemetry

Telemetry will send:

  • A list of tuples containing (file_path, error_str)
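The encryption routine described in the Tasks and Notes above, worked through as an added example that is not the project's own code: block-wise bit flip in place, rename to ".m0nk3y", non-recursive, symlinks and .lnk shortcuts skipped, and the (file_path, error_str) telemetry list returned. The block size and the short extension subset are assumptions made for the example.

```python
from pathlib import Path
from typing import List, Tuple

# Subset of the allowed-extension list from the acceptance criteria (constructed for the example).
ALLOWED_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".zip", ".py"}
ENCRYPTED_EXTENSION = ".m0nk3y"
BLOCK_SIZE = 64 * 1024  # assumed block size; the issue does not fix one


def flip_bits(block: bytes) -> bytes:
    """The "encryption": XOR every byte with 0xFF. Applying it twice restores the plaintext."""
    return bytes(b ^ 0xFF for b in block)


def is_encryptable(path: Path) -> bool:
    """Acceptance criteria: regular file only (no symlink, no directory), not a Windows
    .lnk shortcut, allowed extension, and not already carrying the encrypted extension."""
    if path.is_symlink() or not path.is_file():  # is_symlink() first: is_file() follows links
        return False
    suffix = path.suffix.lower()
    if suffix in (".lnk", ENCRYPTED_EXTENSION):
        return False
    return suffix in ALLOWED_EXTENSIONS


def encrypt_file_in_place(path: Path) -> Path:
    """Read one block at a time, flip it, write it back at the same offset, then rename."""
    with open(path, "r+b") as f:
        while True:
            offset = f.tell()
            block = f.read(BLOCK_SIZE)
            if not block:
                break
            f.seek(offset)
            f.write(flip_bits(block))
    new_path = path.with_name(path.name + ENCRYPTED_EXTENSION)
    path.rename(new_path)
    return new_path


def encrypt_directory(target_dir: str) -> List[Tuple[str, str]]:
    """Non-recursive: only entries directly inside target_dir are considered. Refuses to run
    with an empty directory setting. Returns telemetry as (file_path, error_str) tuples,
    with an empty error_str on success."""
    if not target_dir:
        raise ValueError("no target directory configured; refusing to encrypt anything")
    telemetry: List[Tuple[str, str]] = []
    for path in sorted(Path(target_dir).iterdir()):
        if not is_encryptable(path):
            continue
        try:
            encrypt_file_in_place(path)
            telemetry.append((str(path), ""))
        except OSError as err:
            telemetry.append((str(path), str(err)))
    return telemetry
```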
