Tip of the Week – A Free Tool For Testing Anti-Ransomware Defenses

Written by Nathan Studebaker | October 18, 2016

We have written two PowerShell scripts that function just like ransomware. One script encrypts the data, and the other script decrypts the data using a public/private key pair. We created these as a tool so that you can test your defenses against actual ransomware. The purpose of the decrypter is to ensure that your files aren't permanently destroyed.

Here is an overview of how it works.

###USE AT YOUR OWN RISK - THESE SCRIPTS ARE PROVIDED FREE OF CHARGE - WATCHPOINT DOES NOT PROVIDE SUPPORT FOR THESE SCRIPTS. THIS IS A FREE TOOL FOR TESTING PURPOSES ONLY. DO NOT RUN IN A PRODUCTION ENVIRONMENT.###

The network drives are enumerated and sorted in descending order.
The lowest drive letter will be attacked. This gives you the ability to control what shares are affected. In my testing environments, I use the drive letter Z as my ‘attack’ drive.
All files are discovered. Only files are discovered, folders are excluded.
Each file is encrypted with the Public key of our certificate. You will need a certificate for this to work and I’ve included all the necessary steps below.
After all of the files have been encrypted, the script exits.

The decryption script does the same thing, except that it decrypts files instead of encrypting them. The script also makes a copy of every file before it encrypts them. It stores the copy in env:temp. It should go without saying, but please make sure you have a good backup before running this simulation, as the files will be encrypted. Make sure that you have permission. WatchPoint is not responisble for any outcome of running these scripts. If you know what you're doing then it's safe, if not then please don't do it!

Here are the steps to run the ransomware simulation:

The Environment:

Workgroups are not supported, so you must have a functional windows domain.
CryptoStopper is a server based application. To run the simulation you'll need a Windows server and a Windows workstation. Again, both on the same domain.
Two user accounts. Separate user accounts should be used on the workstation and the server.
A folder and some files. Ideally, in addition to a shared folder, the target share will contain at least one folder and some target files. Populating the share with some dummy files will more closely simulate a real environment and make for a better test. Within the zip file you'll find a random file generator script. You can use it to populate your share with data.
When testing the PowerShell script against CryptoStopper, be sure to select the entire shared folder. One advantage of using CryptoStopper is that it provides unavoidable protection for the network share. By selecting the root of the share, and all of the subfolders, you're setting an unavoidable trap for ransomware.

The simulation:

As mentioned previously, you’re going to need a test computer from which to run the simulation. In my example, I am using a Windows 8 computer, but Windows 7 and Windows 10 will work just fine.

Make sure that you have a good backup.
Double check that you do indeed have a good backup.
Before we can run the script, we have to provide it a certificate to use. The certificate is identified by its unique thumbprint. Here are the steps to get that thumbprint.
1. To check if the computer has a certificate installed, open PowerShell as an administrator.
2. Enter the following command: Get-childitem cert:\currentuser\my

c. If you have already have a certificate, then you’ll see output similar to the one below. If so, proceed to step 4. Otherwise keep following the steps to create a certificate.

d. Follow these steps if you don’t have a certificate.

i. Open mmc.exe.

ii. File > Add/Remove Snap-In > Certificates > My user account > Finish > Ok.

iii. Expand certificates > Personal > Certificates.

iv. All tasks > request new certificate.

v. Next > Next at Active Directory Enrollment >

vi. Checkbox for User > Enroll

vii. Now, let's check for the thumbprint again. From an admin PowerShell prompt type; get-childitem cert:\currentuser\my

viii. You should see output similar to this:

4. Now we need to copy the thumbprint id so we can use it in both the encryption and decryption script.

5. Copy the thumbprint id to the PowerShell scripts, see below:

Before:

After:

6. Next, map a drive to the server share that we want to run the simulated attack against. It’s important to know that the PowerShell scripts attack the lowest drive letter. I always map the Z: drive to the share that I am testing.

7. Now let’s create a test file on the Z: drive and enter some text. This text should be encrypted after we run our test.

8. It’s time to run the PowerShell ransomware/encryption script. Right click and select ‘Run with PowerShell.'

9. You should immediately start seeing output like this:

10. Now let’s check our plain text file. As you’ll see it’s not clear-text anymore, which means the encryption worked!

But did our defenses work? Only you can answer that question, but if you had CryptoStopper, then it definitely did!

11. Next we use the decrypt, to decrypt our files. Just like before, right-click and select ‘Run with PowerShell.'

12. Presto! The original file is back!

On a side note, and as I mentioned earlier, the script makes a copy of every file it encrypts to the env:temp directory, aka C:\users\username\AppData\Local\Temp. So if you didn’t heed the warnings in steps 1 and 2, then you can check this directory for a copy of the files, just in case the decryption didn’t work.

That’s it. You now have a simple and effective way to test the security of your network against a simulated ransomware attack. And because we have the decrypter, you can undo the affects of the ransomware attack. Feel free to put CryptoStopper to the test by downloading a free trial.

View full post