Around February last year I wrote a script that would act as a simulation of Ransomware, so I thought I’d write a quick article on how it works.
The script (located here) uses AES encryption/decryption written in PowerShell to simulate a ransomware attack. The configurable parameters let you isolate and specify exactly which files will be encrypted and decrypted, so the simulation stays confined to a test directory.
Configuring System Parameters
Nothing special is needed here: the script requires the PowerShell execution policy on the target machine to be set to Bypass. Note that Set-ExecutionPolicy changes the LocalMachine scope by default, which needs an elevated prompt; adding -Scope CurrentUser or -Scope Process avoids that and keeps the change local to the test.
Set-ExecutionPolicy -ExecutionPolicy Bypass
Running the Script
Parameters for this script are configured at runtime:
-Mode: encrypt or decrypt
-FileTargetPath: the path containing the files to encrypt or decrypt
-Extension: the extension appended to encrypted files (default: .encrypted)
-Key: the encryption key (the default is embedded in the script file)
Example usage (encryption):
.\RanSimware.ps1 -Mode encrypt -FileTargetPath "C:\TargetPath"
Example usage (decryption):
.\RanSimware.ps1 -Mode decrypt -FileTargetPath "C:\TargetPath"
Deployment Strategies
A good test of SOC capabilities might be to run this as an encoded string, e.g.:
powershell.exe -executionpolicy bypass -NoLogo -NonInteractive -WindowStyle Hidden -encodedCommand "LgAvAFIAYQBuAHMAaQBtAHcAYQByAGUALgBwAHMAMQAgAC0ATQBvAGQAZQAgAGUAbgBjAHIAeQBwAHQAIAAtAEYAaQBsAGUAVABhAHIAZwBlAHQAUABhAHQAaAAgACIAQwA6AFwAVQBzAGUAcgBzAFwAIgA="
This runs the command Base64-encoded, a common form of defense evasion. You can produce the string on another system by storing the command in a variable, Base64-encoding its UTF-16LE (Unicode) bytes, which is the encoding -EncodedCommand expects, and writing the result to the terminal:
$myCommand = './Ransimware.ps1 -Mode encrypt -FileTargetPath "C:\Users\"'
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($myCommand))
Write-Output $Encoded
The -ExecutionPolicy parameter is explained earlier in this page; when the script is deployed this way the Set-ExecutionPolicy step is unnecessary, so no extra work is needed on the target system.
The -NoLogo parameter suppresses the copyright banner on startup.
The -NonInteractive parameter removes any interactive prompt to the user.
The -WindowStyle parameter selects the window style for the session. Hidden removes the window; the other options are Normal, Minimized, and Maximized.
Executing the command like this in a PowerShell window will close the window because of the -WindowStyle parameter. Running the command through a shell or other foothold on the device will show no output and will run quietly.
This guide explains the parameters used in the powershell.exe command in a bit more depth: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1