Version 2.3.0: Ransomware Emulation

Summary

The purpose of this version is to provide a mechanism for emulating a ransomware attack without writing software that could be used for an actual ransomware attack. Essentially, we wanted a feature that looks and feels like ransomware, whose effects can be easily recovered from, and that an adversary could not repurpose without significant modification. This release provides that functionality.

Release Notes

Features

  • Ransomware Simulation SpecterScript
  • Payload caching service to reduce server load when generating new payloads
  • Significant improvements to the C# obfuscation module

Bug fixes

  • Fixed bug in Lateral Movement with Scheduled Tasks and PowerShell Cradle Commandline.
  • Fixed bug in Lateral Movement Using Service Control Manager and PowerShell Cradle (PSExec) where the service was not deleted.
  • Fixed bug where initial parameters that were not filled in were shown with valid checkmarks.

Screenshots

Ransomware Simulation Script

The new Ransomware Simulation SpecterScript deploys the SpecterCryptor payload using either WMI, Scheduled Tasks, or Services. It attempts each one in succession until one succeeds or all options are exhausted. The script can either autotarget by pulling computers from Active Directory or use an explicit target list consisting of IPs, domain names, or CIDR ranges.

The screenshot to the right shows the result of deploying to a small domain via CIDR range. Only the systems that were found to be alive are reported.
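For the blue team running such an exercise, the three deployment channels the script tries (Services, Scheduled Tasks, WMI) each leave a distinct host-side trace. The following is an added detection example, not SpecterInsight code: it runs simple heuristics over constructed, flattened key=value event records. The Windows sources used are real (System 7045 service install, Security 4698 scheduled task created, Sysmon event 1 process creation), but the record format, the field names, and the heuristics themselves are assumptions for this example.

```python
import re

# Constructed sample records (not real telemetry): one per deployment channel the
# simulation script tries, plus one benign service install that must not be flagged.
SAMPLE_EVENTS = [
    r"Channel=System EventID=7045 ServiceName=Updater ImagePath=C:\Windows\Temp\cryptor.exe",
    r"Channel=Security EventID=4698 TaskName=\Sync Command=powershell.exe -nop -enc AAAA",
    r"Channel=Sysmon EventID=1 ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe Image=C:\Users\Public\run.exe",
    r"Channel=System EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
]

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value pairs; values may contain spaces
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")  # assumed allow-list for service binaries

def parse_event(line):
    """Split a flattened key=value record into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}

def classify(event):
    """Return the deployment channel an event suggests, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == "7045":  # Service Control Manager: a service was installed
        path = event.get("ImagePath", "").lower().strip('"')
        if not path.startswith(TRUSTED_DIRS):
            return "services"
    elif eid == "4698":  # Security: a scheduled task was created
        cmd = event.get("Command", "").lower()
        if "powershell" in cmd and ("-enc" in cmd or "downloadstring" in cmd):
            return "scheduled-tasks"
    elif eid == "1":  # Sysmon process creation; WMI-launched processes are children of WmiPrvSE
        parent = event.get("ParentImage", "").lower()
        if parent.endswith(r"\wmiprvse.exe"):
            return "wmi"
    return None

def find_deployments(lines):
    """Return (channel, event) for every record that matches a deployment heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        channel = classify(ev)
        if channel:
            hits.append((channel, ev))
    return hits

if __name__ == "__main__":
    for channel, ev in find_deployments(SAMPLE_EVENTS):
        print(f"{channel:16s} {ev}")
```

Because the script falls through the channels in order, a single target may produce records from more than one channel; correlating them by host and time window distinguishes one failed-then-retried deployment from three separate ones.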

SpecterCryptor

SpecterCryptor is the ransomware emulation feature of SpecterInsight. The screenshot to the right is the UI for the ransom message and decryptor application. It contains the fictitious ransom message shown as well as links for people new to bitcoin. The UI is based on a common ransomware family. The Decrypt button works regardless of whether or not a ransom is paid. The intent of this application is to provide a single, universal method for decrypting and restoring all encrypted files created during the emulated attack, and to serve as a prompt for students or security professionals in a training environment.
