Ransomware Simulation Attack

This is a method by which TSS tests whether an attack on a company’s network would succeed or fail. The exercise identifies weaknesses in the network, highlights the areas of concern, and gives the client evidence to support immediate remediation.

Tampa Ransomware Simulation Services

Ransomware attacks are the last thing organizations need. Conducting ransomware simulations can help defend against them.

Every organization, no matter how large or small, is vulnerable to ransomware attacks. What can organizations do in the face of this evolving threat? One method: Perform ransomware simulations on themselves. This approach might seem counterintuitive, but it’s a solid, proactive way to fend off an attack.


Validate Your Controls

Endpoint Controls

Network Controls

Active Directory Controls

SIEM Capabilities

MSP Capabilities

Identify Detection Gaps

Missing Data Sources

Disabled Controls

Configured Controls

Misconfigured Controls

Broken Telemetry Flows

Missing Detections

Incomplete Coverage

Kill Chain Gaps

Continuous Improvement

After Remediation Reviews

Baseline Progressive Review

Quarterly Updates

Access to ongoing Threat Feeds

How It Works

In order to simulate the behavior of ransomware as accurately as possible, the TSS Process can encrypt user-specified files using a fully reversible algorithm. A number of mechanisms are in place to ensure that all actions performed by the encryption routine are safe for production environments.

Preparing your environment for a ransomware simulation

The TSS Process will only encrypt files that you allow it to. In order to take full advantage of the TSS Process’s ransomware simulation, you’ll need to provide it with a directory that contains files that are safe for it to encrypt. The recommended approach is to use a remote administration tool, such as Ansible or PsExec, to add a “ransomware target” directory to each machine in your environment. The TSS Process can then be configured to encrypt only the files in this directory.

How are the files encrypted?

Files are “encrypted” in place with a simple bit flip: every bit of the file’s contents is inverted. Encrypted files are renamed to have .m0nk3y appended to their names. This is a safe way to simulate encryption since it is easy to “decrypt” your files: you simply flip the bits of the files again and rename them to remove the appended .m0nk3y extension.

Flipping a file’s bits is sufficient to simulate the encryption behavior of ransomware, as the data in your files has been manipulated (leaving them temporarily unusable). Files are then renamed with a new extension appended, which is similar to the way that many ransomware families behave. As this is a simulation, your security solutions should be triggered to notify you or prevent these changes from taking place. One caveat when interpreting results: inverting bits maps each byte value one-to-one onto another, so the byte-frequency distribution, and therefore the Shannon entropy, of a file does not change. A control that detects ransomware only by an entropy jump will not fire on this simulation, whereas controls that watch for mass in-place modification, mass renames to a new extension, or changes to canary files should.

Which files are encrypted?

During the ransomware simulation, attempts will be made to encrypt all regular files with targeted file extensions in the configured directory. The simulation is not recursive, i.e. it will not touch any files in sub-directories of the configured directory. The TSS Process will not follow any symlinks or shortcuts.

These precautions are taken to prevent the TSS Process from accidentally encrypting files that you didn’t intend to encrypt.

Files targeted for encryption

Only regular files with certain extensions are encrypted by the ransomware simulation. This list is based on the analysis of the Goldeneye ransomware by BitDefender.


Leaving a README.txt file

Many ransomware packages leave a README.txt file on the victim machine with an explanation of what has occurred and instructions for paying the attacker. The TSS Process will also leave a README.txt file in the target directory on the victim machine in order to replicate this behavior.

The README.txt file informs the user that a ransomware simulation has taken place and that they should contact their administrator. The contents of the file can be found.
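The behavior described in the sections above (staging a target directory, non-recursive selection of regular files by extension with no symlink following, the in-place bit flip plus the .m0nk3y rename, the README.txt note, and the reversal) as an added Python example. This is not the TSS Process’s code and is not taken from this page. It assumes that “bit flip” means inverting every bit (XOR 0xFF), uses a short placeholder extension list rather than the Goldeneye-derived list, and constructs its own README text and sample files in a temporary directory in place of the Ansible/PsExec staging step.

```python
"""Added example: a minimal, reversible ransomware-simulation harness modelled
on the behaviour this page describes. It is NOT the TSS Process's own code.
Assumptions (not stated on the page): "bit flip" means every bit is inverted
(XOR 0xFF); TARGET_EXTENSIONS is a small placeholder list, not the
Goldeneye-derived list; README_TEXT and the sample files are constructed."""
import os
import shutil
import tempfile
from pathlib import Path

SIM_EXTENSION = ".m0nk3y"
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt"}   # placeholder list
README_TEXT = ("This file was written by a RANSOMWARE SIMULATION.\n"
               "No data has been lost. Please contact your administrator.\n")


def flip_bits(data: bytes) -> bytes:
    """Invert every bit. The operation is its own inverse, so it is fully reversible."""
    return bytes(b ^ 0xFF for b in data)


def select_targets(target_dir: Path) -> list[Path]:
    """Regular files with a targeted extension directly inside target_dir.
    Not recursive: sub-directories are skipped, and symlinks are never followed."""
    picked = []
    with os.scandir(target_dir) as entries:
        for entry in entries:
            if entry.is_symlink() or not entry.is_file(follow_symlinks=False):
                continue
            if Path(entry.name).suffix.lower() in TARGET_EXTENSIONS:
                picked.append(Path(entry.path))
    return sorted(picked)


def simulate(target_dir: Path) -> list[Path]:
    """'Encrypt' eligible files in place, append SIM_EXTENSION, drop README.txt."""
    touched = []
    for path in select_targets(target_dir):
        path.write_bytes(flip_bits(path.read_bytes()))
        renamed = path.with_name(path.name + SIM_EXTENSION)
        path.rename(renamed)
        touched.append(renamed)
    # Written after the loop so the note itself is never "encrypted".
    (target_dir / "README.txt").write_text(README_TEXT)
    return touched


def revert(target_dir: Path) -> list[Path]:
    """Undo the simulation: remove our README, flip bits back, strip the extension."""
    readme = target_dir / "README.txt"
    # Remove the simulation's note first, so a victim's own README.txt
    # (now README.txt.m0nk3y) can be restored without a name collision.
    if readme.is_file() and not readme.is_symlink() and readme.read_text() == README_TEXT:
        readme.unlink()
    restored = []
    for path in sorted(target_dir.iterdir()):
        if path.is_symlink() or not path.is_file() or path.suffix != SIM_EXTENSION:
            continue
        path.write_bytes(flip_bits(path.read_bytes()))
        original = path.with_name(path.name[:-len(SIM_EXTENSION)])
        path.rename(original)
        restored.append(original)
    return restored


def run_demo() -> dict:
    """Stage a constructed target directory (standing in for the Ansible/PsExec
    step), run the simulation, check the safety rules, then revert."""
    root = Path(tempfile.mkdtemp(prefix="ransim-"))
    samples = {"report.docx": b"Q3 revenue report", "notes.txt": b"meeting notes",
               "logo.png": b"\x89PNG not targeted"}
    for name, content in samples.items():
        (root / name).write_bytes(content)
    (root / "nested").mkdir()
    (root / "nested" / "budget.xlsx").write_bytes(b"must not be touched")
    try:  # a symlink pointing at a target: must be skipped, not followed
        (root / "link.pdf").symlink_to(root / "report.docx")
    except OSError:
        pass  # symlink creation may be unavailable (e.g. unprivileged Windows)

    touched = simulate(root)
    result = {
        "encrypted": sorted(p.name for p in touched),
        "report_flipped": (root / "report.docx.m0nk3y").read_bytes()
                          == flip_bits(samples["report.docx"]),
        "nested_untouched": (root / "nested" / "budget.xlsx").read_bytes()
                            == b"must not be touched",
        "readme_present_after_sim": (root / "README.txt").read_text() == README_TEXT,
    }
    restored = revert(root)
    result["restored"] = sorted(p.name for p in restored)
    result["all_intact"] = all((root / n).read_bytes() == c for n, c in samples.items())
    result["readme_removed"] = not (root / "README.txt").exists()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The symlink case shows why the no-follow rule matters: if the link were followed, report.docx would be flipped twice (once directly, once through the link) and end up unchanged, while a file outside the target directory could be reached through a link planted inside it. Running the harness against a staged directory on an endpoint, then checking which of the rename, mass-modification and README writes your EDR or SIEM actually recorded, is the detection-gap exercise the page describes.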


Contact Us

+1 (813) 291-3693 (international calls on WhatsApp)

14906 Winding Creek Ct. Ste. 101-D Tampa, FL 33613

Monday - Friday: 9am - 5pm

Get Started

Contact us at info@threatshieldsecurity.com or at +1 (813) 291-3693 and one of our consultants will provide additional information.