How to: Simulating A Ransomware Attack With PowerShell
How can one detect ransomware?
Although intentionally installing ransomware on your computer is not a good idea, there are ways to replicate its effects. These are the conditions that detection software should look out for:
1. One user renames more than 100 files.
2. One user modifies more than 100 files.
3. Conditions 1 and 2 both occur in less than 60 seconds.
Ransomware usually encrypts each file and changes its extension, which is exactly what produces the pattern above.
NOTE: Ransomware variants can behave in different ways. These are the most common behavior patterns that have been documented.
The following PowerShell script lets you replicate these conditions in your lab environment:
This is the breakdown of the script:
- Lines 1 through 3 set up the environment.
- Line 1 assigns $strDir to the test directory that will be monitored for a ransomware attack.
- Line 2 empties the test directory. You probably do not want to do this indiscriminately in a production area, but I do want to do it in my test area.
- Line 3 creates 200 text files in $strDir. In PowerShell, 1..200 expands to every number from 1 to 200 inclusive; a file is created for each number and the output is suppressed.
- Line 4 simulates the ransomware. For each of 101 files, $strPath holds the path of one of the files created in line 3, and $strNewPath holds the same path with an added extension. The file's contents are modified by appending "changed" to it, and the file is then renamed. The whole loop is wrapped in a Measure-Command block so I can track how long it takes.
My previous test showed that the ransomware component took 688 ms.
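The script itself is not reproduced on this page, so the following is an added example, not the author's script: it reconstructs the four steps from the breakdown above for use against a detection tool in a lab. The directory path and the ".encrypted" extension are assumptions; point $strDir only at a disposable lab folder.

```powershell
# Added example reconstructed from the breakdown above; not the author's original script.
# $strDir is an assumed lab path. Adjust it, and never point it at production data.
$strDir = 'C:\RansomwareLab\Target'       # Line 1: directory the detection tool monitors

# Line 2: start from an empty test directory (create it if it does not exist yet)
if (Test-Path $strDir) {
    Remove-Item -Path (Join-Path $strDir '*') -Recurse -Force
} else {
    New-Item -ItemType Directory -Path $strDir | Out-Null
}

# Line 3: create 200 small text files, file1.txt .. file200.txt, suppressing output
1..200 | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $strDir "file$_.txt") -Value "original content $_" | Out-Null
}

# Line 4: the simulated ransomware burst, 101 files modified and renamed, timed with Measure-Command.
# This produces the detection pattern (>100 modifies and >100 renames by one user in <60 s)
# without encrypting anything.
$elapsed = Measure-Command {
    1..101 | ForEach-Object {
        $strPath    = Join-Path $strDir "file$_.txt"   # one of the files created in line 3
        $strNewPath = "$strPath.encrypted"             # same file with an assumed "ransom" extension
        Add-Content -Path $strPath -Value 'changed'    # modify event
        Rename-Item -Path $strPath -NewName (Split-Path -Path $strNewPath -Leaf)   # rename event
    }
}
"Simulated ransomware touched 101 files in $([int]$elapsed.TotalMilliseconds) ms"
```

Run it while your monitoring is active and confirm that the tool raises an alert on the modify-plus-rename burst, then compare the reported elapsed time with the 60-second window in the detection conditions.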