But how does one test for ransomware detection?
While it is ill-advised to purposely install ransomware, there are ways to emulate its effects. Conditions that detection software looks for include:
1. A user that renames more than 100 files
2. A user that modifies more than 100 files
3. Conditions 1 and 2 happen in under 60 seconds
These conditions arise because ransomware usually encrypts or modifies files and appends a new file extension very quickly.
NOTE: Ransomware variants behave in many different ways. The conditions listed above are the more commonly documented behaviors.
The following PowerShell script can be used to emulate the above conditions within your lab environment:
The breakdown of this script is as follows:
- Lines 1, 2 and 3 set up the environment.
- Line 1 assigns $strDir the test directory to be monitored for ransomware attacks.
- Line 2 empties the test directory. You probably don't want to do this indiscriminately in a production area, but I want to do it in my test area.
- Line 3 creates 200 txt files in $strDir. 1..200 is a slick way of writing all the numbers between 1 and 200 inclusive; try it yourself in a PowerShell console. Then, for each of those numbers, we create a file and suppress the output.
- Line 4 simulates the ransomware condition. For 101 files, we set a variable $strPath to an individual file created in line 3. We also craft a new path, stored in $strNewPath, which is the same file but with an appended extension. Then I change the contents of the file by writing "changed" inside it. Finally, I rename the file. The whole thing is wrapped in a Measure-Command block so I can see how long it takes.
During my previous test the ransomware part took 688 ms.
Test this in lab for yourself and see if you can detect this simulated ransomware attack.
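The four steps in the breakdown above, written out as an added PowerShell example. This is not the author's script (which is not reproduced on this page); the directory C:\RansomTest and the .encrypted extension are assumed placeholder values for a lab.

```powershell
# Added example, not the blog's own script. $strDir is an assumed lab path; change it
# before running. Only ever run this against a disposable test directory.
$strDir = 'C:\RansomTest'

# Steps 1-2: make sure the test directory exists and is empty
if (-not (Test-Path -Path $strDir)) {
    New-Item -ItemType Directory -Path $strDir | Out-Null
}
Remove-Item -Path (Join-Path $strDir '*') -Recurse -Force

# Step 3: create 200 text files; 1..200 expands to the integers 1 through 200
1..200 | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $strDir "file$_.txt") | Out-Null
}

# Step 4: modify and rename 101 of those files in one burst, timing the whole thing.
# This is the pattern a "many modifies + many renames in under 60 seconds" rule keys on.
$elapsed = Measure-Command {
    1..101 | ForEach-Object {
        $strPath    = Join-Path $strDir "file$_.txt"
        $strNewName = "file$_.txt.encrypted"   # appended extension (constructed value)
        Set-Content -Path $strPath -Value 'changed'
        Rename-Item -Path $strPath -NewName $strNewName
    }
}

# Sanity check: confirm the detection conditions were actually produced
$renamed = (Get-ChildItem -Path $strDir -Filter '*.encrypted').Count
"Modified and renamed $renamed files in $([int]$elapsed.TotalMilliseconds) ms"
if ($renamed -ge 100 -and $elapsed.TotalSeconds -lt 60) {
    'Conditions met: your ransomware detection should have fired.'
}
```

Compare the reported time against your detection tool's alert timestamp to see how quickly it reacted.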
Tom is a sysadmin who likes blogging. His blog is not a promotional tool for any service; he wants it to be learnings and tales from a real sysadmin.