Testing Ransomware

DustinB3403

@IRJ said in Testing Ransomware:

@DustinB3403 said in Testing Ransomware:

The reason that "testing ransomware" is so dangerous is because no matter how "safe" you are, you still run the risk of causing unintentional damage.

Lacking a better example; Testing condoms to see if they actually stop the HIV virus by having intercourse with someone with the HIV virus.

Sure... you're testing the protection, but what if something goes wrong?

Well if you are testing the condom itself for leaks then you are fine. I wouldn't test it on my body (live system).

But the test is worthless without a whole-system approach; right? So the only true way to know is by doing the test in a real world scenario.

Which no one would willfully do (I would hope)

stacksofplates

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

IRJ

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

stacksofplates

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

IRJ

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

stacksofplates

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

I think it would be too late. You take a "snapshot" of a good config and it makes a database. Then when you run the check it compares the database to the actual files on your system. It's more for systems that don't change at all, like our workstations and hypervisors.

IRJ

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

I think it would be too late. You take a "snapshot" of a good config and it makes a database. Then when you run the check it compares the database to the actual files on your system. It's more for systems that don't change at all, like our workstations and hypervisors.

AlienVault has an agent that checks file integrity and registry changes. Unfortunately you have to deploy an agent. How does the file check on AIDE work for networked systems? Do they need some type of agent?

stacksofplates

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

I think it would be too late. You take a "snapshot" of a good config and it makes a database. Then when you run the check it compares the database to the actual files on your system. It's more for systems that don't change at all, like our workstations and hypervisors.

AlienVault has an agent that checks file integrity and registry changes. Unfortunately you have to deploy an agent. How does the file check on AIDE work for networked systems? Do they need some type of agent?

It all runs locally. You just set up a cron job and it can email out the results.

IRJ

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

I think it would be too late. You take a "snapshot" of a good config and it makes a database. Then when you run the check it compares the database to the actual files on your system. It's more for systems that don't change at all, like our workstations and hypervisors.

AlienVault has an agent that checks file integrity and registry changes. Unfortunately you have to deploy an agent. How does the file check on AIDE work for networked systems? Do they need some type of agent?

It all runs locally. You just set up a cron job and it can email out the results.

Ah, so it monitors the local server. No way to monitor other servers?

stacksofplates

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

@stacksofplates said in Testing Ransomware:

@IRJ said in Testing Ransomware:

How do are you guys testing Ransomware?

I have some rules set up in IDS to shut a system down if it were to get infected. However I am not sure how I can test if this works without creating a major threat on our network.

Can you replicate on a standalone system? Just two VMs, one for the IDS and the other for the ransomware?

That is kind of what I was thinking. I may need to talk to AV support to find out how I can do that for testing.

Ya. Buy a junk drive and just trash it when you're done if you're really concerned. Or just use an old junk drive and trash it.

I saw on your other post, you use AIDE. Would that help detect ransomware, or would it be too late by then?

I think it would be too late. You take a "snapshot" of a good config and it makes a database. Then when you run the check it compares the database to the actual files on your system. It's more for systems that don't change at all, like our workstations and hypervisors.

AlienVault has an agent that checks file integrity and registry changes. Unfortunately you have to deploy an agent. How does the file check on AIDE work for networked systems? Do they need some type of agent?

It all runs locally. You just set up a cron job and it can email out the results.

Ah, so it monitors the local server. No way to monitor other servers?

No. It's just a local service. I mean you could mount directories and such from other systems, but it's just as easy to have it configure during the post install and then start checking on each system.

Shuey

"RanSim"

Ambarishrh

I posted about this recently
https://www.mangolassi.it/topic/11225/ransim-ransomware-simulator

Shuey

@Ambarishrh said in Testing Ransomware:

I posted about this recently
https://www.mangolassi.it/topic/11225/ransim-ransomware-simulator

Right, which is the same thing I just posted above you

Ambarishrh