
Ransomware Practice Exercise

1. Experiment

1.1 Knowledge points

This experiment shows what happens when an email attachment containing ransomware is opened on an Alibaba Cloud ECS instance running Windows, so that you can observe how ransomware is delivered, installed and triggered. Ransomware is a class of malware that spreads mainly through email attachments, trojanized programs and malicious web pages. An infection can cause serious and often irreversible losses: the ransomware encrypts the victim's files, usually with a mix of symmetric and public-key algorithms, so that they cannot be decrypted without the attacker's private key. The attackers offer that key only in exchange for payment, and paying does not guarantee that the files come back; the dependable recovery path is a backup taken before the infection and stored where the infected machine cannot reach it.

1.2 Experiment process

  • Log on to the attacked host
  • Run the email attachment containing ransomware
  • Verify infection

1.3 Cloud resources required

  • ECS

1.4 Prerequisites

  • If you are using your own Alibaba Cloud account instead of the account provided by this lab, choose a Windows operating system image for your ECS instance: the experiment runs on a Windows instance and the sample is a Windows executable, so the steps below will not work on a Linux image.
  • Treat the attachment as live malware. Run it only on a disposable instance with no mapped network drives, no shared folders and no credentials you care about, and release the instance when the lab ends.
  • Before starting the experiment, confirm that the previous experiment has been closed normally and that you have exited it.

2. Start the experiment environment

Click Start Lab in the upper right corner of the page to start the experiment.

image desc.

After the experiment environment is successfully started, the system has deployed the resources required by this experiment in the background (for this lab, the ECS instance listed under section 1.3). An account consisting of the username and password for logging on to the Alibaba Cloud Web console is also provided.

image desc

After the experiment environment is started and related resources are properly deployed, the experiment starts a countdown. You have two hours to perform experimental operations. After the countdown ends, the experiment stops, and related resources are released. During the experiment, pay attention to the remaining time and arrange your time wisely. Next, use the username and password provided by the system to log on to the Web console of Alibaba Cloud and view related resources:


Go to the logon page of Alibaba Cloud console.

image desc

Fill in the sub-user account and click Next.

image desc

Fill in the sub-user password and click Log on.

image desc

After you successfully log on to the console, the following page is displayed.

image desc

3. Log on to the server

3.1 View ECS instances

Click Elastic Compute Service, as shown in the following picture.

image desc

We can see one running ECS instance in the US West 1 region. Click it to go to the ECS console as shown in the following picture.

image desc

You can find an ECS instance with the Windows system.

image desc

3.2 Log on to the Windows instance

As shown in the preceding figure, click Connect for the Windows instance to log on to it remotely.

image desc

Click Modify VNC Password in the upper-right corner.

image desc

Reset the password to Ali123 and click OK, as shown in the following figure.

image desc

Enter your password and click OK.

image desc

On your first logon the instance shows a locked (sleep) screen. Send Ctrl+Alt+Delete through the VNC console's remote command menu to reach the Windows logon prompt, as shown in the following figure.

image desc

Enter the administrator account name and password.

Account name: Administrator

Password: nkYHG890..

image desc

image desc

image desc

The logon is successful.

image desc

4. Run the email attachment containing ransomware

Locate the email that carries the ransomware attachment. Open the ransomware folder on the desktop and double-click the saved email file. This simulates receiving an email with the ransomware attached.

image desc

image desc

Right-click the attachment, choose Save As, and save it to the desktop:

image desc

Extract the attachment. Double-click the archive to open it and view its contents, as shown in the following figure:

image desc

Select the file “solidisk_technology_ltd.scr” and press Ctrl+C, then press Ctrl+V in an empty area of the desktop to copy it out of the archive, as shown in the following figure. Note the extension: a .scr file is a screen-saver program, which on Windows is an ordinary executable, so double-clicking it runs code exactly as an .exe would.

image desc

Double-click the file to run it. A WordPad window is displayed as a decoy document, while in the background the ransomware installs itself as the screen saver.

image desc
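Before running a file like this, a practitioner would first check what it actually is. The following PowerShell script is an added example, not part of the original lab, and assumes the attachment has been copied to the desktop as solidisk_technology_ltd.scr and that PowerShell 3.0 or later is available on the instance. It checks whether the file is a Windows PE executable regardless of its .scr extension, records its SHA-256 for later comparison, and reads the Zone.Identifier stream (mark-of-the-web) that Windows attaches to files saved from a mail client or browser:

```powershell
# Added example for the lab, not original lab content. Inspects the saved
# attachment before it is executed. The path is an assumption matching the
# lab's "paste it on the desktop" step.
$sample = Join-Path ([Environment]::GetFolderPath('Desktop')) 'solidisk_technology_ltd.scr'

function Get-AttachmentTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # A .scr "screen saver" is a normal Win32 PE executable. Check the DOS
    # header 'MZ', then follow e_lfanew (the 4-byte offset at 0x3C) to 'PE\0\0'.
    $isMz = ($bytes.Length -ge 0x40) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
    $isPe = $false
    if ($isMz) {
        $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
        if (($peOffset -gt 0) -and ($peOffset + 4 -le $bytes.Length)) {
            $isPe = ($bytes[$peOffset] -eq 0x50) -and ($bytes[$peOffset + 1] -eq 0x45) -and
                    ($bytes[$peOffset + 2] -eq 0)  -and ($bytes[$peOffset + 3] -eq 0)
        }
    }

    # SHA-256 via .NET so the script also works where Get-FileHash is absent.
    $sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
               ForEach-Object { $_.ToString('x2') }) -join ''

    # Mark-of-the-Web: files saved from a mail client or browser carry a
    # Zone.Identifier alternate data stream; ZoneId=3 means "Internet".
    # Some archivers drop it when extracting, so its absence proves nothing.
    $zoneId = $null
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { $zoneId = $line.Substring('ZoneId='.Length) }
    } catch { }

    # Extensions that Windows runs directly on double-click.
    $execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd')

    [pscustomobject]@{
        Name              = $item.Name
        Extension         = $item.Extension
        SizeBytes         = $item.Length
        IsPE              = $isPe
        Sha256            = $sha256
        ZoneId            = $zoneId
        RunsOnDoubleClick = $isPe -or ($execExt -contains $item.Extension.ToLower())
    }
}

Get-AttachmentTriage -Path $sample | Format-List
```

The useful outcome is IsPE being true for a file whose icon and name suggest a harmless screen saver; keep the Sha256 value, because it lets you confirm later that whatever the screen saver now points to is the same file you ran.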

5. Verify infection

The ransomware is now bound to the screen saver, so you trigger it by enabling the screen saver. Choose Start > Control Panel > Display, then click “Change screen saver”:

image desc

image desc

In Screen Saver Settings, choose the “Blank” screen saver and click Apply > OK.

image desc

Then move the mouse off the VNC window so the instance receives no input, and wait one minute, which is the screen-saver wait time set in the dialog. When the idle timeout elapses, Windows launches the screen saver, the ransomware runs and displays this prompt:

image desc
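To confirm what Windows will actually launch when the idle timeout elapses, read the per-user screen-saver configuration rather than relying on the Control Panel dialog. The script below is an added example, not part of the original lab; it assumes the lab's Windows instance and PowerShell 3.0 or later. Windows keeps the active screen saver in the SCRNSAVE.EXE value under HKCU:\Control Panel\Desktop, next to ScreenSaveActive and ScreenSaveTimeOut; the built-in screen savers live in System32, so a path anywhere else deserves a look. Run it once before section 4 and again after enabling the screen saver, and compare the two outputs:

```powershell
# Added example for the lab, not original lab content. Reads the current
# user's screen-saver settings and reports where SCRNSAVE.EXE points.
function Get-ScreenSaverConfig {
    $key = 'HKCU:\Control Panel\Desktop'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # SCRNSAVE.EXE is the program Windows starts when the idle timeout
    # (ScreenSaveTimeOut, in seconds) elapses and ScreenSaveActive is "1".
    $exe      = $p.'SCRNSAVE.EXE'
    $resolved = $null
    if ($exe) { $resolved = [Environment]::ExpandEnvironmentVariables($exe).Trim('"') }

    # Built-in screen savers (scrnsave.scr, ssText3d.scr, ...) live in System32.
    $sys32      = Join-Path $env:SystemRoot 'System32'
    $inSystem32 = [bool]$resolved -and ($resolved -like "$sys32\*")

    # Hash the target so it can be compared with the attachment from section 4.
    $hash = $null
    if ($resolved -and (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        $bytes = [System.IO.File]::ReadAllBytes($resolved)
        $hash  = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
                  ForEach-Object { $_.ToString('x2') }) -join ''
    }

    [pscustomobject]@{
        ScreenSaveActive = $p.ScreenSaveActive
        TimeoutSeconds   = $p.ScreenSaveTimeOut
        ConfiguredExe    = $exe
        ResolvedPath     = $resolved
        InSystem32       = $inSystem32
        Sha256           = $hash
        Suspicious       = ([bool]$exe) -and (-not $inSystem32)
    }
}

Get-ScreenSaverConfig | Format-List
```

If SCRNSAVE.EXE still points at a built-in screen saver in System32 yet the ransom prompt appears, the sample persists by some other means and the screen-saver timeout is only the moment it chose to surface; in that case the registry Run keys and scheduled tasks are the next places to check.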

This completes the experiment. We have seen how a screen-saver executable delivered by email, once run, can install ransomware and use the screen-saver idle timeout as its trigger.

Reminder:
Before you leave this lab, log out of your Alibaba Cloud RAM account before you click the Stop button of the lab. Otherwise you may encounter problems when opening a new lab session in the same browser:

image desc

6. Experiment summary

This experiment shows how ransomware delivered as an email attachment is run on a Windows system and walks through the infection process. This kind of malware is highly targeted and spreads mainly by email. To reduce the risk of infection: do not open attachments from senders you do not know, and be especially wary of executable attachments such as .scr and .exe files, including ones hidden inside archives; keep your antivirus software and its signature database up to date so that known samples are detected before they run; and back up important data regularly to a remote or offline location that an infected machine cannot reach, so that files can be restored without paying a ransom.