Ransomware Practice Exercise
1. Experiment
1.1 Knowledge points
This experiment shows what happens when an email containing ransomware is opened on an Alibaba Cloud ECS instance running Windows, so that you can better understand how ransomware propagates. Ransomware is a relatively new kind of computer virus that is mainly spread through emails, program trojans, and webpage trojans. It can cause serious harm: if your computer is infected, the losses can be inestimable. Ransomware uses a variety of encryption algorithms to encrypt files, which the victim usually cannot decrypt; the only way to decrypt the files is to request the private key from the hackers.
1.2 Experiment process
- Log on to the attacked host
- Run the email attachment containing ransomware
- Verify infection
1.3 Cloud resources required
1.4 Prerequisites
- If you are using your own Alibaba Cloud account instead of the account provided by this lab, note that you need to choose the same Ubuntu 16.04 operating system for your ECS instance in order to run the experiment smoothly.
- Before starting the experiment, confirm that the previous experiment has been closed and exited normally.
2. Start the experiment environment
Click Start Lab in the upper right corner of the page to start the experiment.
After the experiment environment is successfully started, the system has deployed resources required by this experiment in the background, including the ECS instance, RDS instance, Server Load Balancer instance, and OSS bucket. An account consisting of the username and password for logging on to the Web console of Alibaba Cloud is also provided.
After the experiment environment is started and the related resources are deployed, a two-hour countdown begins. When the countdown ends, the experiment stops and the related resources are released, so pay attention to the remaining time and plan your work accordingly. Next, use the username and password provided by the system to log on to the Alibaba Cloud Web console and view the related resources:
Go to the logon page of Alibaba Cloud console.
Fill in the sub-user account and click Next.
Fill in the sub-user password and click Log on.
After you successfully log on to the console, the following page is displayed.
3. Log on to the server
3.1 View ECS instances
Click Elastic Compute Service, as shown in the following picture.
We can see one running ECS instance in the US West 1 region. Click it to go to the ECS console as shown in the following picture.
You can find an ECS instance with the Windows system.
3.2 Log on to the Windows instance
As shown in the preceding figure, click Connect for the Windows instance to log on to it remotely.
Click Modify VNC Password in the upper-right corner.
Reset the password to Ali123 and click OK, as shown in the following figure.
Enter your password and click OK.
On your first logon, the instance is in the Sleep state. Send the command request, as shown in the following figure.
Enter the administrator account name and password.
Account name: Administrator
Password: nkYHG890..
The logon is successful.
4. Run the email attachment containing ransomware
Locate the email attachment containing the ransomware: open the ransomware folder on the desktop and double-click the file. This simulates receiving an email that contains ransomware.
Right-click the attachment, choose Save As, and save it to the desktop:
Extract the attachment. Double-click the archive to open it and view the file directory, as shown in the following figure:
Select the file “solidisk_technology_ltd.scr” and press Ctrl+C. Then, press Ctrl+V to paste the file in an empty space on the desktop, as shown in the following figure:
Double-click the file to run it. A WordPad window is displayed. (The ransomware is now installed as the screen saver.)
5. Verify infection
The ransomware is now bound to the screen saver program, so you need to enable the screen saver to verify the infection. Choose Start > Control Panel > Display and then “Change screen saver”:
In Screen Saver Settings, choose the “Blank” screen saver and click Apply > OK.
Then, move the cursor to any location on the local PC and wait one minute. After the ransomware runs, it displays this prompt:
This completes the experiment. We have now seen how ransomware can be run through a screen saver.
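As an added example (not part of the lab's own material), the following Python script shows a defender-side check for the mechanism used above: it flags attachments that are Windows PE executables, including .scr screen savers, whatever their file name claims, and checks whether a configured screen saver path points outside the Windows system directories. The sample attachments and the minimal PE header are constructed; the registry value name SCRNSAVE.EXE and the trusted directories are assumptions about a default Windows installation.

```python
import struct

# Windows runs files with these extensions directly; a .scr screen saver is an
# ordinary PE executable, which is how the lab's attachment ends up running.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}
# Where legitimate screen savers live (assumption: default install). The active
# one is recorded in the registry value SCRNSAVE.EXE under HKCU\Control Panel\Desktop.
TRUSTED_SCR_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_attachment(name: str, data: bytes) -> str:
    """Judge an attachment by its extension and by what the bytes really are."""
    parts = name.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    pe = is_pe_image(data)
    if pe and ext in EXECUTABLE_EXTENSIONS:
        return "block: executable attachment"
    if pe:
        return "block: executable disguised as " + (ext or "no extension")
    if ext in EXECUTABLE_EXTENSIONS:
        return "suspicious: executable extension, non-PE content"
    return "allow"

def screensaver_is_trusted(scrnsave_exe: str) -> bool:
    """A configured screen saver outside the Windows system directories
    (for example one sitting on a user's desktop) is a red flag."""
    return scrnsave_exe.lower().startswith(TRUSTED_SCR_DIRS)

def fake_pe() -> bytes:
    """Constructed minimal PE-style header used only as sample input."""
    hdr = bytearray(0x84)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)

# Constructed samples; the first mirrors the lab's attachment by name only.
SAMPLE_ATTACHMENTS = {
    "solidisk_technology_ltd.scr": fake_pe(),
    "photo.jpg": fake_pe(),  # executable renamed to look like an image
    "notes.scr": b"not a program",
    "invoice.pdf": b"%PDF-1.4 constructed sample",
}
```

Run `classify_attachment` over `SAMPLE_ATTACHMENTS` to see that both PE samples are blocked regardless of extension, and feed the real SCRNSAVE.EXE value to `screensaver_is_trusted` on a host you administer to spot a screen saver that was swapped for a desktop file.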
Reminder:
Before you leave this lab, remember to log out of your Alibaba RAM account before you click the ‘stop’ button of your lab. Otherwise you will encounter issues when opening a new lab session in the same browser:
6. Experiment summary
This experiment shows how ransomware contained in an email attachment is run on a Windows system and demonstrates the infection process. This kind of virus is highly targeted and is mainly spread via email. To prevent ransomware infection, do not open emails from senders you do not know. Keep your antivirus software updated with the latest virus definitions so that it can detect viruses contained in such emails. Regularly back up important data and files on your computer to a remote location so that you can recover them if your computer is infected.