WEBVTT

00:00.080 --> 00:03.260
So previously we covered a number of modules in Empire.

00:03.260 --> 00:06.350
And please note that these are not the only modules that you can run.

00:06.350 --> 00:07.820
Like I said, there are so many.

00:07.820 --> 00:12.170
I'm just focusing on some of the most unique modules to Empire.

00:12.170 --> 00:17.870
And like I said, I'm trying to cover different examples so that in the future you should be able to

00:17.870 --> 00:21.590
pick up any module and be able to use it yourself.

00:21.590 --> 00:27.290
Now, a very interesting module that Empire has built in is the ransomware module.

00:27.290 --> 00:30.620
And before we use that, let's just talk about ransomware for a minute.

00:30.620 --> 00:35.390
You probably already know what it is, but let me just walk you through how ransom works very, very

00:35.390 --> 00:35.990
quickly.

00:36.350 --> 00:42.050
So you have a computer right here, and it's got its normal file system, its normal directories, documents,

00:42.050 --> 00:42.920
downloads, pictures.

00:42.920 --> 00:50.510
Just as an example, once this computer gets infected by a ransomware malware, it's going to encrypt

00:50.510 --> 00:55.340
one of these directories or potentially the whole file system in many cases.

00:55.760 --> 01:01.160
Once it does that, the files that you have will still exist within this directory.

01:01.160 --> 01:05.510
But they are encrypted, so you will not be able to execute them.

01:05.510 --> 01:08.000
If they're pictures, you're not going to be able to see them.

01:08.000 --> 01:11.060
If they're text files, you're not going to be able to read the text.

01:11.060 --> 01:14.990
It's simply fully encrypted and it's unusable.

01:14.990 --> 01:20.690
And the only way for you to get it back is using the encryption key, which the hacker has.

01:21.140 --> 01:26.840
Therefore, they usually ask you to pay a certain amount of money, a ransom.

01:26.840 --> 01:32.510
And if you do pay that, they will give you the key and as a result, you're going to get your file

01:32.540 --> 01:32.990
back.

01:32.990 --> 01:36.860
So if you pay the ransom, you're going to get your file back because they're going to give you the

01:36.860 --> 01:41.270
key which you will use to decrypt the encrypted file.

01:41.270 --> 01:42.860
So the file gets encrypted.

01:42.860 --> 01:44.990
The only way to decrypt it is using the key.

01:44.990 --> 01:46.730
And the hacker has the key.

01:47.790 --> 01:50.010
Now you might ask, why am I covering this?

01:50.010 --> 01:53.070
This is definitely not ethical and you are very right.

01:53.070 --> 01:54.600
This is very, very bad.

01:54.600 --> 01:56.040
Nobody should do this.

01:56.040 --> 02:02.130
But the reason why we do it is because as a red teamer or a pen tester, you will actually need to know

02:02.130 --> 02:08.460
how to do this because you will be asked, if you're working in an environment, to run disaster scenarios.

02:08.460 --> 02:13.290
And a very common threat that organizations face these days is ransomware.

02:13.290 --> 02:19.710
So your boss might come to you and ask you to go ahead and infect some computers and run ransomware

02:19.710 --> 02:24.690
on them in order to see how the disaster response team is going to respond to this.

02:24.810 --> 02:28.500
And that's why it is important for you to learn how to do this.

02:28.860 --> 02:31.140
So let's go ahead and do this in practice.

02:31.140 --> 02:36.510
Now I've already compromised a Windows 11 machine in here, this machine right here.

02:36.900 --> 02:40.740
And we're going to go ahead and look for a ransomware module.

02:40.740 --> 02:41.460
Like I said.

02:41.460 --> 02:45.660
And I've said this multiple times now, if you think of anything that you can do on a target machine,

02:45.660 --> 02:48.900
simply look for a module that does that and you will find one.

02:48.900 --> 02:51.480
So we're going to go with this module right here.

02:51.480 --> 02:54.270
And as you can see this one has quite a few options.

02:54.270 --> 02:58.320
And I'm actually going to walk you through them because they are different than other options that you

02:58.320 --> 02:59.880
would see in other modules.

02:59.880 --> 03:03.270
So first of all I'm going to turn on the demo option.

03:03.570 --> 03:10.050
This option is going to remove the wallpaper, make it red, and show a ransomware notification very

03:10.050 --> 03:12.420
similar to actual real ransomware.

03:12.930 --> 03:18.150
We're going to set the mode to encrypt because we want to simulate an actual ransomware attack.

03:18.180 --> 03:21.360
You can set this to decrypt to undo the attack.

03:21.360 --> 03:23.310
And we're going to do that at the end of the video.

03:23.310 --> 03:25.980
So for now we want to simulate an actual attack.

03:25.980 --> 03:28.380
And therefore we're going to be encrypting the files.

03:29.460 --> 03:34.920
The exfiltrate option will allow you to download or exfiltrate the files to your command and control server.

03:34.920 --> 03:37.740
We're going to keep this the way it is for now, or keep it off.

03:37.740 --> 03:43.350
And next you're going to specify the directory that you're going to encrypt in this attack.

03:43.350 --> 03:49.680
So we're going to set this to C users John documents.

03:50.440 --> 03:55.630
So we're basically encrypting the documents directory that we have in here.

03:55.630 --> 03:57.610
As you can see we have two images.

03:57.610 --> 04:01.780
We have the passwords file that I've already shown you, same one that is in the downloads.

04:01.780 --> 04:05.500
And we also have a file in here that just contains client names.

04:05.500 --> 04:07.570
This is just a sample file as well.

04:07.570 --> 04:12.790
So we're assuming that this is an important directory that contains very important information to the

04:12.790 --> 04:13.390
target.

04:15.180 --> 04:21.000
Next, you have some optional fields where you need to fill in the C2 server and the port if you are going

04:21.000 --> 04:22.530
to exfiltrate the files.

04:22.530 --> 04:25.860
But in here you also have to set the recovery key.

04:25.980 --> 04:31.080
This is the key that's going to be used to encrypt the files, so you can put anything you want.

04:31.080 --> 04:33.210
I'm just going to do test test.

04:33.210 --> 04:34.830
And now with that we're happy.

04:34.830 --> 04:36.210
We're going to click submit.

04:36.660 --> 04:40.620
And let's go to the target computer and have a look at what's going to happen.

04:41.130 --> 04:43.230
So as you can see everything went red.

04:43.230 --> 04:46.800
And we got this scary ransomware notification.

04:46.800 --> 04:53.280
So this is great for an actual ransomware simulation because this looks identical to a normal ransomware

04:53.280 --> 04:54.060
attack.

04:54.060 --> 04:57.630
And as you can see, it's telling you that it encrypted your files.

04:57.630 --> 04:59.460
It's telling you that you don't need to worry.

04:59.460 --> 05:02.190
If you pay, you're going to get your files back.

05:02.190 --> 05:07.650
And then if you go ahead and look at the documents, as you can see in here, you can see that all of

05:07.650 --> 05:10.980
the files are encrypted and we're not going to be able to open them.

05:10.980 --> 05:17.310
So even if I, for example, double click the clients file, Windows is going to say, I don't know

05:17.310 --> 05:18.480
how to open this file.

05:18.480 --> 05:20.520
We're going to say open it with Notepad.

05:20.520 --> 05:26.550
And as you can see you're just going to see gibberish because the file now is encrypted and we do not

05:26.550 --> 05:27.690
have access to it.

05:28.380 --> 05:34.680
So this is great to test your incident response team to see how they would respond to an incident like

05:34.680 --> 05:35.430
this one.

05:36.060 --> 05:41.700
And like I said, as a pentester or a red teamer, you will be asked to simulate such attacks.

05:41.730 --> 05:47.760
Now, there are other tools that allow you to specifically simulate ransomware attacks only, but this

05:47.760 --> 05:51.360
is a really nice feature that we have here embedded within Empire.

05:52.260 --> 05:59.640
Now to undo these changes and to fix this, you can simply decrypt all of these files using the recovery

05:59.640 --> 06:00.120
key.

06:00.210 --> 06:03.150
You can get that key in here from the tasks.

06:03.150 --> 06:08.130
So if you look at the tasks that you created, most of the time you'll actually find it in here.

06:08.130 --> 06:11.730
But for some reason sometimes you might not find it in here.

06:11.730 --> 06:16.920
And therefore you can actually just go back and you'll have this Readme file inside it.

06:16.920 --> 06:19.440
You will see the recovery key.

06:19.440 --> 06:23.760
So we can copy this key and go back.

06:25.030 --> 06:27.070
Use the same module.

06:27.100 --> 06:28.750
The ransomware module.

06:30.890 --> 06:39.200
And this time, instead of encryption, we're actually going to decrypt the same directory that we encrypted.

06:39.200 --> 06:42.110
So it's C users John.

06:42.110 --> 06:43.010
Documents.

06:44.560 --> 06:48.070
And finally you're going to put the recovery key in here.

06:48.070 --> 06:51.310
Click submit and maybe give it a second.

06:52.930 --> 06:56.200
And you'll see everything is back to the way it was.

06:56.200 --> 07:02.350
And now if we open up the clients file, as you can see, we are able to read its content.

07:02.920 --> 07:09.070
So like I said, there are more ransomware simulators out there that you can use to simulate a ransomware

07:09.070 --> 07:09.820
attack.

07:09.850 --> 07:12.670
This is not really the topic of this course.

07:12.670 --> 07:15.700
We're covering C2 servers that can be used on the cloud.

07:15.700 --> 07:21.280
And the reason why I included this is because this is built in within Starkiller and Empire, which is

07:21.280 --> 07:22.720
the C2 that we're covering.

07:22.720 --> 07:27.760
And like I said, it's a very nice, handy feature that it has in there that you can literally launch

07:27.760 --> 07:30.970
and execute with a few clicks, as you saw.