search

guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0
6.62k stars 772 forks source link

Readme.txt.monkey blocks file encryption #1304

Closed VakarisZ closed 3 years ago

VakarisZ commented 3 years ago

Describe the bug

If a README.txt.monkey file is present in the ransomware target directory the encryption of the files fail with {'path': 'C:\\w\\Dump\\README.txt', 'success': False, 'error': "[WinError 183] Cannot create a file when that file already exists: 'C:\\\\w\\\\Dump\\\\README.txt' -> 'C:\\\\w\\\\Dump\\\\README.txt.m0nk3y'"}

To Reproduce

Steps to reproduce the behavior:

  1. Create a directory and add some files
  2. Enter a the directory as a ransomware target dir into the configuration
  3. Run monkey 3 times in a row (or create a README.txt.m0nk3y file)
  4. On the third run, monkey will throw an error and files won't get encrypted

Expected behavior

Monkey shouldn't encrypt README.txt and README.txt.m0nk3y files

Machine version (please complete the following information):

Tasks

mssalvatore commented 3 years ago

This appears to be working as designed. Files ending in .m0nk3y are already ignored. It attempts to rename the file and fails, giving you an error message as to why. If we don't encrypt existing README.txt files, this could mean we would overwrite a user's data with our README.txt. For example, if the target directory contains source code, it may already contain a README.txt. If we don't encrypt that file and rename it with .m0nk3y, then we'll potentially overwrite it with our own README, making the original data unrecoverable.

We could check the hash of any README.txt file and skip it if it's ours.