Description
For this assignment, you will develop a basic ransomware. Ransomware is a type of malicious software
that is used to block access to the files of a user by encrypting them. Its main goal is to extort money
from users in order to decrypt their files back. The main functionality of the ransomware is to encrypt a
number of files and delete the original unencrypted files. Of course, a proper ransomware would be able
to detect the access control logging system and bypass it. However, for the purposes of this assignment,
you are required to provide only the basic functionality that we ask for.
Step 1: Implement the ransomware
More specifically, you should develop a bash script (named “ransomware.sh”) that demonstrates the
creation, encryption & deletion of a number of files inside a directory in a certain amount of time. More
specifically, you should (1) create/select the files to be encrypted, (2) produce the new, encrypted files,
and finally (3) delete the original files. We strongly suggest creating new text files that will be then
encrypted. Do not risk encrypting and deleting files that you wouldn’t want to lose or corrupt.
Your ransomware should also be able to create a big volume of files, so given a directory as an
argument, it should create X
1
files in that directory. X is also given as an argument.
You can use the OpenSSL binaries for the encryption of the files. Two aes-ecb examples follow, make
sure you use the correct encryption function as parameter and the correct key. In the following
example, the encryption password is “1234”.
Encryption: $ openssl enc -aes-256-ecb -in test.txt -out test.txt.encrypt -k 1234
File deletion: $ rm test.txt
Decryption: $ openssl aes-256-ecb -in test.txt.encrypt -out test.txt -d -k 1234
For more information on the OpenSSL command line tool:
● https://linux.die.net/man/1/openssl
● https://wiki.openssl.org/index.php/Command_Line_Utilities
1 X is an integer number that specifies the number of the files your ransomware must create.
Step 2: Use the Access Control Logging tool from Assignment 42
Your ransomware will make use of the shared library you implemented for Assignment 4 “Access Control
Logging”, named “logger.so”. This means that every access type (create, open or write) will be logged
with an entry in the log file named “file_logging.log”. Therefore, the entries must have the same format
as the previous assignment:
1. UID: The unique user ID assigned by the system to a user (hint: see getuid() function).
2. File name: The path and name of the accessed file.
3. Date: The date that the action occurred.
4. Timestamp: The time that the action occurred.
5. Access type: For file creation, the access type is 0. For file open, the access type is 1. For file
write, the access type is 2.
6. Is-action-denied flag: This field reports if the action was denied to the user with no access
privileges. It is 1 if the action was denied to the user, or 0 otherwise.
7. File fingerprint: The digital fingerprint of the file the time the event occurred. This digital
fingerprint is the hash value of the file contents (hint: You can use the md5 hash functions:
https://www.openssl.org/docs/man1.1.0/man3/MD5_Init.html ).
Events that must be logged:
1. File creation: Every time a user creates a file, the log file must be updated with information
about the creation of the file. Make sure to modify the fopen() function in a way that the
creation of a file can be distinguished from the opening of an existing file.
2. File opening: Every time a user tries to open a file, the log file must be updated with the
corresponding file access attempt information. For this case, fopen() functions need to be
intercepted and information about the user and the file access has to be collected.
3. File modification (write): Every time a user tries to modify a file, the log file will be updated with
the corresponding file modification attempt information. This means that fwrite() functions
need to be intercepted and information about the user and the file access has to be collected.
Every fopen()/fwrite() function should create a new entry in a log file.
Step 3: Detect the ransomware by enriching the Access Control Log
Monitoring tool from Assignment 4
Enrich your Access Control Monitoring tool, named “acmonitor.c”, from Assignment 4 to have the
following extra functionality. The Access Control Monitoring tool will detect the existence of your
ransomware. More specifically:
2 This step only requires to use the logger.so shared library from your previous assignment (Assignment
4).
1. In many cases, a ransomware tries to hide malicious files in directories populated by huge
amounts of files. In this scenario a ransom will create a big volume of files. You need to find if X
files (at minimum) were created in the last 20 minutes.
2. A ransomware will also try to encrypt files and then discard the unencrypted version of those
files. You need to find and report all the events in the log where a ransomware opened an
unencrypted file and created an encrypted one. Remember that encrypted files end with the
suffix “.encrypt”.
Tool Specification
The enriched Access Control Log Monitoring tool (Step 3) will receive the required arguments from the
command line upon execution. Specifically, you should add the (1) -v and the (2) -e
options, and keep the -m, -i, -h options as-is from Assignment 4.
Options
Notes
1. If no appropriate option was given, the Access Control Monitoring tool has to print the
appropriate error message.
2. You need to create a Makefile to compile your library and programs (you must submit it with
your source code) or you can use the one provided to you in the previous assignment
(Assignment 4).
-m Prints malicious users
-i Prints table of users that modified the file given and the number of modifications
-v Prints the total number of files created in the last 20 minutes
-e Prints all the files that were encrypted by the ransomware
-h Help message
3. We do not provide you with a source code corpus, since you have to enrich the source code of
the previous assignment (Assignment 4).
4. You need to create a README with your name, your AM and a short description (1-2
lines) of your implementation.
5. You must submit the following files: README, Makefile, logger.c, logger.so, acmonitor.c,
ransomware.sh
6. You should place all these files in a folder named _assign5 and then compress it as a .zip
file. For example, if your login is 2020123456 the folder should be named 2020123456_assign5
you should commit 2020123456_assign5.zip.
7. Use the tab “Συζήτηση” in courses for questions.
