Hello, and welcome to this course, in which we're talking about using Python for impact. And so here we're using impact in the terms of the MITRE ATT&CK framework, meaning that the Python code here is designed to achieve some final objective of the attacker. And there's a variety of different final objectives that an attacker could have. In this case, we're going to be looking at data encryption for impact, which is essentially ransomware. You can create Python files that emulate the core functionality of ransomware, that will encrypt all of the files on a system, or a select set of files on the system, and not allow decryption unless a certain secret key is provided, i.e. in exchange for a ransom. And so we're going to look at an example of a simple Python ransomware just designed to encrypt doc files within a particular directory.

So we'll start down here at the bottom of the code and our main function. So we're going to use os.path.join to get the directory that we're going to be looking at. In this case, we'll use the current working directory, and then there's a folder inside of that directory called documents. Obviously, we could change this directory to be whatever we want it to. We're also going to specify that we only want to encrypt docx files. This is a common protection in ransomware and data encryption malware like this, because if you encrypt every file on the system, the system is going to break, and then there's no way for the user to receive the ransom note and actually pay you. And so many types of malware, ransomware variants, are going to include this sort of test for particular document types. This is a bit more restrictive than most, but again, along those same lines, we're then going to use a function that we call get files to identify the paths of the files in that particular directory. And we have our get files function defined right up here.
So we're going to use Path(directory).rglob to match everything within this directory that matches a particular regular expression. In this case, we want '*' + extension, so in this case anything that ends with a .docx file extension. This is going to be done for each match, and then return a list of those paths, which will be stored in our paths variable here. With these paths, we're going to iterate over them and call an encrypt file function for each one of them, and our encrypt file function is defined up here. And so encrypt file will need to access the data within each file that we're going to be encrypting. And so we're going to use the syntax with open(filename), in this case the string version of the path. We're going to want to read as binary, so rb, and then put that file handle that we've created here in f. And then we'll read in all of the data stored in that file with f.read and store it in a variable called data. With that data, we can then open another file handle to that same directory or file name .encrypted. In this case, we're going to specify we want to write in binary, and again open that as f, and we're going to write, f.write, the encrypted version of our data.

And so our encrypt function is defined up here with the necessary parameters. We're going to be using AES in this particular case, and we're going to be using the Cipher Block Chaining, or CBC, block cipher mode of operation. And what this means is that in the case where we have data that spans multiple different blocks, which is most data in this case, because the block size is 128 bits or 16 bytes, CBC mode is going to define how we're going to make each block related to one another. And one of the requirements of CBC mode is an initialization vector, IV, and we've defined, or we passed, that into our AES.new function, which defines our AES cipher here.
And we've defined both the IV and our secret key right above, so in this case, our secret key that we're using isn't very secure, the phrase '16 byte key'. And our IV has to be a random byte string of the same size as the block size. So in this case, we can generate an IV using os.urandom, and then specify the length that we want, in this case 16. And so with the key, the mode of operation and the initialization vector, we can create an instance of the AES cipher, and then call cipher.encrypt to transform the contents of the file we've read in into a ciphertext. And so what we'll be doing is iterating over each docx file in the directory that we've specified and encrypting each of them using this. And then we'll use this writing code here to write the result to a version of it called filename.encrypted, very similar to how ransomware would do it. Once we've created that encrypted version of the file, we'll use os.remove to delete the original.

And so this is very similar to how real ransomware works. In fact, we are only missing some of the functionality that's designed to make ransomware hard to deal with. For example, we're not going to touch shadow copies or do anything to help prevent against removal and recovery, just in case something goes wrong here. Also, since we've specified our key as '16 byte key', we could recover from this if needed, as long as we know the initialization vector used. And so after we've encrypted all these files, we're going to pretend to be ransomware as well and ask for a decryption code. Now presumably we only get access to this decryption code if we paid the ransom to whoever was operating the malware. Once we have that, we're going to read it in with input, strip it to remove any whitespace, and then test to see if it matches the secret key for decrypting files on the system, which is decryptfiles.
If so, we are going to iterate over each path in the list of paths and decrypt the file at that location. And then once we're done with that, we'll break out of our infinite loop here. And so our decrypt file and decrypt functions are the mirror of the encrypt file and encrypt variety. We start out instead by reading in the encrypted file, and then we write the decrypted version of the data to the original file name and we remove the encrypted version. Similarly, decrypt builds a cipher instance using the same information as encrypt, and just calls cipher.decrypt instead of cipher.encrypt. So this is how we're going to be using data encryption for impact, because presumably once we've finished encryption of all the files, to say line 40 here, there's nothing that you can do to recover the files that have been encrypted on the system without paying the ransom and providing the decryption code. In reality, reverse engineering of this program would reveal the variables needed for decryption. There's potential for shadow copies, etc., but this is the heart of a ransomware malware.

And so, minimizing this, let's look at the file that we're going to be writing. So this is our documents directory that we're going to be encrypting files in. There's a single file called resume.docx, which we've opened up here, and essentially it's a fake resume. So name, email address, phone number, nothing else, just a simple file that we're going to be decrypting. In this case, I'm going to close this and use the terminal to run our malware file here. So we use Python data encryption.py to run it. We run it, encryption has been performed, and we see here that resume.docx.encrypted exists there. If we edit this with Notepad++, we get gibberish instead of the original docx file that was there previously. Close this up, go back here, and remember that our decryption code is decryptfiles, so we'll provide that decryption code here.
On the command line, hit enter, and we see that resume.docx is restored. If I open this up, it's the exact same file; we've successfully decrypted. And since all of the files are decrypted, the malware stops running. So this is a demonstration of how to use data encryption for impact, with the definition of impact used by MITRE ATT&CK. And so as we saw here, the Python code can do everything that ransomware would need to do, including iterating over files, reading in their contents, encrypting them, and then undoing all of this at the end. Also, you could probably add additional functionality to this to help protect against the various ways in which this particular script could be overcome. However, this is a good demonstration of the capabilities of Python for data encryption for impact. Thank you.
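The script described in this lecture leaves two observable traces on disk: the original document is removed and a sibling named filename.encrypted appears, and that sibling's bytes are AES output, which is statistically indistinguishable from random data. The following defender-side example, added here and not part of the course or its script, turns those two traces into a detection check. It walks a directory with Path.rglob, the same call the lecture uses to find docx files, and flags any file that either carries the ransomware-style suffix or whose Shannon entropy is near the 8 bits/byte ceiling that ciphertext reaches while ordinary documents do not. The suffix, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the demo; it uses only the standard library.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Assumptions for this added example: the suffix the lecture's script appends to
# each encrypted file, and an entropy threshold above which content is treated
# as likely ciphertext (text and docx sit well below it).
ENCRYPTED_SUFFIX = ".encrypted"
ENTROPY_THRESHOLD = 7.5  # bits per byte; the theoretical maximum is 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_directory(directory: Path, pattern: str = "*") -> List[Dict]:
    """Walk `directory` with Path.rglob and return one finding per suspicious file.

    Two indicators are checked, both of which the lecture's script produces:
      - the file name ends with the ransomware-style suffix, or
      - the file content has entropy consistent with ciphertext.
    """
    findings = []
    for path in Path(directory).rglob(pattern):
        if not path.is_file():
            continue
        data = path.read_bytes()
        entropy = shannon_entropy(data)
        reasons = []
        if path.name.endswith(ENCRYPTED_SUFFIX):
            reasons.append("ransomware-style suffix")
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
        if reasons:
            findings.append({"path": str(path), "entropy": round(entropy, 2), "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Construct a temporary documents tree for the demo (constructed sample data).

    One plaintext 'resume' is left readable. A second file mimics what the
    lecture's script leaves behind: the original is gone and <name>.encrypted
    remains, holding bytes that look random, as AES-CBC ciphertext does. A seeded
    PRNG stands in for the ciphertext so the demo is deterministic.
    """
    root = Path(tempfile.mkdtemp(prefix="documents_"))
    (root / "resume.docx").write_bytes(
        b"Name: Jane Doe\nEmail: jane@example.invalid\nPhone: 555-0100\n" * 20
    )
    rng = random.Random(0)
    fake_ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / ("notes.docx" + ENCRYPTED_SUFFIX)).write_bytes(fake_ciphertext)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_directory(sample_root):
        print(f"{finding['path']}: entropy={finding['entropy']} reasons={finding['reasons']}")
```

Run as a script, it reports only notes.docx.encrypted, on both grounds, while the plaintext resume passes. The entropy test is the more durable of the two indicators, since a suffix is trivial for malware authors to change; in practice it is paired with a baseline of what the directory normally contains, because legitimately compressed formats (real docx files are zip archives, as are many media types) also score high and would otherwise produce false positives.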