John Lundgren

Attack on Demand: BreachBits Ransomware Emulation

Updated: May 28

This guide provides a demonstration and details of the BreachBits Ransomware Emulation that is a part of the Continuous Intelligent Red Team (CIRT) Insider Threat module.


Ransomware attacks on organizations of all sizes and industries continue to grow in number and impact. While many cyber threat groups have turned to ransomware operations due to how lucrative it can be, there is not a great deal of variety in the techniques attackers use to encrypt the files on a host. After gaining access to a single host or a larger network through lateral movement techniques, attackers will often use a combination of symmetric and asymmetric encryption schemes to encrypt the victim's files, then delete the original versions of each file on the compromised host(s).

More recently, organizations as a whole have been improving their ability to recover from these attacks by regularly backing up their data. In response, many cyber threat groups employing ransomware tactics are also stealing copies of the files being encrypted and threatening public release of the files, in order to increase the likelihood that a victim organization will pay the ransom.


An attacker has gained initial access to the host you are testing, and now will attempt to encrypt all files the attacker has access to on this host, in order to extort your organization for ransom.

Technical Requirements

The host being tested must meet the following technical requirements:

  • Microsoft Windows 10

Attack Package Description

The BreachBits Ransomware Simulator will first perform some of the most commonly-seen ransomware preparatory tactics, such as checking the operating system language (many groups that execute or provide the tools to execute ransomware campaigns do this to avoid executing campaigns against organizations in their country or region).

Then, the BreachBits Ransomware Simulator will get a full listing of each file and directory that exists on the host, make a copy of the first 500 files it discovers, and store the copies in a directory on the Desktop. Next, the copies of the 500 files will be encrypted using a combination of symmetric (AES-256) and asymmetric (RSA) encryption algorithms.

If successful, a pop-up window will launch to notify you that the emulation is complete and that the sample of 500 files has been encrypted.

The files that are encrypted as part of this emulation are only copies of the original files, and can be safely deleted by the emulation upon completion without any data loss or disruption to operations on the host being tested. The one tactic often used by ransomware groups that the BreachBits Ransomware Simulator does not perform is deleting the original versions of these files. While this tactic can be detected by some security solutions, modern ransomware actors typically exfiltrate a victim's files before deleting them, to be able to threaten public release of the files if the ransom is not paid. Therefore, we consider the ransomware emulation to be successful if files on the host are discovered and the sample of 500 are encrypted.

Attack Package Steps

Once the execution script is run (as a normal user or Administrator), the following actions will occur:

  1. Internet connectivity will be tested by attempting to ping www.breachbits.com.

  2. The BreachBits BlueShadow loader will be downloaded from the BreachBits attack infrastructure using one of the following native Windows utilities:

     • Curl (only available in recent Windows 10 releases)

     • PowerShell

     • Certutil

  3. The Windows utility rundll32.exe will be used to inject the BlueShadow Dynamic Link Library (DLL) into memory. Read more about this common execution and defense evasion tactic here: https://attack.mitre.org/techniques/T1218/011/

  4. BlueShadow will download the BreachBits Ransomware Simulator.

  5. The BreachBits Ransomware Simulator will check the following configurations:

     • system language

     • startup programs

  6. The BreachBits Ransomware Simulator will get a full list of all directories and files accessible to the user on the host, make copies of 500 of these files, and store them in a directory on the user's Desktop.

  7. The BreachBits Ransomware Simulator will generate the AES-256 encryption key and the RSA public and private keys.

  8. The BreachBits Ransomware Simulator will encrypt the 500 file copies using a combination of symmetric (AES-256) and asymmetric (RSA) encryption algorithms, which is a common method of encryption used by modern ransomware threat groups. These files will be saved with the .aes256 file extension.

  9. A pop-up will launch to indicate that the emulation is complete and where the encrypted files are stored.
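The steps above give a defender a concrete signal to look for: one process writing many high-entropy files with the .aes256 extension into a single directory within a short window. The following is an added detection example, not BreachBits' or the simulator's own code; the event shape, process names, paths and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class FileWrite:
    ts: float       # seconds since epoch
    process: str    # image name of the writing process
    path: str       # destination path
    data: bytes     # contents written (a leading sample is enough)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_bursts(events, ext=".aes256", min_files=20,
                  window=60.0, min_entropy=7.5):
    """Map process -> largest count of high-entropy '*ext' files it wrote
    within any `window`-second span, for processes reaching `min_files`."""
    stamps = defaultdict(list)
    for ev in events:
        if ev.path.lower().endswith(ext) and shannon_entropy(ev.data) >= min_entropy:
            stamps[ev.process].append(ev.ts)
    alerts = {}
    for proc, ts in stamps.items():
        ts.sort()
        best = start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts[proc] = best
    return alerts

# Constructed sample telemetry, not real captures.
ENCRYPTED = bytes(range(256)) * 4           # entropy exactly 8.0
PLAINTEXT = b"Quarterly report: revenue up 4%.\n" * 64
DESKTOP = r"C:\Users\alice\Desktop\sample"
SAMPLE_EVENTS = (
    [FileWrite(float(i), "simulator.exe", rf"{DESKTOP}\doc{i}.docx.aes256", ENCRYPTED) for i in range(25)]
    + [FileWrite(float(i), "winword.exe", r"C:\Users\alice\Documents\report.docx", PLAINTEXT) for i in range(5)]
    + [FileWrite(100.0 * i, "backup.exe", rf"D:\archive\vol{i}.aes256", ENCRYPTED) for i in range(3)]
)
```

The slow `backup.exe` writer and the plaintext Word saves stay below the thresholds, so only the simulator's burst is reported; in a real deployment the events would come from Sysmon or EDR file-create telemetry rather than an in-memory list.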

Results and Next Steps

Detection and disruption of ransomware threats on hosts can be challenging, even for some of today's most advanced endpoint detection solutions. Regardless of whether your security solution(s) detected and stopped the BreachBits Ransomware Emulation, we recommend:

  • Check whether your security solution(s) have any ransomware-specific features that may not be enabled, such as marking particular directories, files, etc. as protected. This may improve your security solution(s)' ability to detect and stop ransomware attacks.

  • Test hosts in your environment with other tactics that can be used in larger-scope ransomware attacks, such as privilege escalation and lateral movement techniques.

  • Ensure your organization has and executes a data-backup policy, to secure sensitive files in a controlled environment. Practice implementing backups periodically, to ensure the duplicated files are stored correctly and your organization's staff is trained and prepared to restore backups.
