Creating a sandboxed lab for analyzing malware

  • Published on 19 Dec 2024

Comments • 59

  • @xrootkits  3 years ago +3

    If you have any issues or questions feel free to join the discord discord.gg/eZyqp8t

    • @JaxG467  3 years ago

      So... can I run RATs like AgentTesla in this?

    • @Ultimah  1 year ago

      The file is no longer available on the site, please do an update.

  • @CurtisCT  2 years ago +5

    Question: ransomware programs contact their home sites to request a key which they then use to encrypt your data. You then have to pay the hackers to get a copy of the key to decrypt your data. How can we use this setup to test for ransomware if DNS requests never make it past the REMnux VM?

    • @mmm-me4kk  2 years ago

      Yeah, that's something I'm also wondering.

    • @ShantanuBaviskar  2 years ago

      Have you done this test yet? Curious if the encryption never starts or if the ransomware just encrypts with any random key? It's not like they care about a person's data. They might just end all forms of communication with the victim once the payment is made.

    • @mmm-me4kk  2 years ago

      @ShantanuBaviskar Please watch the Computerphile video about WannaCry (he has two vids); in one of them he explains this quite well.

    • @CurtisCT  2 years ago +2

      @ShantanuBaviskar I experienced this once with a client whose office was infected by ransomware. The virus made its way onto the entire network via an infected USB stick from an employee. First thing the virus did was to contact the hacker's server to request a key which it then used to encrypt all the files on the server. It even encrypted the backup files (this was just before the advent of cloud backup). The ONLY WAY to retrieve the data was to pay off the hackers; they wanted something like 2,000 Euros but I negotiated them down to about 700. They were surprisingly polite and accommodating, but then again this was when ransomware first became a thing a couple of years ago. The minute we paid them in bitcoins, they emailed us the decryption key. After entering the key in the ransomware exe, it immediately decrypted all our files.
      As I understand it though, if the ransomware exe can't reach its home server for an encryption key, then it simply ends itself because it can't encrypt your files without a key. That's why the first thing to do if you think you've been infected by ransomware is to IMMEDIATELY disconnect the internet connection.

    • @nikhilsulghur7589  2 years ago

      @CurtisCT Well, I do think it depends on the type of malware used... leetcipher has a pretty good tutorial on how malware is written, check him out.

  • @gromuk4849  2 years ago +1

    How do you save it at 8:09? I don't understand the keybinds

    • @ShantanuBaviskar  2 years ago

      Ctrl+O to save, then Ctrl+X to exit the nano editor.

  • @aguilalongeva1113  2 years ago

    Thanks, works fine. Greetings from Italy.

  • @slashingbison2503  1 year ago

    Awesome guide, thanks.

  • @sendlocation8476  1 year ago

    @rootkits
    I am testing hacking programs like RATs. My home router doesn't have a VLAN option. So how can I make my VMware VM isolated from the host and networks but still have an internet connection?

  • @piercasaz6320  11 months ago

    What extension are you using to change the user agent?

    • @Ortod0xo  3 months ago

      The extension is called "user-agent" and is available for browsers based on Google Chrome and Firefox.

  • @noufal560  2 years ago

    7:02 it isn't installing for me! What can I do?

  • @dadplays9599  2 years ago

    How do I type in REMnux? I'm pressing keys, tried the soft keyboard, clicked on the REMnux command terminal thing, went full screen, but still nothing worked. Can you help?

  • @mmm-me4kk  1 year ago

    Sir, thank you for the vid. For ransomware this would not work, right? Since it has to be connected to the internet to retrieve the keys. What would be your recommendation in such a case?

    • @RealDubozze  11 months ago

      Install a VPN on the host system? Should be okay?

  • @fancy4588  2 years ago

    Hello, I wanted to ask what distro this is again, I like it.

  • @spelerkeerik4483  2 years ago

    Amazing, I did it! You made my day. Thank you!!

  • @BenjO1755  2 years ago

    Today Avast keeps showing up and it says that the threat is secured and I can see further, and it means that it is malware. Can you help?

  • @BorisJohnsonMayor  2 years ago +2

    Please show us how you actually download the malware samples. I've seen so many mixed messages for the best way to do this. Shared folders make me uncomfortable. Do you download the samples using a VM with internet access and then remove the network adapter and then analyse the malware with no internet connection? Is there no risk of downloading it first with internet enabled, or is it relatively safe as long as the executable is not run?

    • @xrootkits  2 years ago +4

      Good question, I agree that connections with your host machine, whether direct or indirect, can be scary. What I would recommend is to create a snapshot (backup image) of the VM state where there is internet access (during this point you should also download the samples on the VM) and then another snapshot directly afterwards, with no internet access. So essentially, whenever you need to download a new sample, you can revert back to an older snapshot instantly where your VM has internet access, and then you can download a new sample, disable internet, and run the malware.

    • @BorisJohnsonMayor  2 years ago

      @xrootkits Thanks, you could also clarify for others that most malware samples are compressed and password protected, so there usually isn't a direct threat until you extract the sample from the archive. Even then, the files in the archive have their file extension removed or changed to something so the .exe is not activated upon opening it.

    • @xrootkits  2 years ago

      @BorisJohnsonMayor You're welcome, and yeah, that is completely true. I actually made a video on theZoo a while back on my TikTok, one of my first videos actually.

    • @gromuk4849  2 years ago

      @xrootkits If I have Windows with admin rights separated from the standard user, the virus would need my password anyway to make changes, right?

  • @A12-v8z9r  2 years ago

    When I open remnux from virtualbox, I get an error: "oh no something has gone wrong"
    "A problem has occurred and the system can't recover"
    Any solution for this?

  • @magorzatat96  2 years ago

    Many thanks broh

  • @0xrusty  2 years ago

    What's your host OS?

  • @vijjaymon  3 years ago

    Love how you have a VM named Hannah Montana

  • @ΠΑΠΑΔΗΜΗΤΡΙΟΥΕΛΕΝΗ-ν5μ  2 years ago

    It works! Thanks a lot.

  • @williamjohansson934  3 years ago

    How do I load the viruses onto the VM?

    • @xrootkits  3 years ago

      I use a local web server, but you can also create a shared folder in VBox, or enable drag and drop; there are many different ways.

  • @umbrafn_  2 years ago

    Does VMware work for this?

  • @sherinthomas943  2 years ago

    Hello, could you please tell where you downloaded the malware sample from that you ran in the video? Would it be possible for you to share it? I need it for a malware analysis demonstration for educational purposes.

  • @DiabolicalApe  1 year ago

    Are you still around?

    • @surrealhumor1235  1 year ago

      Apparently not.
      😊

  • @MrVictorgrigoras  2 years ago

    thx for soft mate

  • @roundeed  3 years ago

    nice

  • @mynamejeff2880  3 years ago

    nice :)

  • @علاويالاسدي-ي3ض  2 years ago +1

    I heard some malware can sneak into the host PC.

    • @ursadn3ss439  1 year ago

      If you turn on your WiFi, I think.

    • @ursadn3ss439  1 year ago

      It can't do it if it's turned off

  • @cyberrock9018  3 years ago

    How much RAM do you need to do this?

    • @xrootkits  3 years ago

      You wouldn't need a lot; you can create a good lab with >8 gigs, but even with 4 you can still create a malware lab.

    • @zyncit  3 years ago +2

      I have 16 GB and have no problems

    • @NotCCR  9 months ago

      8 GB here, I have no idea why GDI malware is so fast on Windows 7

  • @ShantanuBaviskar  2 years ago +1

    Your network's logical name won't be enp0s3. Type "sudo lshw -C network" to find your network's logical name. So in the video, every time you see enp0s3, replace it with that. In my case, it was actually ens33. *Please pin it or like it so more people will see.*

  • @mynamejeff2880  3 years ago

    You're a Manjaro user?

    • @xrootkits  3 years ago +1

      Yeah, it's an awesome distro imo, love it

    • @mynamejeff2880  3 years ago

      @xrootkits Nice, I will try Arch Linux someday.

    • @hydradragonantivirus  9 months ago

      It sucks @xrootkits

  • @thebluegamerdrummer2363  2 months ago

    I really just hope the skids don't find this video.