Validate Your Ransomware Defense with the Infection Monkey

Ransomware is on the rise, but validating the caliber of your defense strategy doesn’t (and shouldn’t) need to wait until a successful breach.

The Infection Monkey v1.11.0 now allows you to simulate ransomware (safely) in a production environment. By mimicking the behavior of real bad actors, IT security can see how far an attack may spread while also testing the responses of tools and teams to a threat scenario. Then, by using the insights you collect from your testing in your decision-making process, you can base your defense strategy on real-world data, not speculation.

Why should you continuously test your ransomware protection?

Checking your baseline security is important, but your environment is highly dynamic like most other organizations, with frequent updates and new additions. Running the Infection Monkey after any change will help you validate that your security configurations and teams are ransomware-ready.

Unleashing a ransomware attack with the Monkey

1. Prepare your environment

To ensure your network’s stability and safety, the Infection Monkey will only encrypt files that you explicitly specify. It uses a fully-reversible algorithm, so you can be sure no data will be lost. However, While the Monkey is built for use in production environments, it’s never recommended to use your original files during the exercise.

In order to make your simulation as accurate as possible, provide the Monkey with a directory that contains files that are safe for it to encrypt. The suggested approach is to use a remote administration tool, such as Ansible or PsExec to add a “ransomware target” directory to each machine in your environment.

2. Configure the Infection Monkey

After you have downloaded and set up the Infection Monkey, you should also take a moment to navigate to the network configuration tab.

These settings will help determine the scope of your attack. Here you can control:

  • Network propagation depth – How many hops from the base machine will the Infection Monkey spread?
  •  Local network scan – Should the Infection Monkey attempt to attack any machine in its subnet? 
  • Scanner IP/subnet list – Which specific IP ranges should the Infection Monkey should try to attack?

Next, it’s time to arm the Monkey and configure the attack! The simulation will only encrypt files in a user-specified directory to ensure minimum interference and easy recoverability.

In the interface, navigate to the ransomware configuration tab, where you can select your targets. If no directory is specified, no files will be encrypted.

Additionally, most ransomware leaves a README.txt file, and, with the Infection Monkey, you now can too (you cheeky monkey)! After the Infection Monkey has encrypted the files in the target directory, it will leave a README.txt file in the target directory that informs the user that a ransomware simulation has taken place.

3. Release the Monkey, encrypt all the things!

Once you start the simulation, the Monkey will attempt to breach and encrypt targeted file extensions in the directory you created on each machine.

The Infection Monkey then renames any files it can get its paws on with a new appended extension, similar to how many ransomware campaigns behave. The encrypted files are renamed to have .m0nk3y appended to their names. This process should trigger your security solutions to notify you or prevent these changes from taking place, so you can observe how they perform.

Several mechanisms are in place to ensure that all actions executed by the encryption routine are safe for production environments. In addition to only encrypting the files you specify, the simulation is not recursive, i.e., it will not touch any files in the sub-directories of the configured directory. The Infection Monkey will also not follow any symlinks or shortcuts.

Assessing your results

After all the monkey business is finished, you’ll find a new report ready for your review that includes:

  • The details on the initial breach
  • How many machines were discovered
  • How many were exploited
  • What exploits were successful
  • What files were encrypted

If you see a large number of discovered and breached machines, it’s a sign your network may be too flat, and you should look into a solution that prevents lateral movement and ransomware propagation through your network.

Don’t forget to look at metrics outside of the Infection Monkey, such as how effectively your team responded and if your security tools detected the simulation.

Ready to simulate a ransomware attack on your network to identify propagation paths and test your organization’s response?

Get the latest Guardicore news

Sign up to read about the latest in cyber security and learn from the Guardicore team with insights about trends and reducing your risk.


Cyber Threat Intelligence

Get unique information on malicious Internet assets – IP addresses and domain – detected by Guardicore.