Lab 13: Malware Types

🎯 Objective

Understand malware classifications, simulate ransomware behavior safely using base64 encoding, identify Indicators of Compromise (IOCs), and implement defense layers against malware.

📚 Background

Malware (malicious software) is any software intentionally designed to cause harm, gain unauthorized access, or disrupt computer operations. The malware ecosystem is vast and continuously evolving — what started as simple viruses spread by floppy disks has grown into a multi-billion dollar criminal industry with sophisticated ransomware groups, state-sponsored APTs, and malware-as-a-service platforms.

Understanding malware categories helps security professionals make appropriate detection and response decisions. A ransomware incident requires different immediate actions than a rootkit discovery or a cryptocurrency miner. Each type has distinct behaviors, persistence mechanisms, and indicators that enable detection.

Indicators of Compromise (IOCs) are forensic artifacts that indicate a system has likely been compromised. They include file hashes, IP addresses, domain names, registry keys, and behavioral patterns. IOC sharing through platforms like MISP and threat intelligence feeds enables the security community to rapidly deploy defenses against new threats.

⏱️ Estimated Time

45 minutes

📋 Prerequisites

Basic Python programming
Understanding of operating system concepts

🛠️ Tools Used

python3 — malware simulation
base64 — encoding (safe ransomware simulation)

🔬 Lab Instructions

Step 1: Malware Classification

python3 << 'EOF'
malware_types = {
    "Virus": {
        "definition": "Self-replicating code that attaches to legitimate programs/files",
        "propagation": "Spreads when infected files are shared/executed",
        "damage": "File corruption, data destruction, system instability",
        "famous": "ILOVEYOU (2000), Melissa (1999), CIH/Chernobyl (1998)",
        "detection": "File hash changes, signature detection, behavioral analysis",
        "key_trait": "Requires user to execute infected file to spread"
    },
    "Worm": {
        "definition": "Self-replicating malware that spreads WITHOUT user action",
        "propagation": "Exploits network vulnerabilities, network shares, email",
        "damage": "Network flooding, payload delivery, backdoor installation",
        "famous": "WannaCry (2017), NotPetya (2017), CodeRed (2001), Morris Worm (1988)",
        "detection": "Unusual network traffic, repeated connection attempts",
        "key_trait": "Autonomous spread — no user action needed"
    },
    "Trojan": {
        "definition": "Malware disguised as legitimate software",
        "propagation": "User downloads and runs thinking it's legitimate software",
        "damage": "Backdoor access, credential theft, data exfiltration",
        "famous": "Zeus (banking trojan), Emotet, DarkComet RAT",
        "detection": "Behavioral analysis, suspicious network connections",
        "key_trait": "Doesn't self-replicate — social engineering required"
    },
    "Ransomware": {
        "definition": "Encrypts victim files and demands payment for decryption key",
        "propagation": "Phishing, RDP exploitation, supply chain compromise",
        "damage": "Business disruption, data loss if no backup, ransom payment",
        "famous": "WannaCry, REvil, LockBit, Conti, DarkSide (Colonial Pipeline)",
        "detection": "Mass file modifications, ransom notes, unusual encryption activity",
        "key_trait": "Monetization via extortion — double extortion now common"
    },
    "Rootkit": {
        "definition": "Hides itself and other malware from OS and security tools",
        "propagation": "Usually delivered after initial compromise to maintain stealth",
        "damage": "Persistent undetected access, hides other malware",
        "famous": "Sony BMG rootkit (2005), Stuxnet rootkit, Necurs",
        "detection": "Memory forensics, offline scanning, behavior analysis",
        "key_trait": "Operates at kernel/boot level — very hard to detect"
    },
    "Spyware/Stalkerware": {
        "definition": "Secretly monitors and collects user information",
        "propagation": "Bundled with freeware, drive-by downloads",
        "damage": "Credential theft, privacy violation, identity theft",
        "famous": "FinFisher, Pegasus (nation-state spyware), keyloggers",
        "detection": "Unusual outbound traffic, unexpected processes",
        "key_trait": "Stealth collection without disrupting normal operations"
    },
    "Botnet/RAT": {
        "definition": "Network of infected machines controlled by attacker (C2)",
        "propagation": "Various — drive-by downloads, spam, exploitation",
        "damage": "DDoS, spam sending, credential theft, further malware deployment",
        "famous": "Mirai (IoT botnet), Emotet, TrickBot, BazarLoader",
        "detection": "C2 beaconing traffic, unusual outbound connections",
        "key_trait": "Remote administration — attacker controls many systems centrally"
    },
    "Cryptominer": {
        "definition": "Uses victim's computing resources to mine cryptocurrency",
        "propagation": "Exploits, drive-by downloads, supply chain attacks",
        "damage": "CPU/GPU degradation, electricity costs, system slowdown",
        "famous": "XMRig (Monero miner), Coinhive (browser-based)",
        "detection": "High CPU usage, unusual process names, outbound pool traffic",
        "key_trait": "Financial motive without disruption — often runs silently"
    }
}

print("MALWARE CLASSIFICATION REFERENCE")
print("=" * 70)
for malware_type, info in malware_types.items():
    print(f"\n{'─'*70}")
    print(f"TYPE: {malware_type}")
    print(f"  Definition:  {info['definition']}")
    print(f"  Spreads via: {info['propagation']}")
    print(f"  Key trait:   {info['key_trait']}")
    print(f"  Famous:      {info['famous']}")
    print(f"  Detect via:  {info['detection']}")
EOF

📸 Verified Output:

MALWARE CLASSIFICATION REFERENCE
======================================================================

──────────────────────────────────────────────────────────────────────
TYPE: Virus
  Definition:  Self-replicating code that attaches to legitimate programs/files
  Spreads via: Spreads when infected files are shared/executed
  Key trait:   Requires user to execute infected file to spread
  Famous:      ILOVEYOU (2000), Melissa (1999), CIH/Chernobyl (1998)
...

💡 What this means: Each malware type has distinct characteristics that drive different defensive responses. Worms require network controls; trojans require endpoint and email controls; rootkits require memory forensics.

Step 2: Ransomware Behavior Simulation (Safe Demo)

python3 << 'EOF'
import base64
import os
import json
from datetime import datetime

# SAFE RANSOMWARE SIMULATION
# Uses base64 encoding instead of real encryption
# All files created in /tmp/ransomware-demo only

print("RANSOMWARE BEHAVIOR SIMULATION (SAFE DEMO)")
print("=" * 55)
print("NOTE: This uses base64 encoding, NOT real encryption")
print("      Educational demo only - all files in /tmp")
print()

# Setup: Create victim files
demo_dir = "/tmp/ransomware-demo"
os.makedirs(demo_dir, exist_ok=True)

victim_files = {
    "report_Q1_2026.txt": "Q1 2026 Financial Report\nRevenue: $5.2M\nExpenses: $3.1M",
    "customer_data.csv": "Name,Email,Phone\nAlice Smith,[email protected],555-1234\nBob Jones,[email protected],555-5678",
    "project_plan.txt": "Project Aurora - Phase 1\nDeadline: March 15, 2026\nBudget: $500,000",
}

print("PHASE 1: CREATING VICTIM FILES")
for filename, content in victim_files.items():
    filepath = os.path.join(demo_dir, filename)
    with open(filepath, 'w') as f:
        f.write(content)
    print(f"  Created: {filename} ({len(content)} bytes)")

print()
print("PHASE 2: RANSOMWARE 'ENCRYPTION' (base64 simulation)")
encrypted_key = "SIMULATED-AES-KEY-" + base64.b64encode(os.urandom(16)).decode()
print(f"  Attacker's 'unique victim key': {encrypted_key[:40]}...")
print()

encrypted_files = []
for filename in os.listdir(demo_dir):
    if not filename.endswith('.locked'):
        filepath = os.path.join(demo_dir, filename)
        with open(filepath, 'rb') as f:
            original_data = f.read()
        
        # Simulate encryption with base64
        encoded_data = base64.b64encode(original_data)
        
        # Write "encrypted" file with .locked extension
        locked_filepath = filepath + '.locked'
        with open(locked_filepath, 'wb') as f:
            f.write(encoded_data)
        
        # Delete original
        os.remove(filepath)
        encrypted_files.append(filename)
        print(f"  'Encrypted': {filename} -> {filename}.locked")

print()
print("PHASE 3: RANSOM NOTE DROPPED")
ransom_note = f"""
YOUR FILES HAVE BEEN ENCRYPTED!

All your important files (documents, photos, databases) have been encrypted
with military-grade AES-256 encryption.

To recover your files, you must pay 0.5 BTC to:
  Bitcoin address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf...

After payment, email your victim ID to: [email protected]
  YOUR VICTIM ID: {encrypted_key[:20]}

YOU HAVE 72 HOURS. After that, the price doubles.
After 7 days, your data will be PERMANENTLY DELETED.

DO NOT attempt to decrypt files yourself - this will destroy them.
DO NOT contact law enforcement - we will know.

Files affected: {len(encrypted_files)} files
Encrypted at: {datetime.now().isoformat()}
"""
ransom_note_path = os.path.join(demo_dir, "README_DECRYPT.txt")
with open(ransom_note_path, 'w') as f:
    f.write(ransom_note)
print(f"  Ransom note: README_DECRYPT.txt")
print()
print("  State of victim's files:")
for f in os.listdir(demo_dir):
    path = os.path.join(demo_dir, f)
    print(f"  {'🔒' if f.endswith('.locked') else '📄'} {f} ({os.path.getsize(path)} bytes)")

print()
print("PHASE 4: RECOVERY SIMULATION")
print("  Fortunately we have BACKUPS! Decoding files...")
for filename in os.listdir(demo_dir):
    if filename.endswith('.locked'):
        locked_path = os.path.join(demo_dir, filename)
        original_name = filename[:-7]  # Remove .locked
        with open(locked_path, 'rb') as f:
            encoded_data = f.read()
        # "Decrypt" (decode base64)
        original_data = base64.b64decode(encoded_data)
        recovered_path = os.path.join(demo_dir, "RECOVERED_" + original_name)
        with open(recovered_path, 'wb') as f:
            f.write(original_data)
        print(f"  Recovered: {original_name}")

import shutil
shutil.rmtree(demo_dir)
print()
print("Demo cleanup complete. Temp files removed.")
EOF

📸 Verified Output:

RANSOMWARE BEHAVIOR SIMULATION (SAFE DEMO)
=======================================================
NOTE: This uses base64 encoding, NOT real encryption

PHASE 1: CREATING VICTIM FILES
  Created: report_Q1_2026.txt (62 bytes)
  Created: customer_data.csv (90 bytes)
  Created: project_plan.txt (75 bytes)

PHASE 2: RANSOMWARE 'ENCRYPTION' (base64 simulation)
  Attacker's 'unique victim key': SIMULATED-AES-KEY-...

  'Encrypted': report_Q1_2026.txt -> report_Q1_2026.txt.locked

PHASE 3: RANSOM NOTE DROPPED
  Ransom note: README_DECRYPT.txt

  State of victim's files:
  🔒 report_Q1_2026.txt.locked (84 bytes)
  📄 README_DECRYPT.txt (890 bytes)

PHASE 4: RECOVERY SIMULATION
  Recovered: report_Q1_2026.txt

💡 What this means: Real ransomware works identically — replacing original files with encrypted versions and dropping a ransom note. The ONLY reliable recovery without paying is having offline backups that ransomware can't reach.

Step 3: Indicators of Compromise (IOCs)

python3 << 'EOF'
print("INDICATORS OF COMPROMISE (IOC) TYPES")
print("=" * 60)

ioc_types = {
    "File Hashes (MD5, SHA-256)": {
        "description": "Cryptographic fingerprints of malware files",
        "example": "SHA256: 44d88612fea8a8f36de82e1278abb02f",
        "strength": "Very specific - changes if attacker modifies one byte",
        "weakness": "Easily evaded by slight file modification (polymorphic malware)",
        "use": "Scan endpoints for known-bad file hashes"
    },
    "IP Addresses": {
        "description": "IP addresses of C2 servers, distribution servers",
        "example": "C2 server: 198.51.100.42",
        "strength": "Can block at network level (firewall, DNS sinkhole)",
        "weakness": "Attackers change IPs frequently, use CDNs or bulletproof hosting",
        "use": "Block in firewall, alert in SIEM on connections"
    },
    "Domain Names": {
        "description": "Domains used for C2, phishing, malware distribution",
        "example": "evil-update-service.com, payload-delivery.net",
        "strength": "Longer-lived than IPs, easier to block",
        "weakness": "Attackers use DGA (Domain Generation Algorithms) to evade",
        "use": "DNS filtering, threat intelligence blocking"
    },
    "Registry Keys": {
        "description": "Windows registry modifications for persistence",
        "example": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\evil_malware",
        "strength": "Persistent — survives reboots",
        "weakness": "Attackers use legitimate key locations to blend in",
        "use": "Monitor for new Run keys, startup changes"
    },
    "Network Signatures": {
        "description": "Unique patterns in network traffic (C2 beaconing patterns)",
        "example": "HTTP User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MALWARE-FAMILY)",
        "strength": "Behavioral — catches unknown malware variants",
        "weakness": "Encrypted C2 (HTTPS) harder to signature",
        "use": "IDS/IPS rules, network traffic analysis"
    },
    "File Paths/Names": {
        "description": "Characteristic file locations used by malware families",
        "example": "%APPDATA%\\roaming\\svch0st.exe",
        "strength": "Easy to detect and hunt for",
        "weakness": "Easily changed in new variants",
        "use": "File integrity monitoring, endpoint detection"
    },
    "YARA Rules": {
        "description": "Pattern-matching rules that detect malware families",
        "example": "rule detect_wannacry { strings: $kill_switch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com' condition: all of them }",
        "strength": "Flexible, can detect variants based on code patterns",
        "weakness": "Requires ongoing maintenance as malware evolves",
        "use": "Scan files, memory, network traffic"
    },
}

for ioc_type, info in ioc_types.items():
    print(f"\n📍 {ioc_type}")
    print(f"   Description: {info['description']}")
    print(f"   Example:     {info['example'][:70]}")
    print(f"   Strength:    {info['strength']}")
    print(f"   Weakness:    {info['weakness']}")
    print(f"   Usage:       {info['use']}")

print("\n" + "=" * 60)
print("IOC SHARING PLATFORMS:")
platforms = ["MISP (Malware Information Sharing Platform)", "VirusTotal", "AlienVault OTX", "Recorded Future", "Mandiant Advantage"]
for p in platforms:
    print(f"  • {p}")
EOF

📸 Verified Output:

INDICATORS OF COMPROMISE (IOC) TYPES
============================================================

📍 File Hashes (MD5, SHA-256)
   Description: Cryptographic fingerprints of malware files
   Example:     SHA256: 44d88612fea8a8f36de82e1278abb02f
   Strength:    Very specific - changes if attacker modifies one byte
   Weakness:    Easily evaded by slight file modification

💡 What this means: The "Pyramid of Pain" (by David Bianco) ranks IOCs by how painful they are for attackers to change. Hashes are easy to change; TTPs (tactics, techniques, procedures) are hardest — focus on detecting behaviors, not just artifacts.

Step 4: Malware Analysis Techniques Overview

python3 << 'EOF'
print("MALWARE ANALYSIS TECHNIQUES")
print("=" * 60)

techniques = [
    {
        "name": "Static Analysis",
        "description": "Examining malware without executing it",
        "tools": ["strings (extract text)", "file (file type)", "hexdump (hex view)", "objdump/IDA Pro (disassembly)", "YARA (pattern matching)"],
        "finds": "File hashes, embedded strings, imports, code structure",
        "risk": "No execution risk - safe to run on any machine",
    },
    {
        "name": "Dynamic Analysis",
        "description": "Running malware in a controlled environment to observe behavior",
        "tools": ["sandbox (Cuckoo, Any.run)", "Wireshark (network)", "Process Monitor (Windows)", "strace/ltrace (Linux)"],
        "finds": "Network connections, file changes, registry modifications, processes",
        "risk": "Must use isolated VM/sandbox - never run on production",
    },
    {
        "name": "Memory Forensics",
        "description": "Analyzing RAM dumps for malware hiding from disk",
        "tools": ["Volatility Framework", "Rekall", "WinPmem (memory acquisition)"],
        "finds": "Process injection, hidden processes, encryption keys in memory",
        "risk": "Requires memory dump - no execution risk",
    },
    {
        "name": "Code Reversing",
        "description": "Disassembling/decompiling to understand malware logic",
        "tools": ["IDA Pro", "Ghidra (NSA, free)", "Binary Ninja", "x64dbg"],
        "finds": "Full understanding of malware capabilities and C2 protocol",
        "risk": "No execution risk but time-intensive",
    },
]

for tech in techniques:
    print(f"\n🔬 {tech['name']}")
    print(f"   Description: {tech['description']}")
    print(f"   Tools:       {', '.join(tech['tools'][:3])}")
    print(f"   Finds:       {tech['finds']}")
    print(f"   Risk level:  {tech['risk']}")

print("\n" + "=" * 60)
print("ANALYSIS ENVIRONMENT REQUIREMENTS:")
print("  ✅ Use isolated VMs with no network access to production")
print("  ✅ Snapshot BEFORE running malware (restore after analysis)")
print("  ✅ Use dedicated analysis network (isolated from internet)")
print("  ✅ Disable clipboard sharing with host machine")
print("  ✅ Never analyze malware on production systems")
EOF

📸 Verified Output:

MALWARE ANALYSIS TECHNIQUES
============================================================

🔬 Static Analysis
   Description: Examining malware without executing it
   Tools:       strings (extract text), file (file type), hexdump (hex view)
   Finds:       File hashes, embedded strings, imports, code structure
   Risk level:  No execution risk - safe to run on any machine
...

💡 What this means: Static analysis first (safe, fast), then dynamic analysis in isolated sandbox. Never run unknown malware on your production machine — even "detonating" in a VM requires network isolation.

Step 5: Defense Layers Against Malware

python3 << 'EOF'
print("MALWARE DEFENSE LAYERS")
print("=" * 65)

defenses_by_type = {
    "Ransomware": {
        "primary": ["Offline/immutable backups (3-2-1 rule)", "EDR with ransomware detection", "Email filtering for malicious attachments"],
        "secondary": ["Network segmentation (limit lateral movement)", "Principle of least privilege", "Application whitelisting"],
        "detection": ["File system monitoring for mass renames", "Honeypot files that trigger alerts when touched", "Shadow copy monitoring"],
        "response": "Isolate infected systems immediately. DO NOT reboot. Contact IR team"
    },
    "Rootkit": {
        "primary": ["Secure Boot", "TPM attestation", "Integrity monitoring"],
        "secondary": ["Regular offline scanning", "Network monitoring for suspicious traffic"],
        "detection": ["Memory forensics", "Kernel integrity checks", "Behavioral anomalies"],
        "response": "Assume full compromise. Reimage from known-good media"
    },
    "RAT/Botnet": {
        "primary": ["Network egress filtering", "DNS filtering", "Application whitelisting"],
        "secondary": ["EDR for process injection detection", "Firewall rules blocking unusual outbound"],
        "detection": ["Beaconing traffic patterns in SIEM", "DNS requests to unusual domains", "Process spawning anomalies"],
        "response": "Block C2 IPs/domains. Isolate endpoint. Full forensic analysis"
    },
    "All Malware Types": {
        "primary": ["Patch management (fix known vulns)", "Email security gateway", "MFA (blocks credential-based delivery)"],
        "secondary": ["Security awareness training", "Application whitelisting", "Least privilege"],
        "detection": ["EDR/AV with behavioral detection", "SIEM for correlation", "Threat hunting"],
        "response": "Incident response plan ready. Practice tabletop exercises"
    },
}

for malware_type, defenses in defenses_by_type.items():
    print(f"\n[Against {malware_type}]")
    print(f"  Primary defenses:")
    for d in defenses["primary"]:
        print(f"    ✅ {d}")
    print(f"  Detection:")
    for d in defenses["detection"]:
        print(f"    🔍 {d}")

print("\n" + "=" * 65)
print("THE 3-2-1 BACKUP RULE:")
print("  3 copies of data")
print("  2 different storage media types")
print("  1 offsite copy (ideally air-gapped/offline)")
print()
print("  Modern variant: 3-2-1-1-0")
print("  + 1 air-gapped/offline copy")
print("  + 0 errors on backup verification")
EOF

📸 Verified Output:

MALWARE DEFENSE LAYERS
=================================================================

[Against Ransomware]
  Primary defenses:
    ✅ Offline/immutable backups (3-2-1 rule)
    ✅ EDR with ransomware detection
    ✅ Email filtering for malicious attachments
  Detection:
    🔍 File system monitoring for mass renames
    🔍 Honeypot files that trigger alerts when touched
...

💡 What this means: The 3-2-1 backup rule is the single most effective ransomware defense. Without offline backups, organizations face paying the ransom or losing data. Modern ransomware specifically deletes shadow copies and network backups — only truly offline or air-gapped backups survive.

Step 6: Malware Persistence Mechanisms

python3 << 'EOF'
print("COMMON MALWARE PERSISTENCE MECHANISMS")
print("=" * 60)

linux_persistence = [
    "Cron jobs (~/.cron, /etc/cron.d/)",
    "Systemd service units (/etc/systemd/system/evil.service)",
    "~/.bashrc or ~/.profile modification",
    "SUID binary planted in /tmp or /usr/local",
    "Shared library injection (LD_PRELOAD)",
    "SSH authorized_keys backdoor",
    "Init.d scripts (/etc/init.d/)",
    "Kernel module (rootkit)",
]

windows_persistence = [
    "Registry Run keys (HKCU/HKLM\\...\\Run)",
    "Scheduled Tasks (Task Scheduler)",
    "Startup folder (%APPDATA%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)",
    "DLL hijacking",
    "COM hijacking",
    "Windows Service creation",
    "Boot/Pre-OS (bootloader rootkit, UEFI rootkit)",
    "WMI event subscriptions",
]

print("\nLinux Persistence Mechanisms:")
for mech in linux_persistence:
    print(f"  • {mech}")

print("\nWindows Persistence Mechanisms:")
for mech in windows_persistence:
    print(f"  • {mech}")

print("\n" + "=" * 60)
print("HUNTING FOR PERSISTENCE (Linux):")
hunt_commands = [
    ("Cron jobs", "crontab -l; ls /etc/cron.d/ /etc/cron.daily/"),
    ("Systemd services", "systemctl list-units --type=service | grep -v known-good"),
    ("Bashrc modification", "cat ~/.bashrc | tail -20"),
    ("SSH keys", "cat ~/.ssh/authorized_keys"),
    ("SUID files", "find / -perm -4000 -type f 2>/dev/null"),
    ("Recent files", "find / -newer /tmp -type f 2>/dev/null | head -20"),
]
for purpose, cmd in hunt_commands:
    print(f"\n  [{purpose}]")
    print(f"  $ {cmd}")
EOF

📸 Verified Output:

COMMON MALWARE PERSISTENCE MECHANISMS
============================================================

Linux Persistence Mechanisms:
  • Cron jobs (~/.cron, /etc/cron.d/)
  • Systemd service units (/etc/systemd/system/evil.service)
  • ~/.bashrc or ~/.profile modification
  ...

HUNTING FOR PERSISTENCE (Linux):

  [Cron jobs]
  $ crontab -l; ls /etc/cron.d/ /etc/cron.daily/

💡 What this means: Malware maintains persistence to survive reboots. Incident responders check all these locations systematically. MITRE ATT&CK technique TA0003 (Persistence) catalogs over 50 sub-techniques.

Step 7: Real-World Ransomware Analysis

python3 << 'EOF'
# Analysis of WannaCry (2017) - Educational
print("CASE STUDY: WANNACRY RANSOMWARE (2017)")
print("=" * 60)

wannacry_analysis = {
    "Date": "May 12, 2017",
    "Attribution": "Lazarus Group (North Korea state-sponsored)",
    "Affected": "200,000+ systems in 150 countries",
    "Notable Victims": "UK NHS (canceled operations), FedEx, Deutsche Bahn, Renault",
    "Ransom Demanded": "$300-600 in Bitcoin per system",
    "Total Ransom Paid": "~$140,000 (surprisingly low - bad payment infrastructure)",
    "Vulnerability Used": "EternalBlue (NSA exploit for SMBv1 - MS17-010)",
    "Initial Access": "Internet-exposed SMB port 445 - NO USER INTERACTION NEEDED",
    "Spread": "Worm - automatically spread to other vulnerable machines on network",
    "Kill Switch": "Attackers included a hardcoded domain check - registering domain stopped spread",
    "Kill Switch Discoverer": "Marcus Hutchins (MalwareTech) - registered domain for $10.69",
    "Lessons": [
        "Patch immediately - MS17-010 patch was available 2 months before attack",
        "Block SMBv1 and internet-facing SMB",
        "Segment networks - internal spread was devastating",
        "Have offline backups - NHS had to cancel surgeries due to locked systems",
        "Kill switches are real - threat hunting found and activated this one",
    ]
}

for key, value in wannacry_analysis.items():
    if isinstance(value, list):
        print(f"\n{key}:")
        for v in value:
            print(f"  ✓ {v}")
    else:
        print(f"{key}: {value}")

print()
print("TECHNICAL FLOW:")
technical = [
    "1. Scan internet for port 445 (SMB) open",
    "2. Exploit EternalBlue (MS17-010) buffer overflow in SMBv1",
    "3. DoublePulsar kernel backdoor implanted",
    "4. Download and execute WannaCry dropper via DoublePulsar",
    "5. Generate unique RSA key pair per victim",
    "6. Encrypt files with AES, encrypt AES key with RSA public key",
    "7. Scan local network for more vulnerable machines (worm behavior)",
    "8. Display ransom note demanding Bitcoin payment",
    "9. Before doing any of the above - check kill switch domain",
]
for step in technical:
    print(f"  {step}")
EOF

📸 Verified Output:

CASE STUDY: WANNACRY RANSOMWARE (2017)
============================================================
Date: May 12, 2017
Attribution: Lazarus Group (North Korea state-sponsored)
Affected: 200,000+ systems in 150 countries
Notable Victims: UK NHS (canceled operations), FedEx, Deutsche Bahn, Renault
...
Lessons:
  ✓ Patch immediately - MS17-010 patch was available 2 months before attack
  ✓ Block SMBv1 and internet-facing SMB
  ✓ Have offline backups - NHS had to cancel surgeries due to locked systems

💡 What this means: WannaCry is one of history's most impactful cyberattacks. It succeeded almost entirely because organizations failed to apply a patch that had been available for 2 months. Regular patching remains the single most impactful security practice.

Step 8: Malware Defense Checklist

python3 << 'EOF'
print("MALWARE DEFENSE CHECKLIST")
print("=" * 55)

checklist = {
    "Preventive Controls": [
        ("✅", "Endpoint Detection & Response (EDR) deployed on all endpoints"),
        ("✅", "Email security gateway with attachment sandboxing"),
        ("✅", "Patch management: critical patches within 72 hours"),
        ("✅", "Application whitelisting or allowlisting"),
        ("✅", "Least privilege - standard users can't install software"),
        ("✅", "MFA on all remote access and privileged accounts"),
        ("✅", "Network segmentation - crown jewels in separate segment"),
        ("✅", "USB access control - disable or limit USB on endpoints"),
    ],
    "Backup & Recovery": [
        ("✅", "3-2-1-1-0 backup rule implemented"),
        ("✅", "Backups tested monthly (restore testing, not just backup)"),
        ("✅", "Offline/air-gapped backup exists"),
        ("✅", "Recovery Time Objective (RTO) defined and achievable"),
        ("✅", "Shadow copy disabled on backup servers (not accessible via network)"),
    ],
    "Detection Controls": [
        ("✅", "SIEM with correlation rules for malware behavior"),
        ("✅", "EDR behavioral detection (not just signature-based)"),
        ("✅", "Honeypot files in sensitive directories"),
        ("✅", "File integrity monitoring on critical systems"),
        ("✅", "DNS filtering / DNS sinkholing for known-bad domains"),
    ],
    "Response Readiness": [
        ("✅", "Incident response plan documented and tested"),
        ("✅", "IR retainer with external forensics firm"),
        ("✅", "Contact lists for key stakeholders"),
        ("✅", "Isolation procedures practiced"),
        ("✅", "Law enforcement contact established (FBI Cyber Division)"),
    ],
}

for category, items in checklist.items():
    print(f"\n[{category}]")
    for status, item in items:
        print(f"  {status} {item}")

print()
print("RANSOMWARE IMMEDIATE RESPONSE:")
print("  1. ISOLATE: Disconnect infected system from network immediately")
print("  2. DON'T REBOOT: Memory forensics may recover encryption keys")
print("  3. PRESERVE: Take disk image before any remediation")
print("  4. NOTIFY: Legal, executive leadership, potentially FBI")
print("  5. ASSESS: How many systems affected? What data encrypted?")
print("  6. RECOVER: From backups - don't pay ransom (no guarantee + encourages)")
EOF

📸 Verified Output:

MALWARE DEFENSE CHECKLIST
=======================================================

[Preventive Controls]
  ✅ Endpoint Detection & Response (EDR) deployed on all endpoints
  ✅ Email security gateway with attachment sandboxing
  ✅ Patch management: critical patches within 72 hours
  ...

RANSOMWARE IMMEDIATE RESPONSE:
  1. ISOLATE: Disconnect infected system from network immediately
  ...

💡 What this means: The checklist is most valuable before an incident. Run through it quarterly. The items most commonly missing in post-incident reviews: backup testing, network segmentation, and an actual tested IR plan.

✅ Verification

# Verify the simulation ran successfully
python3 -c "
import base64
test_data = b'Test file contents for malware simulation'
encoded = base64.b64encode(test_data)
decoded = base64.b64decode(encoded)
assert decoded == test_data
print('Ransomware simulation mechanics verified')
print('Encode:', encoded[:30], '...')
print('Decode matches original:', decoded == test_data)
"

🚨 Common Mistakes

Relying only on antivirus: Signature-based AV misses 30-40% of new malware. Use behavioral EDR
Backups on same network: Ransomware specifically deletes network-accessible backups. Use offline/air-gapped copies
Not testing backups: Discovering backup corruption during a ransomware incident is catastrophic
Paying the ransom: No guarantee of decryption key, marks you as willing to pay, no law enforcement coordination
Not practicing incident response: First exposure to IR procedures should not be during an active incident

📝 Summary

Malware types (virus, worm, trojan, ransomware, rootkit) have distinct behaviors requiring different detection and response approaches
Ransomware encrypts files and demands payment; offline backups following 3-2-1 rule are the only reliable protection
IOCs (file hashes, IPs, domains, registry keys) are forensic evidence of compromise; share them via threat intelligence platforms
Defense layers (EDR, email security, patching, MFA, backups, network segmentation) work together — no single control is sufficient
Never analyze malware on production systems; use isolated VMs with snapshot capability and network isolation

🔗 Further Reading

PreviousLab 12: Social Engineering NextLab 14: Firewalls and IDS

Last updated 28 days ago

Good afternoon

hashtag🎯 Objective

hashtag📚 Background

hashtag⏱️ Estimated Time

hashtag📋 Prerequisites

hashtag🛠️ Tools Used

hashtag🔬 Lab Instructions

hashtagStep 1: Malware Classification

hashtagStep 2: Ransomware Behavior Simulation (Safe Demo)

hashtagStep 3: Indicators of Compromise (IOCs)

hashtagStep 4: Malware Analysis Techniques Overview

hashtagStep 5: Defense Layers Against Malware

hashtagStep 6: Malware Persistence Mechanisms

hashtagStep 7: Real-World Ransomware Analysis

hashtagStep 8: Malware Defense Checklist

hashtag✅ Verification

hashtag🚨 Common Mistakes

hashtag📝 Summary

hashtag🔗 Further Reading

🎯 Objective

📚 Background

⏱️ Estimated Time

📋 Prerequisites

🛠️ Tools Used

🔬 Lab Instructions

Step 1: Malware Classification

Step 2: Ransomware Behavior Simulation (Safe Demo)

Step 3: Indicators of Compromise (IOCs)

Step 4: Malware Analysis Techniques Overview

Step 5: Defense Layers Against Malware

Step 6: Malware Persistence Mechanisms

Step 7: Real-World Ransomware Analysis

Step 8: Malware Defense Checklist

✅ Verification

🚨 Common Mistakes

📝 Summary

🔗 Further Reading