How to Start Ransomware Attack Projects Using NS3

To start a ransomware attack using NS3 that encompasses to simulate the ransomware’s behavior within a networked environment. NS3 is mainly a network simulator and it doesn’t simulate the system-level malware behavior directly, but we can be replicated the network features of a ransomware attack like:

  1. Infection Propagation: Broadcast of ransomware via the network.
  2. Data Exfiltration: Ransomware to transmit encrypted information to a remote server.
  3. Command and Control (C&C) Communication: Interaction among the infected nodes and the attacker.
  4. Payload Delivery: To simulate how ransomware gain access to the system through vulnerabilities or phishing emails.

The following is a basic guide on how to make a project to replicate a ransomware attack in NS3:

Steps to Start Ransomware Attack Projects in NS3

  1. Set Up NS3
  • Initially, we install and build NS3 using below command:

./waf configure

./waf build

  • Confirm the installation:

./waf –run hello-simulator

  1. Understand Ransomware Behavior
  • Stages of Ransomware:
    • Delivery: To distribute phishing email, malicious link, or exploit.
    • Infection: Malware performs on the machine of victim.
    • Encryption: Ransomware encodes files.
    • Communication: It transmits encryption key or records to the server of attacker.
  • Network Simulation Goals:
    • Broadcast ransomware via the network.
    • To mimic interaction with C&C server of the attacker.
    • We need to exfiltrate encrypted information.
  1. Define the Network Topology
  • Make a network including:
    • Victim Nodes: It denotes the end-user systems.
    • Attacker Node: This node to command and control the server.
    • Phishing Server: These server distributes the ransomware payload.
  • Example Topology:

NodeContainer victimNodes, phishingServer, attackerNode;

victimNodes.Create(3);    // Three victims

phishingServer.Create(1); // Phishing server

attackerNode.Create(1);   // Attacker’s C&C server

PointToPointHelper p2p;

p2p.SetDeviceAttribute(“DataRate”, StringValue(“100Mbps”));

p2p.SetChannelAttribute(“Delay”, StringValue(“2ms”));

// Connect nodes

NetDeviceContainer devices1 = p2p.Install(NodeContainer(victimNodes.Get(0), phishingServer.Get(0)));

NetDeviceContainer devices2 = p2p.Install(NodeContainer(victimNodes.Get(1), phishingServer.Get(0)));

NetDeviceContainer devices3 = p2p.Install(NodeContainer(attackerNode.Get(0), phishingServer.Get(0)));

  1. Assign IP Addresses
  • We install the Internet stack and then allocate an IPs to the nodes.

InternetStackHelper stack;

stack.Install(victimNodes);

stack.Install(phishingServer);

stack.Install(attackerNode);

Ipv4AddressHelper address;

address.SetBase(“10.1.1.0”, “255.255.255.0”);

address.Assign(devices1);

address.SetBase(“10.1.2.0”, “255.255.255.0”);

address.Assign(devices2);

address.SetBase(“10.1.3.0”, “255.255.255.0”);

address.Assign(devices3);

  1. Simulate Legitimate Communication
  • We want to insert typical interaction among the target nodes and the phishing server.

uint16_t port = 80;

UdpEchoServerHelper echoServer(port);

ApplicationContainer serverApp = echoServer.Install(phishingServer.Get(0));

serverApp.Start(Seconds(1.0));

serverApp.Stop(Seconds(20.0));

UdpEchoClientHelper echoClient(Ipv4Address(“10.1.1.1”), port);

echoClient.SetAttribute(“MaxPackets”, UintegerValue(50));

echoClient.SetAttribute(“Interval”, TimeValue(Seconds(1.0)));

echoClient.SetAttribute(“PacketSize”, UintegerValue(512));

ApplicationContainer clientApps = echoClient.Install(victimNodes);

clientApps.Start(Seconds(2.0));

clientApps.Stop(Seconds(20.0));

  1. Simulate Ransomware Behavior

6.1 Payload Delivery (Phishing Email or Exploit)

  • Replicate the phishing emails or malicious links for payload delivery:

void DeliverPayload(Ptr<Node> phishingServer, Ptr<Node> victim) {

NS_LOG_UNCOND(“Phishing server delivering payload to victim at time: ” << Simulator::Now());

// Implement payload delivery logic, such as sending a malicious packet

Ptr<Socket> socket = Socket::CreateSocket(phishingServer, TypeId::LookupByName(“ns3::UdpSocketFactory”));

InetSocketAddress remote = InetSocketAddress(victim->GetObject<Ipv4>()->GetAddress(1, 0).GetLocal(), 4444);

socket->Connect(remote);

Ptr<Packet> payload = Create<Packet>((uint8_t*)”RANSOMWARE_PAYLOAD”, 20);

socket->Send(payload);

}

Simulator::Schedule(Seconds(3.0), &DeliverPayload, phishingServer.Get(0), victimNodes.Get(0));

6.2 C&C Communication

  • Mimic interaction with C&C server of attacker:

void CommandAndControl(Ptr<Node> victim, Ptr<Node> attacker) {

NS_LOG_UNCOND(“Victim communicating with attacker’s C&C server at time: ” << Simulator::Now());

Ptr<Socket> socket = Socket::CreateSocket(victim, TypeId::LookupByName(“ns3::TcpSocketFactory”));

InetSocketAddress remote = InetSocketAddress(attacker->GetObject<Ipv4>()->GetAddress(1, 0).GetLocal(), 8080);

socket->Connect(remote);

Ptr<Packet> encryptionKey = Create<Packet>((uint8_t*)”ENCRYPTION_KEY”, 14);

socket->Send(encryptionKey);

}

Simulator::Schedule(Seconds(5.0), &CommandAndControl, victimNodes.Get(0), attackerNode.Get(0));

6.3 Data Exfiltration

  • We replicate the transfer of encrypted information to the attacker:

void ExfiltrateData(Ptr<Node> victim, Ptr<Node> attacker) {

NS_LOG_UNCOND(“Victim exfiltrating encrypted data to attacker at time: ” << Simulator::Now());

Ptr<Socket> socket = Socket::CreateSocket(victim, TypeId::LookupByName(“ns3::TcpSocketFactory”));

InetSocketAddress remote = InetSocketAddress(attacker->GetObject<Ipv4>()->GetAddress(1, 0).GetLocal(), 9090);

Ptr<Packet> encryptedData = Create<Packet>((uint8_t*)”ENCRYPTED_DATA”, 14);

socket->Send(encryptedData);

}

Simulator::Schedule(Seconds(7.0), &ExfiltrateData, victimNodes.Get(0), attackerNode.Get(0));

  1. Enable Packet Tracing
  • For analysis, we seize packets within Wireshark to utilize PCAP:

PointToPointHelper p2p;

p2p.EnablePcapAll(“ransomware-attack”);

  1. Run the Simulation
  • Now, we should compile and run the simulation:

./waf –run ransomware-attack

  1. Analyze the Attack
  • Go to the .pcap files using Wireshark:

wireshark ransomware-attack-0-0.pcap

  • Verify phishing payloads and C&C interaction:
    • Payload Delivery: We seek the packets that having RANSOMWARE_PAYLOAD.
    • Data Exfiltration: Confirm encrypted information, which is transmitted to the attacker.
  1. Implement Detection and Mitigation
  • Detection:
    • Observe the unusual traffic patterns like:
      • High amounts of outbound encrypted information.
      • Interaction with unknown or suspicious IPs.
    • Example: For anomaly detection we can utilize FlowMonitor in NS3.
  • Mitigation:
    • Utilize firewalls to obstruct the traffic to C&C servers.
    • Identify and stop the malicious payloads with the help of intrusion detection systems (IDS).
  1. Evaluate Metrics
  • Estimate the effect of the attack:
    • Payload Delivery Success Rate: We need to compute the rate of infected nodes.
    • Data Exfiltration Volume: Measure the amount of encrypted information, which is transmitted to the attacker.
    • Communication Latency: Estimate the duration for C&C interaction.
  1. Extend the Simulation
  • We can replicate:
    • Variations of ransomware attacks like worm-like propagation.
    • Defenses such as IDS, firewalls, or backup-based recovery.
  • Experiment the scenarios including several attackers or more complex topologies.

As explained above, we successfully performed for replicating the ransomware attacks’ network features using NS3 environment. If you require extra details regarding this topic, we will send it you later.

It is quite challenging to obtain Ransomware Attack Projects utilizing the ns3 tool; therefore, we are actively engaged in this area. If you seek innovative project outcomes, allow our team to manage your requirements. Please send us a message to receive expert guidance. We specialize in Infection Propagation, Data Exfiltration, and Payload Delivery tailored to your project needs.