Stackhackr Attack - Fileless Ransomware

How stackhackr works

Stackhackr allows IT and security pros to test their endpoint security by creating a mock piece of malware that simulates real malware behavior.

Attack type

Fileless ransomware attack

Simulated behavior

Deleting shadow volume copies

This attack simulates behavior exhibited by a wide variety of prominent ransomware variants, including Locky, Dharma, and Spora. As part of the infection process, ransomware will often delete shadow volume copies, which are backup snapshots of files that can be taken even while those files are in use. By deleting shadow volume copies, ransomware authors prevent victims from using them to recover encrypted files.

To simulate suspicious shadow volume deletion, the mock ransomware you make with stackhackr creates a script hidden in your temp directory. That script then launches an executable to simulate the shadow volume deletion.

Your endpoint security should be able to look at that chain, recognize that it is a very suspicious sequence of behaviors, and block it.

Note: To keep this test safe, no shadow volume copies are actually deleted and no files are encrypted.

Attack type

Credential theft

Simulated behavior

Grabbing passwords from LSASS process memory

On Windows machines, the Local Security Authority Subsystem Service (LSASS.exe) stores credentials in memory so users in active Windows sessions don’t have to keep re-entering them to access various network resources. That unfortunately makes it a popular target for attackers using credential stealing tools like Mimikatz.

To keep this test safe, the mock malware created with stackhackr simply simulates accessing the credentials stored in LSASS without actually looking at them.
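Added example (not Stackhackr's or Barkly's code): a small Python detector over constructed Sysmon-style process-creation and process-access events, showing the kind of behavioral check that flags both chains described above, a script run from a temp directory that leads to a shadow-copy deletion command, and a non-system process reading lsass.exe memory. It assumes the simulated deletion command resembles the vssadmin/wmic commands real ransomware uses (the page does not name the executable) and that the allow-list of legitimate LSASS readers is an assumption for illustration.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Chain 1: a .vbs in
# %TEMP% runs under wscript.exe and spawns cmd.exe with a shadow deletion
# command. Chain 2: an unknown image opens lsass.exe with read access.
EVENTS = [
    {"type": "create", "pid": 400, "ppid": 1, "image": "explorer.exe",
     "cmd": "explorer.exe"},
    {"type": "create", "pid": 412, "ppid": 400, "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\bob\AppData\Local\Temp\upd.vbs"},
    {"type": "create", "pid": 420, "ppid": 412, "image": "cmd.exe",
     "cmd": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"type": "access", "source": r"C:\Temp\mock.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"type": "access", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": 0x1FFFFF},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
TEMP_DIR = re.compile(r"\\(Temp|tmp)\\", re.I)
SHADOW_DELETE = re.compile(
    r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumed allow-list of system images that legitimately open LSASS.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "lsass.exe", "svchost.exe"}


def shadow_copy_chain(events, max_depth=8):
    """Return pids of shadow-copy deletion commands whose ancestry includes
    a script host running a script from a temp directory."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    hits = []
    for e in procs.values():
        if not SHADOW_DELETE.search(e["cmd"]):
            continue
        parent, depth = procs.get(e["ppid"]), 0
        while parent and depth < max_depth:  # walk up the parent chain
            if parent["image"].lower() in SCRIPT_HOSTS and TEMP_DIR.search(parent["cmd"]):
                hits.append(e["pid"])
                break
            parent, depth = procs.get(parent["ppid"]), depth + 1
    return hits


def lsass_access(events):
    """Return source images that opened lsass.exe with PROCESS_VM_READ
    and are not on the allow-list of known system readers."""
    return [e["source"] for e in events if e["type"] == "access"
            and e["target"].lower().endswith("\\lsass.exe")
            and e["access"] & PROCESS_VM_READ
            and e["source"].rsplit("\\", 1)[-1].lower() not in LSASS_ALLOWED]
```

Run against the constructed events, `shadow_copy_chain` reports pid 420 and `lsass_access` reports only the non-system image; a real rule would add the parent's own command line and the access mask to the alert so responders can confirm the chain.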


Why testing protection against these behaviors is important

There are multiple tests available to determine whether your antivirus is up to date with the latest virus signatures, but few that let you test your endpoint protection against simulated malicious behavior.

That’s important to do because the majority of today’s malware can be modified to evade file-scanning tools. In fact, many modern attacks can simply avoid file-based infection by:

  • Using exploits
  • Leveraging legitimate scripting tools like PowerShell
  • Streaming malicious code directly into other processes or the registry

To prevent these fileless attacks from succeeding, security tools need to be able to identify and block malicious behavior during runtime.

If your current security can't block the behaviors simulated in these tests, then you are vulnerable to compromise from real attacks.


See how Barkly’s Runtime Malware Defense blocks ransomware, exploits, fileless malware, and other advanced attacks before any damage is done.
