Windows LotL Ransomware

Discover the current user's home directory. Generate a random password string. Use the 7-Zip command-line tool to recursively archive the discovered folder into a password-protected archive, so that the data is held hostage without any custom encryption routine (the "living off the land" in the chain name). Drop and open a ransom note. Learn more on our release blog post.

This chain includes the following resources:

TTPs
  • Get user's home directory
  • Create a random password string
  • Encrypt directories with zip
  • Leave encrypted data recovery note
Supported platforms
  • windows
Supported executors
  • psh
Payloads
  • Write-ZipUsing7Zip.ps1
  • ransom_note.txt
In The News
A ransomware gang made $260,000 in 5 days using the 7zip utility
Threat Intel
Bart Ransomware Creates Password-Protected ZIP Files in Place of Common Encryption
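Because the chain never touches a crypto API, the observable it leaves is the archiver's command line: an archiver started from a script host, told to recurse, and given a password switch, with a user's home directory as the source. The detection below is an added example written for this page; it is not part of the Prelude chain or of the Write-ZipUsing7Zip.ps1 payload. It runs over process-creation records in Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, CurrentDirectory; an assumption, Windows 4688 or auditd execve carry the same data under other names) and also covers the Linux variant of the chain, which uses Info-ZIP's zip instead of 7-Zip. The sample records are constructed, not real telemetry.

```python
"""Flag archiver invocations that match the LotL ransomware chain:
password-protected, recursive, sourced from a user's home directory.
Added example; not Prelude's code. Field names follow Sysmon (assumption)."""
import re

# Archiver images that can write password-protected archives.
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe", "zip"}

# Shells and script hosts a LotL chain typically drives the archiver from.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "bash", "sh", "python", "python3"}

# Roots of per-user data, plus the environment forms a script is likely to pass.
USER_DATA_MARKERS = ("c:\\users\\", "/home/", "/users/", "%userprofile%",
                     "$home", "$env:userprofile", "~/")


def _basename(path):
    """Final path component, lower-cased, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def _tokens(command_line):
    """Split a command line, keeping quoted paths with spaces as one token."""
    raw = re.findall(r"\"[^\"]*\"|'[^']*'|\S+", command_line)
    return [t.strip("\"'") for t in raw]


def _touches_user_data(tokens, cwd):
    """True if any argument or the working directory points into a home directory."""
    candidates = [t.lower() for t in tokens] + [cwd.lower()]
    return any(m in c for c in candidates for m in USER_DATA_MARKERS)


def _sevenzip_flags(tokens):
    """Password, recursion and header-encryption switches of a 7-Zip add/update command."""
    if len(tokens) < 2 or tokens[1].lower() not in ("a", "u"):
        return {}
    switches = [t.lower() for t in tokens[2:] if t.startswith("-")]
    return {
        "password": any(s.startswith("-p") for s in switches),        # -p (prompt) or -pSECRET
        "recursive": any(s in ("-r", "-r0") for s in switches),       # -r- disables recursion
        "header_encryption": any(s.startswith("-mhe") and not s.endswith("=off")
                                 for s in switches),                  # hides file names too
    }


def _zip_flags(tokens):
    """Password and recursion switches of Info-ZIP's zip (short flags may be combined, e.g. -re)."""
    short = [t[1:] for t in tokens[1:] if t.startswith("-") and not t.startswith("--")]
    long_ = [t for t in tokens[1:] if t.startswith("--")]
    return {
        "password": any("e" in s or "P" in s for s in short)
                    or any(l.startswith(("--encrypt", "--password")) for l in long_),
        "recursive": any("r" in s or "R" in s for s in short)
                     or any(l in ("--recurse-paths", "--recurse-patterns") for l in long_),
        "header_encryption": False,                                   # zip cannot encrypt names
    }


def analyze(record):
    """Return a finding dict for one process-creation record, or None if it is not suspicious."""
    image = _basename(record["Image"])
    if image not in ARCHIVERS:
        return None
    tokens = _tokens(record["CommandLine"])
    flags = _zip_flags(tokens) if image == "zip" else _sevenzip_flags(tokens)
    if not flags.get("password"):
        return None  # an unencrypted archive is ordinary backup/packaging activity
    reasons = ["password-protected archive"]
    if flags["recursive"]:
        reasons.append("recursive")
    if flags["header_encryption"]:
        reasons.append("encrypted file names (-mhe)")
    if _touches_user_data(tokens, record.get("CurrentDirectory", "")):
        reasons.append("targets user home directory")
    parent = _basename(record.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by {parent}")
    # One indicator beyond the password is required: a lone encrypted archive
    # made from Explorer is too common to alert on.
    if len(reasons) < 2:
        return None
    severity = ("high" if "recursive" in reasons and "targets user home directory" in reasons
                else "medium")
    return {"image": image, "severity": severity, "reasons": reasons}


def scan(records):
    """Run analyze() over a batch of records and keep only the hits."""
    return [f for f in (analyze(r) for r in records) if f]


# Constructed sample records (not real telemetry), Sysmon field names.
SAMPLE_RECORDS = [
    {   # Windows chain: PowerShell drives 7z.exe over the discovered home directory
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CurrentDirectory": r"C:\Users\alice",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -r -pK7f2Qx9LmZp0 -mhe=on C:\Users\alice\locked.7z "C:\Users\alice"',
    },
    {   # Linux variant of the chain: built-in zip with a supplied password
        "Image": "/usr/bin/zip",
        "ParentImage": "/usr/bin/bash",
        "CurrentDirectory": "/home/alice",
        "CommandLine": "zip -r -P K7f2Qx9LmZp0 /home/alice/locked.zip /home/alice",
    },
    {   # Benign: same archiver, no password, one document
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\alice\Documents",
        "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a report.7z report.docx',
    },
    {   # Benign: encrypted archive from the GUI, single file, outside a home directory
        "Image": r"C:\Program Files\7-Zip\7zG.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"D:\share",
        "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" a -pHandover D:\share\handover.7z D:\share\handover.xlsx',
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Two caveats a defender should carry away from this. The logic only works where command-line auditing is on (Sysmon, or 4688 with "Include command line in process creation events"); without it the password switch is invisible. Conversely, when it is on, the chain's random password is written into the process telemetry in clear, because 7-Zip's `-p` and zip's `-P` take the password as an argument, which is the first place to look when recovering from this kind of incident.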

Use Prelude chains to test your defense with simulated adversaries.
New chains drop weekly on #TTPtuesday

The Prelude Operator App

Run attack chains in the Prelude Operator app, available on all supported systems, and defend your organization by mimicking real adversary behavior.

Upcoming

Next Chain Drop
2022-01-18

More Chains

← Previous

S(C)wipe

2021-12-28
tactics
impact
Tags
ransomware
destructive
Platforms
darwin
The purpose of this chain is to deliver a ransomware attack without a traditional encryption routine, which makes it harder to detect and exercises an alternative method that may be a blind spot in current defenses.

Next →

Linux LotL Ransomware

2021-12-14
tactics
discovery
collection
impact
Tags
ransomware
wizard spider
Platforms
linux
Discover the current user's home directory. Generate a random password string. Use the built-in zip tool to recursively zip the discovered folder into a password-protected archive. Drop and open a ransom note.

Latest Drop

Conti Recon And Initial Access

2022-01-11
tactics
execution
initial-access
Tags
Platforms
windows
Stage a phishing email in the user's Documents directory, then open it. Next, stage and launch a malicious PDF in the user's Downloads directory. The malicious PDF creates a C:\Conti directory to stage and launch a Jambi agent.