Ransomware Analysis Lab Setup

TL;DR

This guide shows you how to build a safe environment (a lab) for studying ransomware without risking your main computer. We’ll use VirtualBox, create virtual machines, and set up basic networking so the ransomware can’t spread.

1. Choose Your Tools

We’ll be using free tools:

  • VirtualBox: software for running virtual computers inside your computer.
  • Kali Linux: a specialist operating system for security testing (we’ll use it for analysis).
  • A Windows VM: we need a ‘victim’ computer to infect with ransomware. You can download a free trial or use an older, unused licence; Microsoft provides evaluation versions.

2. Install VirtualBox

  1. Download and install VirtualBox following the on-screen instructions. Accept the default settings unless you have a specific reason to change them.

3. Create the Kali Linux VM

  1. Open VirtualBox. Click New.
  2. Give your VM a name (e.g., “Kali Analysis”), select Linux as the type, and choose Debian (64-bit) as the version, since Kali is Debian-based.
  3. Allocate at least 4GB of RAM (8GB is better).
  4. Create a virtual hard disk. Choose VDI as the file type and Dynamically allocated to save space. Allocate at least 20GB of storage.
  5. After creating the VM, select it in VirtualBox and click Settings.
  6. Go to Storage. Under Controller: IDE, click the empty disc icon. Choose your downloaded Kali Linux ISO file.
  7. Start the VM. Follow the on-screen instructions to install Kali Linux.

4. Create the Windows Victim VM

  1. Repeat the steps from section 3, but this time name your VM something like “Windows Victim”.
  2. Select Microsoft Windows as the type and choose the correct version of Windows you’re installing.
  3. Allocate at least 2GB of RAM (4GB is better).
  4. Create a virtual hard disk, using VDI and Dynamically allocated with at least 20GB storage.
  5. Mount your Windows ISO file in the Storage settings as you did for Kali Linux.
  6. Start the VM and install Windows.

5. Network Configuration (Crucial!)

We need to isolate our lab network so ransomware can’t spread to your real computer.

  1. In VirtualBox, click File -> Host Network Manager.
  2. Create a new virtual network adapter (e.g., “LabNetwork”).
  3. Leave the default settings for DHCP server and subnet mask. Note down the IPv4 Address range – you’ll need this later.
  4. Select each VM in VirtualBox, go to Settings -> Network.
  5. Change the adapter type from NAT to Internal Network.
  6. In the ‘Name’ field, select the virtual network you created (e.g., “LabNetwork”).

This means both VMs will be on a private network only accessible by each other and your host machine. Bear in mind that VirtualBox’s Internal Network mode has no link to the host at all, which is the safest setting for detonation; the host only becomes reachable if an adapter is set to Host-only instead, and a host that can reach the victim VM is exactly the machine this lab is meant to protect.

6. Install Analysis Tools in Kali Linux

  1. Open a terminal in Kali Linux.
  2. Update the package list:
    sudo apt update
  3. Upgrade installed packages:
    sudo apt upgrade -y
  4. Install useful tools (example):
    sudo apt install radare2 binwalk yara tcpdump wireshark -y

7. File Sharing Between VMs

To transfer files between Kali and the Windows VM:

  1. Shared Folders: In VirtualBox, select a VM -> Settings -> Shared Folders. Add a folder on your host machine that both VMs can access.
  2. Network Share (SMB): Install Samba on Kali Linux and set up a shared folder accessible from the Windows VM. This is more complex but offers better control.

8. Testing Your Lab

  1. From the Windows VM, try to ping the Kali Linux VM using its internal IP address (it will fall within the address range you noted in section 5).
    ping <Kali_IP_Address>
  2. From the Kali Linux VM, try to ping the Windows VM.
  3. If both pings work, your network is configured correctly!

9. Next Steps

  • Download ransomware samples (from safe sources like VirusTotal or Hybrid Analysis). Never download from untrusted websites!
  • Start analyzing the malware using the tools you installed in Kali Linux.
  • Take snapshots of your VMs before running any potentially harmful software, so you can easily revert to a clean state.
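
Before detonating a sample, it is worth checking the victim VM’s configuration rather than trusting that the network change from section 5 was applied and the shared folder from section 7 was removed. The script below is an added example, not part of the original guide: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` (the `nicN`, `intnetN`, `SharedFolderNameMachineMappingN`, `clipboard` and `draganddrop` keys are VirtualBox’s own) and fails if any adapter is NAT, bridged or host-only, a shared folder is still attached, or clipboard/drag-and-drop sharing is enabled. The VM name and the sample output embedded in it are constructed.

```python
"""Pre-detonation isolation audit for the VirtualBox victim VM.
Parses `VBoxManage showvminfo <vm> --machinereadable` output and flags
settings that would give ransomware a path off the lab network."""
import re
import sys

# Adapter modes acceptable on a detonation VM: Internal Network (the mode used in
# step 5) or no link at all; nat/bridged/hostonly reach the host or the Internet.
SAFE_NIC_MODES = {"none", "null", "intnet"}
KV_RE = re.compile(r'^([A-Za-z0-9_]+)="?(.*?)"?$')


def parse_showvminfo(text):
    """Turn machine-readable key="value" lines into a dict (other lines are skipped)."""
    matches = (KV_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit_isolation(text):
    """Return a list of violations; an empty list means the VM passes."""
    s = parse_showvminfo(text)
    problems = []
    for key, mode in sorted(s.items()):
        if re.fullmatch(r"nic\d+", key) and mode not in SAFE_NIC_MODES:
            problems.append(f"{key} is '{mode}'; expected Internal Network")
    for key, name in s.items():
        if key.startswith("SharedFolderNameMachineMapping"):
            problems.append(f"shared folder '{name}' still attached; detach before detonation")
    for feature in ("clipboard", "draganddrop"):
        if s.get(feature, "disabled") != "disabled":
            problems.append(f"{feature} is '{s[feature]}'; should be disabled")
    return problems


# Constructed sample (not real VBoxManage output): NIC 1 was left on NAT and the
# shared folder from step 7 is still mounted.
SAMPLE_RISKY = '''nic1="nat"
nic2="intnet"
intnet2="LabNetwork"
SharedFolderNameMachineMapping1="lab"
SharedFolderPathMachineMapping1="/home/analyst/lab"
clipboard="bidirectional"
draganddrop="disabled"
'''

if __name__ == "__main__":
    # Host usage: VBoxManage showvminfo "Windows Victim" --machinereadable | python audit_vm.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RISKY
    issues = audit_isolation(text)
    print("\n".join(issues) or "OK: VM looks isolated")
    sys.exit(1 if issues else 0)
```

Run with no input to see the three findings on the constructed sample; a clean VM prints OK and exits 0, which makes the check easy to script before every detonation.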