Very Fast Ransomware Simulator which encrypts files without getting detected by EDR
bidhata/catchmeifyoucan
Catch Me If You Can

Disclaimer:
This repository is intended for security research and defensive testing only in controlled lab environments.
Do not deploy on production systems or systems you do not own. Misuse may violate laws.

Overview

Catch Me If You Can is a fast ransomware behavior simulator written in C++, inspired by techniques used in certain modern ransomware families (e.g., encrypting only the first portion of files to speed up impact and reduce CPU footprint).
Its goal is to help blue teams, incident responders, and researchers study behavioral patterns and develop effective defenses, in particular around:

  • File modification detection
  • EDR/AV alerting thresholds
  • Backup & recovery workflows

Structure

  • main.cpp – Primary program entry point
  • libs/aes/ – AES encryption library for simulation
  • bin/ – Likely output artifacts from builds
  • Code::Blocks project files:
    • EncTest.cbp
    • EncTest.depend
    • EncTest.layout
  • .vscode/ – Editor settings
  • LICENSE – Apache-2.0 License
  • README.md – Project description

Features

  • Partial File Processing – Emulates the “fast encryption” tactic by only altering the first part of files.
  • High Throughput Simulation – Quickly touches many files to test detection logic.
  • Configurable Paths – Run tests on synthetic or dummy datasets.
  • Open Source AES Library – Uses a bundled AES implementation for simulation only.

Defensive Insights

This simulator mimics ransomware trade-offs between speed and stealth. Below are the non-operational takeaways defenders can apply:

1. Partial-content encryption patterns

Behavior:

  • Touches many files, writing small high-entropy chunks near the start.

Mitigations:

  • File-system heuristics to flag bursty open–write–close loops across diverse directories and file types.
  • Entropy-delta monitoring on leading file segments (e.g., sudden entropy jumps in the first 64–256 KB).
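As an added example for the entropy-delta heuristic above (not code from the catchmeifyoucan repository), a small Python monitor: it takes two snapshots of the Shannon entropy of each file's leading segment and reports files whose head jumped from plaintext-like to ciphertext-like values. The 64 KB window and both thresholds are assumptions, and the "file contents" in `demo()` are constructed byte strings held in memory, so nothing on disk is touched.

```python
"""Entropy-delta monitor for the leading segment of files.

Added example for the catchmeifyoucan README; it is not part of the project.
Compares two snapshots of per-file leading-segment entropy and reports files whose
head jumped from plaintext-like to ciphertext-like values, which is the footprint
of partial-file encryption. LEAD_BYTES and the two thresholds are assumed values.
"""
import math
import os
from collections import Counter

LEAD_BYTES = 64 * 1024   # inspect the first 64 KB of each file (assumed window)
ENTROPY_JUMP = 2.0       # bits/byte increase between scans that counts as a jump
HIGH_ENTROPY = 7.0       # level at or above which the head looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    entropy = 0.0
    n = len(data)
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def leading_entropy(path: str, lead: int = LEAD_BYTES) -> float:
    """Entropy of the first `lead` bytes of a file on disk."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(lead))


def snapshot(paths) -> dict:
    """path -> leading-segment entropy for every regular file in `paths`."""
    return {p: leading_entropy(p) for p in paths if os.path.isfile(p)}


def entropy_deltas(before: dict, after: dict,
                   jump: float = ENTROPY_JUMP, high: float = HIGH_ENTROPY) -> list:
    """Files whose leading entropy rose by at least `jump` bits and now sits at or
    above `high`. Requiring both avoids alerting on files that were already
    high-entropy (compressed archives, media) and merely changed slightly."""
    alerts = []
    for path, new in after.items():
        old = before.get(path)
        if old is not None and new - old >= jump and new >= high:
            alerts.append((path, round(old, 2), round(new, 2)))
    return alerts


def demo() -> list:
    """Constructed in-memory snapshots; no files are written or modified."""
    plain = (b"The quick brown fox jumps over the lazy dog. " * 1500)[:LEAD_BYTES]
    # Stand-in for a ciphertext head: every byte value equally often (8.0 bits/byte).
    # This is constructed data, not the output of any cipher.
    noisy = (bytes(range(256)) * 256)[:LEAD_BYTES]
    before = {"report.docx": shannon_entropy(plain),
              "notes.txt": shannon_entropy(plain),
              "photo.jpg": shannon_entropy(noisy)}     # compressed: high baseline
    after = {"report.docx": shannon_entropy(noisy),    # head overwritten -> alert
             "notes.txt": shannon_entropy(plain),      # untouched -> silent
             "photo.jpg": shannon_entropy(noisy)}      # still high, no jump -> silent
    return entropy_deltas(before, after)


if __name__ == "__main__":
    for path, old, new in demo():
        print(f"ALERT {path}: leading entropy {old} -> {new} bits/byte")
```

In a lab, call `snapshot()` over the dummy dataset before and after a simulator run and hand both dictionaries to `entropy_deltas()`. The delta-plus-absolute rule is the point of the example: an absolute entropy threshold alone fires on every JPEG and ZIP on the share, whereas a jump of several bits on a file that used to read as text is rare outside encryption.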

2. Throughput and breadth over depth

Behavior:

  • Prioritizes number of files over full-file encryption to finish quickly.

Mitigations:

  • Deploy honeyfiles/canary docs in key locations; alert on first modification.
  • Rate-limit guards that trigger if a process modifies N distinct files in M seconds.

3. EDR evasion via “low CPU, short dwell per file”

Behavior:

  • Very short per-file dwell time to evade simplistic CPU-usage triggers.

Mitigations:

  • Process allowlists and application control (only sanctioned binaries modify user data roots).
  • Monitor command-line usage and parent/child process lineage for suspicious write activity.
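An added example (not code from the catchmeifyoucan project) covering the mitigations in sections 2 and 3 together: honeyfile alerts, the "N distinct files in M seconds" rate guard, and an allowlist of processes sanctioned to write under user data roots. The event format (`epoch_seconds pid process path`, one time-ordered line each), the process names, paths, pids and thresholds are all constructed for the example; a real EDR, Sysmon or auditd feed carries the same fields in a different shape.

```python
"""Behavioral detection over a file-modification event stream.

Added example for the catchmeifyoucan README, not project code. Covers three of the
README's mitigations: honeyfile alerts, an N-files-in-M-seconds rate guard, and an
allowlist of processes sanctioned to write under user data roots. The event format
('epoch_seconds pid process path', time-ordered) and every path, pid, process name
and threshold below are constructed for the example.
"""
from collections import defaultdict, deque

MAX_DISTINCT_FILES = 5          # N: distinct files one process may modify ...
WINDOW_SECONDS = 10.0           # M: ... inside a window this long (assumed values)
HONEYFILES = {"/home/alice/Documents/passwords_backup.docx"}   # constructed canary
DATA_ROOTS = ("/home/", "/srv/share/")                         # constructed roots
SANCTIONED = {"libreoffice", "gimp", "rsync"}                  # constructed allowlist


def parse_event(line):
    """'ts pid process path' -> (float, int, str, str); the path may contain spaces."""
    ts, pid, proc, path = line.split(maxsplit=3)
    return float(ts), int(pid), proc, path


def detect(lines, n=MAX_DISTINCT_FILES, m=WINDOW_SECONDS,
           honeyfiles=HONEYFILES, roots=DATA_ROOTS, sanctioned=SANCTIONED):
    """Return alert tuples of the form (kind, pid, process, detail, timestamp)."""
    alerts = []
    recent = defaultdict(deque)   # pid -> (ts, path) events from the last m seconds
    burst_fired = set()           # pids already reported for a burst
    unsanctioned_fired = set()    # pids already reported as unsanctioned writers
    for line in lines:
        ts, pid, proc, path = parse_event(line)

        # 1. Canary documents: any write is an alert, regardless of volume.
        if path in honeyfiles:
            alerts.append(("honeyfile", pid, proc, path, ts))

        # 2. Application control: only sanctioned binaries write under data roots.
        if (path.startswith(roots) and proc not in sanctioned
                and pid not in unsanctioned_fired):
            unsanctioned_fired.add(pid)
            alerts.append(("unsanctioned-writer", pid, proc, path, ts))

        # 3. Rate guard: N distinct files within M seconds from one pid.
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > m:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= n and pid not in burst_fired:
            burst_fired.add(pid)
            alerts.append(("burst", pid, proc, len(distinct), ts))
    return alerts


# Constructed events: an office app editing two documents over fifteen minutes,
# then an unknown process touching six files across directories in under a second.
EVENTS = """\
1700000000.0 4120 libreoffice /home/alice/Documents/q3 report.odt
1700000120.0 4120 libreoffice /home/alice/Documents/q3 report.odt
1700000300.5 7788 simulator /home/alice/Documents/a.txt
1700000300.6 7788 simulator /home/alice/Documents/b.txt
1700000300.7 7788 simulator /home/alice/Pictures/c.png
1700000300.8 7788 simulator /home/alice/Documents/passwords_backup.docx
1700000300.9 7788 simulator /home/alice/Music/d.mp3
1700000301.0 7788 simulator /home/alice/Documents/e.pdf
1700000900.0 4120 libreoffice /home/alice/Documents/q4 plan.odt
""".splitlines()

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The three checks are deliberately independent so that tuning one does not silence another: the allowlist fires on the first write, the honeyfile fires on a single touch even for an allowlisted process, and the rate guard only needs the pid and a sliding window, so it keeps working when a sanctioned but compromised process does the writing. Each pid is reported once per kind to keep the alert stream readable during a high-throughput run.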

4. Backup & blast-radius controls

Mitigations:

  • Immutable backups and object-lock.
  • Frequent snapshots with segmented privileges to limit exposure.
  • SMB throttling and per-share file modification thresholds.

5. Recovery readiness

Mitigations:

  • Regularly test recovery times (RTO/RPO).
  • Ensure snapshot catalogs are available out-of-band in case main consoles are unavailable.

Safe Usage Guidelines

  • Operate only in isolated, controlled lab networks.
  • Use dummy data — never run against real or sensitive files.
  • Validate and tune defensive tools against simulated behaviors.

License

Licensed under the Apache-2.0 License.

Author

Maintained by Bidhata.
