Skip to content
/ Ransim Public

Ransomware Simulator for testing Blue Team Detections

License

MIT license
35 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

d4rk-d4nph3/Ransim

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
Ransim
Ransim
 
 
Tools
Tools
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Ransim.sln
Ransim.sln
 
 

Repository files navigation

Ransim

Info Info

Ransomware Simulator for testing Blue Team Detections and to tune their sensors.

Description

Inspired from Scythe's article on emulating ransomware.

Disclaimer

This project is meant for educational and research purposes only. I am not responsible for this project being used for malicious purpose.

Build

Compiled in Visual Studio 2019. Download the solution folder and build in Visual Studio with .Net Framework installed.

Preparation

  • Place several dummy files such as documents and pictures in %USERPROFILE%\Reports directory.
  • Ransim only encrypts files in that directory and terminates if it does not find that directory.
  • If the Rclone function is enabled, the files in that directory will be zipped up and exfiltrated to Mega.

Execute

  • Run Ransim as administrator.
  • Disable AV.

Note

You can choose what tasks to skip by commenting the corresponding functions calls in the source code. For example, you can comment out the DisableFirewall() call if you want Ransim to skip disabling Firewall.

Attack Flow of v0.2

  1. Ransim terminates if it was not ran as administrator.
  2. Ransim terminates if it does not find Reports directory in %USERPROFILE% (safety check).
  3. Runs a location check.
  4. Runs enabled functions such as credential dumpers, cobalt strike simulator, etc.
  5. Exfils data to Mega.
  6. Disables services.
  7. Starts encrypting all the files only in the Reports directory.
  8. Upon finishing encrypting all the files in that directory, it downloads the ransom note from pastebin.
  9. Opens that ransom note in notepad.
  10. Deletes itself.

TODO

Add support for following tools:

  • Mimikatz
  • LaZagne
  • ADFind
  • PsExec
  • SharpHound
  • Cobalt Strike
  • PowerView
  • Invoke-Kerberoast
  • Seatbelt
  • Net-GPPPassword
  • Rclone + Mega

Appendix

RClone configuration guide

If you enable the exfil function, Ransim can exfiltrate the data of the Reports directory. Ransim accomplishes this by zipping all the files of the Reports directory to an archive that it subsequently transfers to Mega using RClone.

Just create a free Mega account and download the rclone standalone binary. Then using the free account, create a new remote configuration for Mega. Push that config to your fork. Then, edit the source code so as to use this new config file by Ransim.

Thanks to Carlos for the RSA encryption function.

About

Ransomware Simulator for testing Blue Team Detections

Topics

ransomware-detection ransomware-simulator

Resources

Readme

License

MIT license
Activity

Stars

35 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages