This is an academic simulator built for controlled malware behavior analysis. It cannot spread, persist, or cause harm outside its designated sandbox directory. All development was conducted under instructor supervision within an isolated VM.
This repository contains functional ransomware simulation code. While it is designed to be completely safe when run in a proper isolated environment, improper execution could result in data loss or system compromise.
Do not clone this repository to:
- Your host machine
- A production system
- Any machine containing important data
- Any networked system
Required setup:
- Isolated virtual machine (no network connectivity)
- VM snapshot/backup before execution
- Test data only in the sandbox directory
- Read SAFETY_NOTICE.md completely before proceeding
For detailed safety requirements, risk assessment, and usage guidelines, consult SAFETY_NOTICE.md immediately.
1. Abdelrahman Elshabrawi
2. Mohyaldeen Osman

Kuwait University · College of Life Sciences · Department of Information Science
Course: ISC 353 · Project Phase: Milestone 2 — Core Build
This simulator was designed from the ground up to be safe, controlled, and fully reversible. The following constraints are hard-coded and verified:
| Safety Guarantee | How It Is Enforced |
|---|---|
| Scope-limited | Targets only ./sandbox/test_files/ — enforced by the TARGET_DIR constant at the top of the script |
| No network activity | Zero network imports or socket calls anywhere in the codebase |
| No persistence | No registry edits, no cron jobs, no startup entries, no system modifications |
| No self-propagation | No directory traversal beyond TARGET_DIR; no process spawning |
| Fully reversible | decrypt_files() restores originals byte-for-byte, verified by SHA-256 hash matching |
| Isolated execution | Runs only inside a Kali Linux VM with no host network access |
| Instructor pre-approved | Code was reviewed by the course instructor before the first execution (Milestone 1 evidence on file) |
The simulator is a modular Python application that replicates the core cryptographic behavior of ransomware in a completely safe, sandboxed environment. It serves two purposes:
- Simulate the encryption/decryption lifecycle of a ransomware attack using AES-256-GCM.
- Generate Ground Truth telemetry — behavioral fingerprints (entropy, hashes, timing) that will feed YARA detection rules in Milestone 3.
The codebase is organized around three pillars:
```text
ransomware_pro.py
│
├── Cryptographic Core       → get_key(), encrypt_files(), decrypt_files()
├── Behavioral Metric Engine → calculate_entropy(), get_sha256()
└── Forensic Logger          → log_behavior() → sandbox/logs/behavior_log.json
```
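The Behavioral Metric Engine and Forensic Logger pillars, as an added example written for this README rather than code taken from ransomware_pro.py: it computes the Shannon entropy and SHA-256 digest of a file's bytes before and after an operation, packages them as one JSON line, and implements the byte-for-byte restore check from the safety table as a digest comparison. The entry's field names, the function signatures, and the two sample byte strings are assumptions made for the illustration; the real script's log schema is not shown on this page.

```python
"""Behavioral metric engine and forensic logger, added example (not ransomware_pro.py).

Entry field names, function names and the two sample byte strings are assumptions
made for this illustration; the real script's log schema is not shown in this README.
"""
import hashlib
import json
import math
import time
from collections import Counter

# Constructed samples: repeated ASCII text stands in for a plaintext file; a
# deterministic SHA-256 counter stream (4096 bytes) stands in for ciphertext.
PLAINTEXT_SAMPLE = b"the quick brown fox jumps over the lazy dog\n" * 64
CIPHERTEXT_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)


def calculate_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most.

    English text sits around 4 to 5; AES-GCM output is indistinguishable from
    random bytes and sits just under 8, which is the signal a detector keys on.
    """
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def get_sha256(data: bytes) -> str:
    """Hex SHA-256 digest of the bytes."""
    return hashlib.sha256(data).hexdigest()


def restored_byte_for_byte(original_digest: str, restored: bytes) -> bool:
    """The reversibility check: a decrypted file must hash to its pre-encryption digest."""
    return get_sha256(restored) == original_digest


def fingerprint(name: str, action: str, before: bytes, after: bytes, elapsed_ms: float) -> dict:
    """Build one telemetry entry for a single file operation (assumed schema)."""
    return {
        "file": name,
        "action": action,
        "entropy_before": round(calculate_entropy(before), 4),
        "entropy_after": round(calculate_entropy(after), 4),
        "sha256_before": get_sha256(before),
        "sha256_after": get_sha256(after),
        "elapsed_ms": round(elapsed_ms, 3),
        "timestamp": time.time(),
    }


def log_behavior(entry: dict, log_path: str) -> str:
    """Append the entry as one JSON line (JSON Lines format); returns the line written."""
    line = json.dumps(entry, sort_keys=True)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def demo() -> dict:
    """Fingerprint the constructed plaintext-to-ciphertext transition.

    elapsed_ms is a constructed value: no real file operation is timed here.
    """
    return fingerprint("sample.txt", "encrypt", PLAINTEXT_SAMPLE, CIPHERTEXT_SAMPLE, 1.25)


if __name__ == "__main__":
    entry = demo()
    print(json.dumps(entry, indent=2))
    print("restore check:", restored_byte_for_byte(entry["sha256_before"], PLAINTEXT_SAMPLE))
```

The entropy jump from roughly 4.4 to roughly 7.95 bits per byte on the two constructed samples is the fingerprint the Milestone 3 rules are meant to consume; the digest comparison is the evidence that the decrypt path is a true inverse rather than merely a file that opens.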
```text
project-root/
│
├── ransomware_pro.py          # Main simulator script
├── requirements.txt           # Python dependencies
├── README.md                  # This file
│
└── sandbox/                   # Isolated working environment (VM only)
    ├── test_files/            # Target directory — only files here are touched
    │   ├── sample.txt
    │   ├── sample.txt.locked  # Created after encryption
    │   └── ...
    ├── secret.key             # AES-256 key (auto-generated, stays in sandbox)
    └── logs/
        └── behavior_log.json  # Structured telemetry output
```
Prerequisites: Python 3.8+, running inside an isolated VM. Do not run on a host machine.
```
pip install cryptography
```

Or, if a requirements.txt is present:

```
pip install -r requirements.txt
```

Ensure the target directory exists and contains test files:

```
mkdir -p sandbox/test_files sandbox/logs
cp your_test_files/* sandbox/test_files/
```

Run the simulator:

```
python ransomware_pro.py
```

You will be prompted:

```
Enter 'E' to Encrypt or 'D' to Decrypt:
```

- Press `E` → encrypts all files in `sandbox/test_files/`, appending `.locked` to each
- Press `D` → decrypts all `.locked` files and restores originals

```
cat sandbox/logs/behavior_log.json
```

Each line is a JSON entry capturing the behavioral fingerprint of one file operation.
requirements.txt:

```
cryptography>=41.0.0
```