⚠️ FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY: This project simulates ransomware behavior in a controlled environment. Never run this on systems or files you do not own. See DISCLAIMER.md for full legal notice.
RST (Ransomware Simulation Tool) is an educational cybersecurity project that demonstrates how ransomware works at a technical level, including file discovery, AES-256-CBC encryption, IV handling, and decryption with a password gate.
It is built as a WPF desktop application (C#) with a native C++ DLL that handles all cryptographic operations using the Windows BCrypt API.
This project was created to help cybersecurity students understand:
- How ransomware locates and encrypts target files
- How AES-256-CBC encryption works at the system level
- How attackers use file renaming (`.locked` extension) as a signal
- How defenders can detect and respond to encryption-based attacks
```
┌─────────────────────────────────────┐
│           C# WPF Frontend           │
│  ┌──────────────┐  ┌─────────────┐  │
│  │  MainWindow  │  │AwarenessPage│  │
│  └──────┬───────┘  └─────────────┘  │
│         │                           │
│  ┌──────▼───────┐                   │
│  │  ToolPage    │ ← Encryption UI   │
│  │  + AppConfig │ ← Configuration   │
│  └──────┬───────┘                   │
└─────────┼───────────────────────────┘
          │ P/Invoke (DllImport)
          ▼
┌─────────────────────────────────────┐
│        C++ Native DLL (x64)         │
│  ┌──────────────────────────────┐   │
│  │  dllmain.cpp                 │   │
│  │  ├── EncryptDirectory()      │   │
│  │  └── DecryptDirectory()      │   │
│  ├──────────────────────────────┤   │
│  │  EncryptFileAes.h (BCrypt)   │   │
│  │  DecryptFileAes.h (BCrypt)   │   │
│  │  Search.h (WinAPI FindFile)  │   │
│  └──────────────────────────────┘   │
└─────────────────────────────────────┘
```
| File | Language | Role |
|---|---|---|
| `MainWindow.xaml/.cs` | C# | App shell, sidebar navigation, status bar |
| `Pages/ToolPage.xaml/.cs` | C# | Encryption/Decryption UI, DLL interop |
| `Pages/AwarenessPage.xaml` | C# | Ethical use guidelines page |
| `Modules/AppConfig.cs` | C# | Centralized configuration (paths, extensions, password) |
| `Ransomware-code.dll` | C++ | AES-256-CBC encrypt/decrypt engine (BCrypt API) |
```
1. BCryptOpenAlgorithmProvider → AES / CBC mode
2. BCryptGenRandom → generate random 256-bit key (per session)
3. Walk directory tree with WinAPI FindFirstFile / FindNextFile
4. For each matching file:
   a. Read file content into memory
   b. Apply PKCS#7 padding to align to 16-byte AES block size
   c. BCryptGenRandom → generate random 128-bit IV (per file)
   d. BCryptEncrypt → encrypt with AES-256-CBC
   e. Write to file: [32-byte key][16-byte IV][ciphertext]
   f. Rename file → filename.ext.locked
5. SecureZeroMemory → wipe key from memory
```
```
1. Password check performed in C# (AppConfig.DecryptPassword)
2. If correct → call DecryptDirectoryWithPassword in DLL
3. Walk directory for all *.locked files
4. For each file:
   a. Read first 32 bytes → key
   b. Read next 16 bytes → IV
   c. Read remainder → ciphertext
   d. BCryptDecrypt → decrypt with AES-256-CBC
   e. Strip PKCS#7 padding
   f. Write plaintext back, truncate file
   g. Rename filename.ext.locked → filename.ext
5. SecureZeroMemory → wipe key and IV from memory
```
💡 Educational Note: In this simulation, the AES key is stored inside the encrypted file itself. Real ransomware would send the key to a remote C2 server, making decryption impossible without paying. This design is intentionally safe for simulation.
```
RST-Ransomware-Simulation-Tool/
├── README.md
├── DISCLAIMER.md
├── .gitignore
└── Ransomware_GUI/
    ├── Ransomware_GUI.sln
    ├── Ransomware_GUI.csproj
    ├── App.xaml
    ├── App.xaml.cs
    ├── MainWindow.xaml
    ├── MainWindow.xaml.cs
    ├── alert.png
    ├── Pages/
    │   ├── AwarenessPage.xaml
    │   ├── AwarenessPage.xaml.cs
    │   ├── ToolPage.xaml
    │   └── ToolPage.xaml.cs
    ├── AppConfig.cs
    └── /bin/Debug/net8.0-windows/Module    ← DLL goes here (see Setup)
        └── Ransomware-code.dll
```
Before running, edit Modules/AppConfig.cs to match your environment:
```csharp
public static class AppConfig
{
    // Folder to simulate encryption on (USE A TEST FOLDER!)
    public static string TargetPath { get; set; } =
        @"C:\Your\Test\Folder";

    // Subfolder that will NEVER be encrypted (safe zone)
    public static string ExceptionPath { get; set; } =
        @"C:\Your\Test\Folder\safe";

    // File extensions to target
    public static string[] Extensions { get; set; } =
    {
        "*.pdf", "*.txt", "*.docx", "*.xlsx",
        "*.jpg", "*.jpeg", "*.png", "*.json",
        "*.xml", "*.log", "*.py", "*.bat"
    };

    // Password required to decrypt (simulation only)
    public static string DecryptPassword { get; set; } =
        "simulation123";
}
```

⚠️ Always point `TargetPath` to a dedicated test folder with dummy files, never to real documents.
- Windows 10/11 (x64)
- Visual Studio 2022 with:
  - `.NET Desktop Development` workload
  - `Desktop development with C++` workload
- .NET 8 (or as targeted in the project)
```
git clone https://github.com/YourUsername/RST-Ransomware-Simulation-Tool.git
cd RST-Ransomware-Simulation-Tool
```

Copy the prebuilt `Ransomware-code.dll` into:
`Ransomware_GUI/Module/Ransomware-code.dll`
The DLL must be compiled as x64. The WPF project must also target x64.
Open Modules/AppConfig.cs and set TargetPath and ExceptionPath to your test folder.
Visual Studio → Build → Build Solution (Ctrl+Shift+B)
Make sure Platform Target = x64 in:
Project Properties → Build → Platform Target → x64
F5 or Debug → Start Debugging
On launch, the app will immediately encrypt the configured TargetPath.
Use the Decrypt button and enter simulation123 to restore files.
| Element | Description |
|---|---|
| Target Path | Shows the configured directory being encrypted |
| Extensions | Lists all file types targeted |
| Output Log | Live log with timestamps of every action |
| Decrypt Button | Opens password prompt to restore files |
Contains the ethical use guidelines and legal warning, built directly into the app to remind users of responsible use every time they open it.
| Topic | Detail |
|---|---|
| AES-256-CBC | How symmetric block cipher encryption works |
| IV Randomness | Why a unique IV per file prevents pattern analysis |
| PKCS#7 Padding | How data is aligned to block boundaries |
| WinAPI File I/O | CreateFileW, ReadFile, WriteFile, SetEndOfFile |
| BCrypt API | Windows-native crypto via bcrypt.lib |
| Directory Traversal | Recursive file discovery with FindFirstFile |
| SecureZeroMemory | Wiping sensitive data from memory after use |
| P/Invoke Interop | Calling native C++ DLL exports from C# |
| Exception Paths | Protecting specific folders from encryption |
| Defender Perspective | Understanding what security tools detect |
```
┌──────────────────┬──────────────────┬──────────────────────────────┐
│     AES Key      │        IV        │          Ciphertext          │
│     32 bytes     │     16 bytes     │       N bytes (padded)       │
└──────────────────┴──────────────────┴──────────────────────────────┘
```
Files are matched using WinAPI wildcard patterns (*.pdf, *.txt, etc.) passed from C# as a wchar_t** array via P/Invoke.
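The `[32-byte key][16-byte IV][ciphertext]` layout above gives a responder a structural check for `.locked` files found during triage. The script below is an added example, not part of the RST project; its function names and the sample files it builds are constructed for illustration.

```python
import hashlib, math, tempfile
from collections import Counter
from pathlib import Path

KEY_LEN, IV_LEN, BLOCK = 32, 16, 16      # layout stated in the README
HEADER_LEN = KEY_LEN + IV_LEN

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 would be uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(path: Path) -> dict:
    """Check one file against [32-byte key][16-byte IV][padded ciphertext]."""
    blob = path.read_bytes()
    body = blob[HEADER_LEN:]
    problems = []
    if len(blob) < HEADER_LEN + BLOCK:
        problems.append("too short for header plus one padded block")
    elif len(body) % BLOCK:
        problems.append("ciphertext length is not a multiple of 16")
    ok = not problems
    return {
        "file": path.name,
        "layout_ok": ok,
        "problems": problems,
        "key_hex": blob[:KEY_LEN].hex() if ok else None,          # embedded key
        "iv_hex": blob[KEY_LEN:HEADER_LEN].hex() if ok else None,  # per-file IV
        "ciphertext_len": len(body),
        "entropy": round(entropy_bits(body), 2),  # low value hints at a renamed plain file
    }

def scan(root: Path) -> list[dict]:
    """Triage every *.locked file under root, sorted by file name."""
    return sorted((triage(p) for p in root.rglob("*.locked")), key=lambda r: r["file"])

def build_samples(root: Path) -> None:
    """Constructed sample data: one well-formed file, one plain file that was only renamed."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # 256 bytes
    (root / "report.pdf.locked").write_bytes(stream[:208])  # 32 + 16 + 160 bytes
    (root / "notes.txt.locked").write_bytes(b"plain text that was only renamed, never encrypted.\n" * 3)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        for row in scan(Path(tmp)):
            print(row)
```

A file that passes the length checks but shows low entropy deserves a second look, since block alignment alone can occur by chance in an unencrypted file.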
This tool is strictly for:
- ✅ Personal cybersecurity education
- ✅ Isolated lab/VM environments
- ✅ Academic research and coursework
- ✅ Understanding defensive security
Never use on:
- ❌ Systems you do not own
- ❌ Files belonging to others
- ❌ Production environments
- ❌ Any real-world attack scenario
Misuse of this tool may violate computer fraud laws in your country and result in criminal liability.
Khalid
- GitHub: @khalid609
- Gmail: khalid609abu.kaf@gmail.com
This project is released for educational use only. No warranty is provided. Use entirely at your own risk.