> [!CAUTION]
> Educational and authorised testing only. This tool is a ransomware simulator built for purple team exercises. It does not contain real ransomware, does not exfiltrate data, and does not communicate with any external server. You are responsible for obtaining written authorisation before running it in any environment. Misuse of this tool may violate computer misuse laws in your jurisdiction.
Generates realistic dummy corporate files, then encrypts them with ChaCha8, renames them to .dragonforce_encrypted, and drops a ransom note. Built to trigger EDR ransomware heuristics without touching real data.
- Quick Start
- Overview
- DragonForce TTP Mapping
- How It Works
- Usage
- Demo Output
- What It Does NOT Do
- Use Cases
- Detection Opportunities
- Security & Authorised Use
- License
## Quick Start

```powershell
git clone https://github.com/harr-sudo/RansomSim.git
cd RansomSim
csc.exe RansomSim.cs
.\RansomSim.exe setup C:\RansomTest
.\RansomSim.exe encrypt C:\RansomTest
```

## Overview

RansomSim is a single-file C# tool that replicates the observable behaviours of a ransomware attack against a controlled directory of dummy files. It exists so that purple teams can test whether their EDR, SIEM, and SOC processes detect and respond to ransomware-like activity without risking real data.
The tool operates in two phases. Setup populates a target directory with 500 realistic dummy corporate files (financial reports, HR records, legal documents, invoices) spread across six department subdirectories. Encrypt then processes those files with ChaCha8 stream cipher encryption, renames each file with a .dragonforce_encrypted extension, and drops a ransom note in every directory.
The encryption keys are generated randomly per file and immediately discarded. There is no key exfiltration, no recovery mechanism, and no external communication. The files are gone by design. This is a detection test, not a recovery test.
## DragonForce TTP Mapping

This simulator was built to replicate the file-encryption stage of the DragonForce ransomware group's attack chain. The behaviours are mapped directly from observed DragonForce TTPs.

| Behaviour | DragonForce TTP | MITRE ATT&CK | RansomSim Implementation |
|---|---|---|---|
| File encryption | ChaCha8 variant (Conti v3 fork) | T1486 - Data Encrypted for Impact | ChaCha8 stream cipher, per-file random key + nonce |
| Extension rename | `.dragonforce_encrypted` | T1486 | Files renamed to `<original>.dragonforce_encrypted` |
| Ransom note drop | `--IMPORTANT--README--.TXT` per directory | T1486 | Identical note dropped in the target root and every subdirectory |
| Rapid file enumeration | Burst pattern across local drives | T1083 - File and Directory Discovery | Sequential enumeration of all files in target tree |
| Multi-threaded I/O | Parallel encryption threads for speed | T1486 | 4 worker threads partitioning the file list |
| File magic bytes | Targets common office formats | T1486 | Setup phase writes correct magic bytes (.docx/.xlsx = PK header, .pdf = %PDF-1.7) |
- DragonForce uses a Conti v3 fork with ChaCha8 encryption. The rapid file enumeration and mass write operations generate a distinct I/O burst pattern that EDR ransomware heuristics are designed to catch.
- The `.dragonforce_encrypted` extension and `--IMPORTANT--README--.TXT` ransom note filename are directly observed DragonForce indicators.
- DragonForce targets local drives and accessible network shares. This simulator is scoped to a single controlled directory to avoid collateral impact.
## How It Works

### Setup phase

Creates 500 dummy files across 6 department subdirectories (Finance/, HR/, Legal/, IT/, Operations/, Risk/). Each file contains realistic corporate content generated from templates (financial summaries, meeting notes, invoices, risk register entries, HR records). Files are written with correct magic bytes for their extension type. Every 10th file is padded to 50-200KB to vary the I/O profile. Files are created with a 720ms delay between each (500 files, so roughly 6 minutes in total) to avoid triggering write-burst alerts during setup.

### Encrypt phase

Reads every file in the target tree, encrypts the contents with ChaCha8 using a random 32-byte key and 12-byte nonce per file, overwrites the original, renames it to `.dragonforce_encrypted`, and drops a ransom note. The work is split across 4 threads. Keys are generated from System.Random seeded with Guid.NewGuid() and are never saved or transmitted. System.Random is not a cryptographically secure generator, and that does not matter here: the goal is to make the files irrecoverable and to produce ransomware-shaped telemetry, not to produce keys that would withstand analysis. Treat the encrypt phase as destructive of everything under the target path.
### Safety constraints

- OneDrive check. If the target path contains "OneDrive", the tool exits immediately.
- No network activity. The tool makes zero network connections. No DNS, no HTTP, no C2.
- No persistence. Nothing is written to the registry, startup folders, or scheduled tasks.
- No privilege escalation. Runs entirely as the current user.
- Scoped target. Only processes files inside the directory you point it at.
## Usage

### Compile

```powershell
csc.exe RansomSim.cs
```

csc.exe ships with the .NET Framework (typically under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\) and is not on PATH by default, so give the full path if the command is not found. Or with the .NET SDK:

```powershell
dotnet-csc RansomSim.cs -out:RansomSim.exe
```

### Phase 1: setup

```powershell
.\RansomSim.exe setup C:\RansomTest
```

This creates C:\RansomTest\ with 500 files across 6 subdirectories. Takes approximately 6 minutes (720ms delay per file).

### Phase 2: encrypt

```powershell
.\RansomSim.exe encrypt C:\RansomTest
```

This encrypts all 500 files, renames them, and drops ransom notes. Runs multi-threaded and completes in seconds.

### Cleanup

Delete the target directory after testing:

```powershell
Remove-Item -Recurse -Force C:\RansomTest
```

## Demo Output

Setup phase:

```
[*] Mode : setup
[*] Target : C:\RansomTest
[*] Files : 500 across 6 subdirectories (~360 seconds)
[*] Started : 2026-03-15 09:30:00
[*] Created: C:\RansomTest\Finance
[*] Created: C:\RansomTest\HR
[*] Created: C:\RansomTest\Legal
[*] Created: C:\RansomTest\IT
[*] Created: C:\RansomTest\Operations
[*] Created: C:\RansomTest\Risk
[*] Filename preview:
[*] HR\Employee_Handbook_v3_001.pdf
[*] Legal\NDA_Template_v2_002.xlsx
[*] IT\Network_Diagram_v4_003.txt
[*] Operations\Risk_Register_2026_004.csv
[*] Risk\Risk_Assessment_Q1_005.docx
[*] Finance\Q1_Budget_Review_006.pdf
[+] 100/500 files created — 400 remaining
[+] 200/500 files created — 300 remaining
[+] 300/500 files created — 200 remaining
[+] 400/500 files created — 100 remaining
[+] 500/500 files created — 0 remaining
[+] Setup complete — 500 files ready in: C:\RansomTest
[+] Finished : 2026-03-15 09:36:00
```

Encrypt phase:

```
[*] Mode : encrypt
[*] Target : C:\RansomTest
[*] Threads : 4
[*] Actions : ChaCha8 encrypt, rename to .dragonforce_encrypted, drop ransom note per directory
[*] Started : 2026-03-15 09:40:00
[*] Thread 1 starting — 125 files assigned
[*] Thread 2 starting — 125 files assigned
[*] Thread 3 starting — 125 files assigned
[*] Thread 4 starting — 125 files assigned
[+] 100/500 files encrypted
[+] 200/500 files encrypted
[+] 300/500 files encrypted
[+] 400/500 files encrypted
[+] 500/500 files encrypted
[+] Done — 500 files encrypted, ransom note dropped in 7 directories.
[+] Duration : 2.34 seconds
[+] Finished : 2026-03-15 09:40:02
```
Resulting directory layout (root plus six subdirectories, a note in each):

```
C:\RansomTest\
├── --IMPORTANT--README--.TXT
├── Finance\
│   ├── --IMPORTANT--README--.TXT
│   ├── Q1_Budget_Review_006.pdf.dragonforce_encrypted
│   ├── Q2_Budget_Review_012.xlsx.dragonforce_encrypted
│   ├── ...
├── HR\
│   ├── --IMPORTANT--README--.TXT
│   ├── Employee_Handbook_v3_001.pdf.dragonforce_encrypted
│   ├── ...
├── Legal\
│   ├── --IMPORTANT--README--.TXT
│   ├── ...
├── IT\
│   ├── ...
├── Operations\
│   ├── ...
└── Risk\
    ├── --IMPORTANT--README--.TXT
    └── ...
```
Ransom note contents:

```
YOUR FILES HAVE BEEN ENCRYPTED BY DRAGONFORCE
All your documents, databases and backups have been encrypted.
To recover your files contact: support@dragonforce.onion
DO NOT attempt to decrypt files yourself — permanent data loss will result.
```
## What It Does NOT Do

| Capability | RansomSim | Real Ransomware |
|---|---|---|
| Encrypt real user data | No. Only touches the directory you specify. | Yes. Targets local drives, network shares, backups. |
| Exfiltrate encryption keys | No. Keys are random, per-file, and discarded. | Yes. Keys sent to C2 for ransom negotiation. |
| Contact a C2 server | No. Zero network activity. | Yes. Phones home for key exchange and status. |
| Spread laterally | No. Single-host, single-directory. | Yes. SMB, RDP, PsExec to other hosts. |
| Establish persistence | No. No registry, no scheduled tasks, no services. | Yes. Multiple persistence mechanisms. |
| Escalate privileges | No. Runs as current user only. | Yes. Kernel exploits, token manipulation. |
| Disable security tools | No. Makes no attempt to tamper with EDR/AV. | Yes. BYOVD, service kills, safe mode boot. |
| Delete shadow copies | No. | Yes. vssadmin delete shadows /all /quiet |
| Encrypt network shares | No. Local directory only. | Yes. UNC path enumeration and encryption. |
## Use Cases

**EDR ransomware heuristic testing.** Does your endpoint protection detect rapid file encryption, mass extension renames, and ransom note drops? Run the encrypt phase and check whether MDE, CrowdStrike, SentinelOne, or your EDR of choice fires a ransomware behavioural alert. Expect the response to be automated on many stacks: the encrypt phase may be killed part-way through, the binary quarantined, or the host isolated, all of which are results worth recording rather than failures of the exercise.

**SOC alert triage.** Give your SOC a realistic ransomware alert to triage. Measure time-to-detect, time-to-escalate, and time-to-contain. The simulator generates the same telemetry patterns as a real incident without the real impact.

**Controlled Folder Access (CFA) validation.** Windows Controlled Folder Access should block unauthorised applications from modifying files in protected folders. CFA only covers folders on its protected list, so add the target directory to that list first (the Add-MpPreference cmdlet's ControlledFolderAccessProtectedFolders parameter does this), then point the simulator at it and confirm the encrypt phase is blocked and the block is logged.

**Purple team exercise cards.** Use as the execution tool for MITRE T1486 test cards in structured purple team exercises. The two-phase design lets you set up files in advance and trigger the encryption during a live exercise window.
## Detection Opportunities

These are the telemetry signals the simulator is designed to generate. Use them to validate your detection stack.

| Layer | What to look for |
|---|---|
| EDR / MDE | Ransomware behavioural alert (mass file modification + extension rename pattern) |
| EDR / MDE | Suspicious file rename activity (bulk `.dragonforce_encrypted` renames) |
| EDR / MDE | Ransom note file creation (`--IMPORTANT--README--.TXT`) |
| SIEM | High-entropy file write burst from a single process |
| SIEM | File creation/modification rate anomaly (500 writes in seconds) |
| Windows | Controlled Folder Access block event (Event ID 1123 in the Microsoft-Windows-Windows Defender/Operational log) |
| Windows | Defender AV detection of the compiled binary. SmartScreen only evaluates files carrying Mark-of-the-Web, so a locally compiled RansomSim.exe will not normally trigger it, and AMSI targets scripts and in-memory assembly loads rather than an executable started from disk |
| SOC process | Ransomware playbook activation, escalation to incident commander |
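The EDR and SIEM rows of the table, turned into detection logic over constructed file-event telemetry. This is an added example, not part of RansomSim or of any EDR product; the log rows, host name, PIDs, image paths and thresholds are invented for illustration. It scores each process on three independent signals (many renames that all add the same new extension inside a short window, the same filename created in several directories or the known note name appearing, and a write-rate burst) and only raises when two coincide, which is what keeps a backup job that writes hundreds of files without renaming any from paging the on-call analyst.

```python
import ntpath  # the telemetry carries Windows paths, so parse them as such even on a Linux SIEM host
from collections import defaultdict
from datetime import datetime, timedelta

NOTE_NAME = "--IMPORTANT--README--.TXT"      # known DragonForce indicator from the TTP table
EXT_THRESHOLD, NOTE_DIRS, WRITE_RATE = 10, 3, 20  # illustrative thresholds; tune to your estate


def build_sample_log():
    """Constructed file-event rows, not real EDR output: (timestamp, host, pid, image, op, path, new_path)."""
    t0 = datetime(2026, 3, 15, 9, 40, 0)
    sim = ("WS01", "4412", r"C:\Tools\RansomSim.exe")
    depts = ["Finance", "HR", "Legal", "IT"]
    rows = []
    for i in range(20):  # simulator: overwrite then rename, a few milliseconds apart
        src = rf"C:\RansomTest\{depts[i % 4]}\Doc_{i:03d}.docx"
        ts = t0 + timedelta(milliseconds=5 * i)
        rows.append((ts, *sim, "write", src, ""))
        rows.append((ts + timedelta(milliseconds=1), *sim, "rename", src, src + ".dragonforce_encrypted"))
    for j, d in enumerate([r"C:\RansomTest"] + [rf"C:\RansomTest\{x}" for x in depts]):
        rows.append((t0 + timedelta(milliseconds=200 + j), *sim, "create", d + "\\" + NOTE_NAME, ""))
    # benign noise: a user renaming one file, and a backup job writing many files without renaming any
    rows.append((t0 + timedelta(seconds=1), "WS01", "2200", r"C:\Windows\explorer.exe",
                 "rename", r"C:\Users\alice\notes.txt", r"C:\Users\alice\notes_old.txt"))
    for i in range(30):
        rows.append((t0 + timedelta(seconds=2, milliseconds=10 * i), "WS01", "3100",
                     r"C:\Windows\System32\Robocopy.exe", "write", rf"D:\Backup\file_{i:03d}.bak", ""))
    return rows


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def signals_per_process(rows, window=timedelta(seconds=10)):
    """Evaluate the rename-pattern, note-drop and write-burst rules per (host, pid, image)."""
    by_proc = defaultdict(list)
    for r in rows:
        by_proc[r[1:4]].append(r)
    result = {}
    for proc, evs in by_proc.items():
        signals = []
        # Rule 1: a burst of renames that all add the same new extension (bulk .dragonforce_encrypted renames)
        added_ext = defaultdict(list)
        for e in evs:
            if e[4] == "rename":
                old, new = ntpath.splitext(e[5])[1].lower(), ntpath.splitext(e[6])[1].lower()
                if new and new != old:
                    added_ext[new].append(e[0])
        for ext, ts in added_ext.items():
            if max_in_window(ts, window) >= EXT_THRESHOLD:
                signals.append(("mass_extension_rename", ext))
        # Rule 2: the same filename created in several directories, or the known note name anywhere
        dirs_by_name = defaultdict(set)
        for e in evs:
            if e[4] == "create":
                dirs_by_name[ntpath.basename(e[5]).upper()].add(ntpath.dirname(e[5]))
        for name, dirs in dirs_by_name.items():
            if len(dirs) >= NOTE_DIRS or name == NOTE_NAME:
                signals.append(("ransom_note_drop", name))
        # Rule 3: write-rate anomaly; noisy on its own (backup jobs), so it only counts alongside another signal
        if max_in_window([e[0] for e in evs if e[4] == "write"], timedelta(seconds=1)) >= WRITE_RATE:
            signals.append(("write_burst", None))
        result[proc] = signals
    return result


def alerts(rows):
    """Raise only where at least two independent signals coincide on one process."""
    return {proc: s for proc, s in signals_per_process(rows).items() if len(s) >= 2}


if __name__ == "__main__":
    for proc, s in alerts(build_sample_log()).items():
        print(proc, [name for name, _ in s])
```

Rule 1 deliberately keys on "same extension appended to many files" rather than on the literal `.dragonforce_encrypted` string, so it still fires when the next group changes its extension; the known note name in rule 2 is the one place where a static indicator earns its keep.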
## Security & Authorised Use

This tool is released for educational and authorised security testing purposes only. It is intended for use by red teams, purple teams, and security professionals operating under a formal scope of work or rules of engagement.
Before running this tool you must have:
- Written authorisation from the system owner
- A defined scope limiting the target directory
- An incident response plan in case the exercise triggers automated containment
- Confirmation that the target directory contains no real data
The author accepts no responsibility for misuse. If you are unsure whether you have authorisation, you do not have authorisation.