Ransomware Simulator
Users of Core Impact can now efficiently simulate a ransomware attack using an automated Rapid Pen Test (RPT). Given the close association between ransomware and phishing campaigns, the simulator can easily be paired with a phishing campaign RPT for deployment. From there, security teams are able to mimic the behavior of multiple ransomware families, encrypting user-specified files with a fully reversible symmetric key. They can also exfiltrate files to establish which mission-critical data is most at risk once the initial breach is complete.
Additionally, if enabled, the ransomware simulator offers an automatic rollback after a set amount of time, restoring the environment to the state it was in before the attack. While the files remain encrypted, defensive tooling has a window in which to detect the activity and trigger corrective actions.
Finally, Core Impact’s ransomware simulator reproduces the defining move of most ransomware strains: the ransom note. Security teams can create and leave an explanatory README file once the exercise has been completed. This file informs a user that they have experienced a ransomware scenario and can prompt them to contact the security team or follow other next steps, such as further training on ransomware and how it can get into your system.
This module accepts a path to a folder to encrypt and runs the encryption on a given target. As any ransomware would, it lets the operator choose whether to rename the encrypted files, whether to exfiltrate data, and how to customize the delivered README file. This module can be run automatically after the installation of an Agent to make the attack more realistic, or as part of a macro.
Parameters
FOLDER TO ENCRYPT - Remote folder whose files will be encrypted.
RENAME FILES - If enabled, the module renames the files in the target directory on the victim machine, adding the extension .1mp4ct, to replicate the behavior many ransomware families exhibit.
Automatic Decryption/AUTOMATICALLY DECRYPT - If enabled, the module first encrypts the files and decrypts them afterwards, to validate whether the AV or EDR detected that behavior.
Automatic Decryption/DELAY TO DECRYPT - Time, in seconds, that the files remain encrypted.
Exfiltration/AUTOMATICALLY EXFILTRATE DATA - If enabled, the files in the folder are downloaded to the Core Impact server.
Exfiltration/DESTINATION FOLDER - Local folder where the exfiltrated files are downloaded.
Readme/LEAVE README - If enabled, the module leaves a README_Ransomware.txt file in the target directory on the victim machine to replicate the behavior many ransomware families exhibit.
Readme/README FILE - Readme file to be left on the target. If no file is provided, a default one is used when LEAVE README is enabled.
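The parameters above describe what the simulation leaves visible on the victim machine: a burst of renames to the .1mp4ct extension, a README_Ransomware.txt drop, and, when AUTOMATICALLY DECRYPT is on, the renames back once DELAY TO DECRYPT elapses. The following detection script is an added example written for this page, not Core Impact's own code; it assumes a simple whitespace-delimited file-audit log format (constructed here, with no spaces in paths) and a threshold of five renames within sixty seconds, both of which are assumptions a real deployment would tune.

```python
"""Flag the observable footprint of the ransomware simulator in file-audit events.

Rules (all derived from the module parameters):
  mass_rename_1mp4ct  - >= threshold renames to .1mp4ct on one host inside a window
  ransom_note_dropped - README_Ransomware.txt created
  rollback_observed   - files renamed back from .1mp4ct (automatic decryption ran)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SIM_EXTENSION = ".1mp4ct"             # extension appended by the RENAME FILES option
SIM_README = "README_Ransomware.txt"  # file dropped by the LEAVE README option

# Constructed sample events. The format is an assumption for this example:
#   "<ISO timestamp> <host> <action> <path>"  or  "... RENAME <old> -> <new>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws01 CREATE C:\\Share\\Finance\\q1.xlsx
2024-05-01T10:02:01 ws01 RENAME C:\\Share\\Finance\\q1.xlsx -> C:\\Share\\Finance\\q1.xlsx.1mp4ct
2024-05-01T10:02:01 ws01 RENAME C:\\Share\\Finance\\q2.xlsx -> C:\\Share\\Finance\\q2.xlsx.1mp4ct
2024-05-01T10:02:02 ws01 RENAME C:\\Share\\Finance\\budget.docx -> C:\\Share\\Finance\\budget.docx.1mp4ct
2024-05-01T10:02:02 ws01 RENAME C:\\Share\\Finance\\notes.txt -> C:\\Share\\Finance\\notes.txt.1mp4ct
2024-05-01T10:02:03 ws01 RENAME C:\\Share\\Finance\\plan.pdf -> C:\\Share\\Finance\\plan.pdf.1mp4ct
2024-05-01T10:02:03 ws01 CREATE C:\\Share\\Finance\\README_Ransomware.txt
2024-05-01T10:05:00 ws02 RENAME C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx
2024-05-01T10:07:03 ws01 RENAME C:\\Share\\Finance\\q1.xlsx.1mp4ct -> C:\\Share\\Finance\\q1.xlsx
2024-05-01T10:07:03 ws01 RENAME C:\\Share\\Finance\\q2.xlsx.1mp4ct -> C:\\Share\\Finance\\q2.xlsx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse_events(text):
    """Yield (timestamp, host, action, src_path, dst_path); dst_path is None unless RENAME."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        ts, host, action, rest = m.groups()
        if action == "RENAME" and " -> " in rest:
            src, dst = rest.split(" -> ", 1)
        else:
            src, dst = rest, None
        yield datetime.fromisoformat(ts), host, action, src, dst


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alert dicts, in the order the evidence appears in the log."""
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of renames to SIM_EXTENSION
    burst_reported = set()       # one mass-rename alert per host
    restored = defaultdict(int)  # host -> count of renames back from SIM_EXTENSION

    for ts, host, action, src, dst in parse_events(log_text):
        if action == "RENAME" and dst and dst.endswith(SIM_EXTENSION):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and host not in burst_reported:
                burst_reported.add(host)
                alerts.append({"host": host, "rule": "mass_rename_1mp4ct",
                               "at": ts.isoformat(), "count": len(q)})
        elif action == "CREATE" and basename(src) == SIM_README:
            alerts.append({"host": host, "rule": "ransom_note_dropped",
                           "at": ts.isoformat(), "path": src})
        elif action == "RENAME" and src.endswith(SIM_EXTENSION) and dst \
                and not dst.endswith(SIM_EXTENSION):
            restored[host] += 1

    # After the automatic rollback the files look untouched on disk, so the
    # rename-back events are the only remaining evidence; report them as well.
    for host, n in restored.items():
        alerts.append({"host": host, "rule": "rollback_observed", "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign rename on ws02 produces no alert because the detector keys on the simulator's fixed extension rather than on renames in general; the rollback rule exists because once DELAY TO DECRYPT expires the encrypted files are gone and only the audit trail shows the exercise happened.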
You can see Core Impact’s ransomware simulation in action in the overview video below:
Additionally, Outflank Security Tooling's Fake Ransom complements Core Impact's ransomware simulator, enhancing its authenticity to better test incident response.