A professional, education-focused ransomware behavior simulator built with Python and PySide6.
This project demonstrates the ransomware attack lifecycle visually without performing any real encryption. It is designed for cybersecurity awareness sessions, demos, and classroom training.
The simulator helps demonstrate:
- How ransomware discovers and processes victim files
- How attack progress appears from both attacker and victim views
- Why backups and incident response processes are critical
- How recovery can be performed in a controlled scenario
This project is intentionally safe.
- No cryptographic encryption is applied to file contents
- No scanning of user home folders or external paths
- No modifications outside
demo_victim_files/ - "Encryption" is simulated by renaming files with
.locked - "Decryption" is simulated by renaming files back to original names
- Python 3.10+
- PySide6 (GUI)
threading(simulation flow)sqlite3(attack timeline logs)pathlib/os(filesystem operations)psutil(system telemetry panel)
- Status panel with files found, files encrypted, progress, and countdown
- Terminal-style attack feed
- Timeline log panel for event history
- Victim system information (computer name, OS, username, CPU, memory)
- Custom computer/network propagation graphics
- Animated links and packet movement
- Live infection-state visualization tied to attack progress
- Two-pane explorer layout:
- Left: folder navigation tree
- Right: detail grid (Name, Type, Status, Path)
- System-style folder/file icons
- File-type color cues
- Lock/unlock status updates in real time during attack and recovery
- Full-screen Windows-style ransom interface
- Countdown timer and wallet info
- Button:
Pay Ransome & get decryption key - Key display/input workflow
- Key validation required before decryption simulation starts
- Decrypt flow restores all
.lockedfiles - Demo controls include:
- Start Attack
- Pause/Resume Simulation
- Reset Demo
- Decrypt Files
- Generate New Victim Files
- Structured timeline event logging to SQLite
- Useful for replay, reporting, and educational walkthroughs
ransomware_simulator/
main.py
simulator.py
file_generator.py
encryption_simulator.py
recovery_engine.py
system_info.py
database.py
requirements.txt
ui/
dashboard.py
controls.py
ransom_screen.py
computer_graphics.py
victim_explorer.py
demo_victim_files/
database/
events.db
- Generate 30-50 demo files across subfolders (Documents/Pictures/Finance/Work/Personal)
- Start attack simulation
- Discover files recursively under
demo_victim_files/ - Simulate encryption by renaming files to
.lockedwith realistic delays - Create
READ_ME_NOW.txt - Show ransom screen
- Simulate payment to generate a decryption key
- Submit valid key to trigger decryption simulation
- Restore file names back to original
- Create/activate a Python environment
- Install dependencies:
pip install -r requirements.txtFrom the ransomware_simulator folder:
python main.pyDatabase file:
database/events.db
Table:
events
Columns:
id(INTEGER PRIMARY KEY AUTOINCREMENT)timestamp(TEXT)event_type(TEXT)description(TEXT)
Common event types include:
ATTACK_STARTEDFILE_DISCOVEREDFAKE_KEY_GENERATEDFILE_ENCRYPTEDRANSOM_NOTE_CREATEDPAYMENT_CONFIRMEDDECRYPTION_KEY_ISSUEDKEY_ACCEPTEDRECOVERY_STARTEDFILE_RESTOREDRECOVERY_COMPLETED
Only this folder is ever modified:
demo_victim_files/
Nothing outside that folder is targeted by simulation logic.
- If launch fails, verify you are in the correct folder before running
python main.py - If dependencies are missing, rerun
pip install -r requirements.txt - If a previous run was interrupted, use Reset Demo to regenerate a clean victim state
This software is for authorized cybersecurity education and training only. Do not use it to imitate or facilitate malicious activity on real systems.