This documentation provides a comprehensive overview of GhostShot, a framework designed for security researchers and system administrators to simulate ransomware behavior in controlled environments.
Important
DISCLAIMER: This tool is strictly for educational purposes and authorized security testing. Unauthorized use of this tool against systems without explicit permission is illegal and unethical. The author is not responsible for any misuse or damage caused by this software.
GhostShot is a modular ransomware simulation suite. Its primary goal is to help defenders understand the lifecycle of an encryption attack—from file discovery and encryption to Command & Control (C2) communication—thereby enabling the development of better detection signatures and recovery strategies.
The setup process automates the environment configuration, including Python virtual environments and necessary system dependencies like Docker and Go.
-
Clone the Repository:
git clone http://[your-repo-link]/GhostShot.git cd GhostShot -
Initialize Environment:
The
setup.shscript handles the installation of the Python environment, Go (Golang), and Docker. It also initializes the Go project and manages library versions.chmod +x setup.sh ./setup.sh
-
Activate Environment and Run:
source ./venv/bin/activate python FileGenerator.py # Generate test data first python GhostShot.py # Launch the main simulator
Before running a simulation, you need a target dataset. This script populates a directory with dummy data to ensure no real files are harmed during the test.
-
Functionality: Generates dummy information files.
-
Configuration: Folder name and file count are configurable at the start of the script.
This is the main interaction script providing a menu-driven interface for simulation tasks.
-
Process: User inputs a target folder path and a custom password.
-
Mechanism: Uses AES Cipher in CFB mode.
-
Logging: Password and path details are appended to
GhostShot_Output/pass&path.txt. -
Challenges & Solutions:
-
Variable Key Lengths: To ensure a valid 32-byte key regardless of password length, the tool uses a SHA-256 hash of the user password.
-
Recursive Encryption Prevention: To avoid encrypting a file twice, the tool appends a suffix (e.g.,
important.txt.hacked).
-
-
Process: Reverses the AES-CFB encryption using the provided password.
-
Challenge: Ensuring data integrity. If a user manually modifies an encrypted file before decryption, the tool reports a "failed count" but will not attempt a corrupted recovery to prevent further data loss.
-
Functionality: Simulates the exfiltration phase (Double Extortion).
-
Mechanism: Establishes a TCP Socket Stream to a specified IP/Port.
-
Challenge: Separating file data in a stream. The solution implements a "Connection per File" protocol to maintain file integrity during transfer.
GhostShot can compile a standalone ransomware binary written in Go. Go was selected for its cross-compilation capabilities and ease of GUI implementation (using libraries like Fyne).
To simulate modern, sophisticated ransomware, the generator utilizes a Hybrid Encryption scheme.
| Challenge 😐 | Technical Solution 😏 |
|---|---|
| Offline Encryption: How to encrypt without sending the key to a server immediately? | RSA (Asymmetric): Generate an RSA key pair. The public key is embedded in the binary to encrypt the session keys. |
| Performance: RSA is too slow for large files. | AES-GCM (Symmetric): Use AES-GCM for the actual file data for high speed and integrity. |
| Memory Forensics: Recovery of the AES key from RAM. | One Key Per File: Every file is encrypted with a unique AES key. These keys are then encrypted with RSA and stored in AllKey.txt. |
| System Stability: Avoiding OS "bricking" (which prevents the victim from paying). | Exclusion List: The engine skips .dll, .log, .mui, and AllKey.txt files to keep the OS functional. |
This script acts as the receiver for exfiltrated data and session keys.
-
Operation: Listens on a specified IP/Port for incoming TCP connections.
-
Protocol Logic: To handle file metadata correctly, the server follows a two-step receive process:
-
Header: The client sends the filename first.
-
Payload: The client then streams the file content.
-
-
Dynamic Generation: The Ransomware Generator allows the user to configure unique C2 IP addresses, ports, and RSA keys for each binary to simulate different "campaigns."
Distributed under the TOE license. See LICENSE for more information.