Ransomware Behaviour Simulation & Prevention – Sandbox, Detect, Block, Recover
Safely simulate ransomware-like encryption, monitor filesystem events, detect mass-encrypt behavior, and auto-prevent damage with backups and process blocking — all in a controlled lab.
- ✓Sandboxed AES/XOR encryption demo (no real system risk)
- ✓Real-time behavior detection (rename rate, extension bursts)
- ✓Automatic kill + quarantine + restore from secure backups
1. Introduction
The Ransomware Behaviour Simulation & Prevention Tool is a Python-based cybersecurity project to study, simulate, and mitigate ransomware in a safe sandbox. It mimics encryption behavior, observes system impacts, and deploys real-time prevention like process blocking and automated recovery from secure backups. Ideal for hands-on learning and practical defense testing.
2. Existing System vs Proposed System
Existing system:
- Signature-based AV misses polymorphic variants.
- Limited or no behavioral visibility.
- No safe lab to analyze attack flow.
Proposed system:
- Sandboxed file-encryption simulation (AES/XOR).
- Behavioral detection (mass-encrypt, rename spikes).
- Auto-prevention: kill, quarantine, backup-restore.
- Optional ML classifier for process risk.
- Detailed incident report & logs.
3. Working
- Simulation Module: Creates a sandbox and encrypts sample files with AES/XOR.
- Monitoring Module: Watchdog tracks file creates/renames/extension bursts.
- Behavioral Detection: Flags mass encryption rates, suspicious write patterns.
- Alert & Prevention: Terminates process, quarantines directory, isolates keys.
- Recovery: Restores originals from backup store.
- Report: Generates summary with indicators and actions taken.
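The Monitoring and Behavioral Detection steps above are easiest to see on a concrete event stream. The following is an added example, not code from the project: a sliding-window detector that scores rename rate and extension bursts over (timestamp, event type, src, dest) tuples, the fields a watchdog FileSystemEvent exposes. The window length, thresholds, indicator names and the two constructed event streams (a ransomware burst and an editor saving mixed files) are assumptions chosen for illustration.

```python
"""Behavioral ransomware detector (added example, not the project's code).
Heuristics: event rate, rename rate and extension burst over a sliding window.
Thresholds and indicator names are assumed values for illustration."""
from collections import Counter, deque
import os

WINDOW_SECONDS = 60      # sliding window length (assumed)
RATE_THRESHOLD = 40      # events in the window before it counts as mass activity
BURST_MIN_EVENTS = 20    # minimum events before the extension test is applied
BURST_SHARE = 0.8        # share of events landing on one extension = burst


class BehaviorDetector:
    """Consumes (ts, event_type, src_path[, dest_path]) tuples; for 'moved'
    events the extension that matters is the one the file was renamed to."""

    def __init__(self, window=WINDOW_SECONDS, rate=RATE_THRESHOLD,
                 burst_min=BURST_MIN_EVENTS, burst_share=BURST_SHARE):
        self.window, self.rate = window, rate
        self.burst_min, self.burst_share = burst_min, burst_share
        self.events = deque()  # (ts, type, extension) inside the window

    @staticmethod
    def _ext(path):
        return os.path.splitext(path)[1].lower()

    def feed(self, ts, etype, src, dest=None):
        """Record one event; return the indicators that fire (may be empty)."""
        target = dest if etype == "moved" and dest else src
        self.events.append((ts, etype, self._ext(target)))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()  # expire events older than the window
        return self._evaluate()

    def _evaluate(self):
        indicators = []
        n = len(self.events)
        if n >= self.rate:
            indicators.append("mass_file_activity:%d/%ds" % (n, self.window))
        renames = sum(1 for _, t, _ in self.events if t == "moved")
        if renames >= self.rate:
            indicators.append("rename_spike:%d/%ds" % (renames, self.window))
        if n >= self.burst_min:
            ext, cnt = Counter(e for _, _, e in self.events).most_common(1)[0]
            if ext and cnt / n >= self.burst_share:
                indicators.append("extension_burst:%s:%d/%d" % (ext, cnt, n))
        return indicators


def ransomware_stream(start=1000.0, n=60):
    """Constructed input: n files renamed to .enc within about 6 seconds."""
    return [(start + i * 0.1, "moved",
             "sandbox/doc%d.txt" % i, "sandbox/doc%d.txt.enc" % i)
            for i in range(n)]


def benign_stream(start=1000.0, n=30):
    """Constructed input: an editor saving mixed file types every 5 seconds."""
    exts = [".txt", ".docx", ".png", ".csv"]
    return [(start + i * 5.0, "modified", "sandbox/file%d%s" % (i, exts[i % 4]))
            for i in range(n)]


def run(stream):
    """Replay a stream and return the distinct indicator names that fired."""
    det = BehaviorDetector()
    fired = set()
    for ev in stream:
        for ind in det.feed(*ev):
            fired.add(ind.split(":")[0])
    return sorted(fired)


if __name__ == "__main__":
    print("ransomware:", run(ransomware_stream()))
    print("benign:    ", run(benign_stream()))
```

The extension-burst test fires first (after 20 events, all landing on .enc), before the raw rate crosses 40, which is why a burst check catches a slow-but-uniform encryptor that a pure rate threshold would miss; the benign stream never holds more than 13 events in the 60-second window and stays silent.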
4. Technology Stack
- Language: Python
- Libraries: os, shutil, hashlib, psutil, watchdog, PyCryptodome, pandas, scikit-learn
- Algorithms: AES for simulation; Random Forest/SVM for detection
- Database: SQLite3/CSV for logs & threat history
- Interface: Tkinter or Flask dashboard
- Platform: Windows/Linux sandbox
5. Modules
- Simulation: Safe AES/XOR demo.
  - Sandbox-only operations
  - Configurable targets
- Monitoring: Real-time events.
  - Watchdog observers
  - Extension/rename spikes
- Detection: Heuristics + ML.
  - Rate thresholds
  - RF/SVM models
- Prevention: Stop & quarantine.
  - Kill PIDs (psutil)
  - Isolate artifacts
- Recovery: One-click restore.
  - Versioned backups
  - Integrity checks (hash)
- Reporting: Traceable audits.
  - SQLite/CSV
  - Incident reports
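The Recovery module's "versioned backups" and "integrity checks (hash)" are the part most worth getting right: a restore that blindly copies a backup a ransomware process has already touched just re-plants damage. The block below is an added example, not the project's code; it keeps each snapshot under backup/vNNNN/ with a manifest.json of SHA-256 digests, and the restore skips (and reports) any stored file whose digest no longer matches. The layout, the function names and the small set of files created in a temporary directory by demo() are assumptions for illustration.

```python
"""Versioned backup store with SHA-256 integrity checks (added example, not
the project's code). Layout: <backup_root>/vNNNN/data/<files> plus
<backup_root>/vNNNN/manifest.json mapping relative path -> sha256."""
import hashlib, json, os, shutil, tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sandbox, backup_root):
    """Copy sandbox into a new vNNNN directory and write its manifest.
    The digest is taken from the stored copy, so a later mismatch means the
    backup itself was altered. Returns the version directory."""
    os.makedirs(backup_root, exist_ok=True)
    existing = [d for d in os.listdir(backup_root) if d.startswith("v")]
    vdir = os.path.join(backup_root, "v%04d" % (len(existing) + 1))
    manifest = {}
    for root, _, files in os.walk(sandbox):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, sandbox).replace(os.sep, "/")
            dst = os.path.join(vdir, "data", rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(dst)
    with open(os.path.join(vdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return vdir


def verify(vdir):
    """Return the relative paths whose stored copy fails the manifest check."""
    with open(os.path.join(vdir, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        p = os.path.join(vdir, "data", rel)
        if not os.path.exists(p) or sha256_file(p) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(backup_root, sandbox, version=None):
    """Restore the newest (or the named) version into sandbox, skipping files
    that fail integrity. Returns (restored_paths, skipped_paths)."""
    versions = sorted(d for d in os.listdir(backup_root) if d.startswith("v"))
    vdir = os.path.join(backup_root, version or versions[-1])
    bad = set(verify(vdir))
    with open(os.path.join(vdir, "manifest.json")) as f:
        manifest = json.load(f)
    restored = []
    for rel in sorted(manifest):
        if rel in bad:
            continue
        dst = os.path.join(sandbox, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(vdir, "data", rel), dst)
        if os.path.exists(dst + ".enc"):  # drop the encrypted twin, if any
            os.remove(dst + ".enc")
        restored.append(rel)
    return restored, sorted(bad)


def demo():
    """End-to-end run in a temp dir: snapshot, simulated encryption, one
    tampered backup file, restore. Returns a dict of the outcome."""
    base = tempfile.mkdtemp()
    sandbox, backup = os.path.join(base, "sandbox"), os.path.join(base, "backup")
    os.makedirs(os.path.join(sandbox, "docs"))
    originals = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "c.csv": b"1,2,3\n"}
    for rel, data in originals.items():  # constructed sample files
        with open(os.path.join(sandbox, rel), "wb") as f:
            f.write(data)
    vdir = snapshot(sandbox, backup)
    for rel in originals:  # simulated ransomware: rename each file to .enc
        os.rename(os.path.join(sandbox, rel), os.path.join(sandbox, rel) + ".enc")
    with open(os.path.join(vdir, "data", "c.csv"), "ab") as f:
        f.write(b"garbage")  # simulated tampering with one stored copy
    restored, skipped = restore(backup, sandbox)
    ok = all(open(os.path.join(sandbox, r), "rb").read() == originals[r]
             for r in restored)
    shutil.rmtree(base)
    return {"version": os.path.basename(vdir), "restored": restored,
            "skipped": skipped, "recovered_ok": ok}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the backup root must not be writable by the process being monitored (a separate user, a read-only mount, or an off-host store), otherwise the manifest and the data can be tampered with together and the hash check proves nothing.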
6. Advantages
- Safe hands-on ransomware lab: encryption is confined to a sandbox directory, so the host filesystem is never touched.
- Behavior-first approach can catch novel variants that signatures miss.
- Real-time alerts and automatic prevention.
- In-depth learning for cybersecurity students & teams.
- Foundation for next-gen endpoint protection.
7. Applications
- Academic labs & research on ransomware behavior.
- Security training for IT professionals.
- Sandbox testing for AV/EDR models.
- Enterprise readiness drills & tabletop exercises.
- Awareness demos for non-technical audiences.
Python Integration Sketch (Watchdog + PyCryptodome + ML)
```python
import os, time, shutil, hashlib, psutil, sqlite3
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
import joblib  # for RandomForest/SVM model (optional)

SANDBOX = "sandbox/"
BACKUP = "backup/"
DB = "events.db"
THRESH_FILES_PER_MIN = 40  # example threshold for mass-encrypt behavior


def encrypt_file(path, key):
    # AES-CTR demo encryption (sandbox only). PyCryptodome generates a random
    # 8-byte nonce; it is stored in front of the ciphertext.
    with open(path, "rb") as f:
        data = f.read()
    cipher = AES.new(key, AES.MODE_CTR)
    ct = cipher.encrypt(data)
    with open(path + ".enc", "wb") as f:
        f.write(cipher.nonce + ct)
    os.remove(path)


def simulate_encryption():
    key = get_random_bytes(16)
    for root, _, files in os.walk(SANDBOX):
        for name in files:
            if not name.endswith(".enc"):
                encrypt_file(os.path.join(root, name), key)
                time.sleep(0.05)  # pacing for demo


class RansomEventHandler(FileSystemEventHandler):
    def __init__(self):
        self.events = []
        self.last_min = int(time.time() // 60)
        self.alerted = False  # fire the response once per minute window

    def on_modified(self, event):
        self.track(event)

    def on_created(self, event):
        self.track(event)

    def track(self, event):
        if event.is_directory:
            return
        now_min = int(time.time() // 60)
        if now_min != self.last_min:  # new minute: reset the counter
            self.events.clear()
            self.last_min = now_min
            self.alerted = False
        self.events.append(event.src_path)
        # Check on every event, not only at the minute boundary, so a burst
        # is caught while it is happening rather than up to a minute later.
        self.evaluate_rate()

    def evaluate_rate(self):
        rate = len(self.events)
        if rate > THRESH_FILES_PER_MIN and not self.alerted:
            self.alerted = True
            alert_and_prevent("Mass encryption rate detected: %d files/min" % rate)


def alert_and_prevent(reason):
    # Kill suspected processes. Demo heuristic: every other Python process.
    # The monitor's own PID is skipped: terminating it here would stop this
    # process before the quarantine/restore steps below ever run. In a real
    # lab run the simulator as a separate process so it is the one killed.
    me = os.getpid()
    for p in psutil.process_iter(["pid", "name", "cmdline"]):
        try:
            if p.pid != me and "python" in (p.info["name"] or "").lower():
                p.terminate()
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            pass
    # Quarantine: archive the encrypted sandbox for later analysis
    shutil.make_archive("quarantine", "zip", SANDBOX)
    # Restore clean copies from BACKUP, then record the incident
    restore_from_backup()
    log_incident(reason)


def restore_from_backup():
    if not os.path.isdir(BACKUP):
        return
    for root, _, files in os.walk(BACKUP):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, BACKUP)  # keep the sub-directory layout
            dst = os.path.join(SANDBOX, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)


def log_incident(msg):
    conn = sqlite3.connect(DB)
    cur = conn.cursor()
    cur.execute("CREATE TABLE IF NOT EXISTS incidents(ts INTEGER, msg TEXT)")
    cur.execute("INSERT INTO incidents VALUES(?,?)", (int(time.time()), msg))
    conn.commit()
    conn.close()


if __name__ == "__main__":
    # Populate BACKUP with a clean copy of SANDBOX first, then run the
    # Observer and (demo only) the simulator in the same process.
    os.makedirs(SANDBOX, exist_ok=True)
    handler = RansomEventHandler()
    obs = Observer()
    obs.schedule(handler, SANDBOX, recursive=True)
    obs.start()
    try:
        simulate_encryption()  # for demo only
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        obs.stop()
    obs.join()
```
What You Get
| Item | Included | Notes |
|---|---|---|
| Python Source Code | ✅ | Simulation + Monitoring + Prevention |
| AES/XOR Demo Encryptors | ✅ | Sandboxed only |
| Behavior Detection Engine | ✅ | Thresholds + optional ML |
| Backup & Recovery | ✅ | Versioned restore flow |
| Flask/Tkinter UI | ✅ | Controls, logs, graphs |
| Demo Video | ✅ | Setup & working walkthrough |
| Report & PPT | ✅ | College-format templates |
| Support | ✅ | Installation + viva Q&A (1 month) |
Want a hands-on ransomware lab?
Get the Simulation & Prevention Tool with code, demo, docs, and support.
