Abstract

CredLock is a controlled and isolated ransomware simulation environment that lets companies safely replicate their environments for ransomware testing. Many organizations lack realistic, low-risk ways to simulate ransomware in their environment. CredLock provides a way to evaluate detection and response without risking any real machines. It simulates ransomware activity using AES-256 encryption and file renaming, with various modes. The system operates in a Windows Azure virtual environment and uses a Python script to generate realistic ransomware attacks. Sysmon, a Windows monitoring tool, is preinstalled on the virtual machine and configured to collect and log activity related to a ransomware attack. A report is then generated that grades the environment on how well it protected against the ransomware attack. CredLock functions as both a training tool and a research platform for IT professionals while keeping live environments separated and safe.

Members

Ian Listopad

Jordan Miller

Marouane Faissali

Nick Blank

Patrick Buerk

Advisor: Samuel Bricking

Our Sponsors