Ransomwhere: A Go-Based Ransomware Simulator for Testing Your Incident Response Strategy
Hook
Most organizations don't discover their backups are corrupted until ransomware strikes—by which point it's already too late to fix your response plan.
Context
Security teams face a paradox: they need to test ransomware defenses without deploying actual malware that could escape containment or trigger legal issues. Traditional approaches involve either expensive commercial simulation tools or the dangerous practice of detonating real malware samples in supposedly isolated environments. Neither option is ideal—commercial tools often lack the flexibility needed for custom scenarios, while real malware introduces catastrophic risk if isolation fails.
Ransomwhere emerged as a middle path: a simple, transparent proof-of-concept written in Go that exhibits core ransomware behaviors without the complexity, obfuscation, or malicious intent of real threats. Created by Niels Hofmans (hazcod), it's designed explicitly for blue teams who need to validate detection rules, test backup restoration procedures, and train incident responders in realistic but controlled scenarios. The tool's open-source nature means security teams can audit every line, modify behaviors for specific test cases, and deploy it without vendor licensing concerns.
Technical Insight
Ransomwhere's architecture reflects a deliberate choice for simplicity over sophistication. The core implementation consists of filesystem traversal logic coupled with standard Go cryptographic libraries—no exotic techniques, no anti-analysis tricks, just straightforward encryption that mimics the fundamental behavior attackers use to hold data hostage.
The encryption routine uses AES-256 in CTR mode with a user-supplied password that's stretched using scrypt for key derivation. When you run Ransomwhere in encrypt mode, it walks the specified directory tree and processes each file in place:
// Simplified example of the encryption approach. This snippet uses AES-GCM
// (authenticated encryption); the key passed in must be 32 bytes for AES-256.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
	"os"
)

func encryptFile(filePath string, key []byte) error {
	plaintext, err := os.ReadFile(filePath)
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	// Fresh random nonce per file; it is prepended to the ciphertext so the
	// decrypt side can recover it.
	nonce := make([]byte, aesgcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ciphertext := aesgcm.Seal(nonce, nonce, plaintext, nil)
	return os.WriteFile(filePath+".encrypted", ciphertext, 0644)
}
This straightforward implementation means detection systems should catch Ransomwhere through standard behavioral monitoring—rapid sequential file modifications, cryptographic API calls, and filesystem enumeration patterns. If your EDR or SIEM doesn't alert on this activity, you've identified a critical gap in your defenses before a real attack occurs.
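The "rapid sequential file modifications" signal described above, run over a few constructed file-activity events, as an added example that is not part of Ransomwhere or the original article. It assumes a simple one-event-per-line log format (timestamp, pid, operation, path); real EDR or auditd telemetry needs its own parser, but the sliding-window logic is the same.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample log, one "<RFC3339 time> <pid> <op> <path>" per line. Pid 4242
// rewrites five files in two seconds (Ransomwhere-like); pid 77 is a slow editor.
var sampleLog = []string{
	"2024-05-01T02:00:00Z 4242 write /srv/share/q1.xlsx.encrypted",
	"2024-05-01T02:00:00Z 4242 delete /srv/share/q1.xlsx",
	"2024-05-01T02:00:01Z 4242 write /srv/share/q2.xlsx.encrypted",
	"2024-05-01T02:00:01Z 77 write /home/ann/notes.txt",
	"2024-05-01T02:00:01Z 4242 write /srv/share/q3.xlsx.encrypted",
	"2024-05-01T02:00:02Z 4242 write /srv/share/q4.xlsx.encrypted",
	"2024-05-01T02:00:02Z 4242 write /srv/share/q5.xlsx.encrypted",
	"2024-05-01T02:05:00Z 77 write /home/ann/notes.txt",
}

// burstWriters returns the pids that wrote or created at least threshold files
// inside any sliding window of the given length. Deletes and reads are ignored
// so a backup job that only reads many files is not flagged; malformed lines
// are skipped rather than failing the whole batch.
func burstWriters(lines []string, window time.Duration, threshold int) map[string]bool {
	recent := map[string][]time.Time{}
	flagged := map[string]bool{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil || (f[2] != "write" && f[2] != "create") {
			continue
		}
		pid := f[1]
		ts := append(recent[pid], at)
		for len(ts) > 0 && at.Sub(ts[0]) > window { // expire timestamps older than the window
			ts = ts[1:]
		}
		recent[pid] = ts
		if len(ts) >= threshold {
			flagged[pid] = true
		}
	}
	return flagged
}
```

Tune window and threshold against a baseline of normal activity first; a build server or a large copy job will legitimately exceed a naive threshold.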
The tool supports several flags that enable progressively destructive testing scenarios. The --delete flag removes original files after encryption, simulating attackers who want to eliminate recovery options. The --wipe-snapshots flag attempts to delete local filesystem snapshots using platform-specific commands (like VSS on Windows or Time Machine on macOS), mimicking a common ransomware technique for preventing easy rollback. These behaviors are opt-in, giving operators granular control over risk during testing.
Decryption reverses the process using the same password, reading the encrypted files and restoring original content. The symmetric nature of this operation is intentional—it allows repeatable testing cycles where the same dataset can be encrypted, detection systems validated, then decrypted for the next test run. This is fundamentally different from real ransomware, which typically uses asymmetric cryptography where only the attacker holds the private decryption key.
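The decrypt half of that repeatable cycle, written as an added example (not Ransomwhere's own code) against the nonce-prefixed AES-GCM layout of the snippet above. Deriving the 32-byte key from the password is left to the caller, and the in-memory form is used so the round trip can be checked without touching the filesystem.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// sealBytes is the in-memory form of the encryptFile snippet above: it returns
// nonce || AES-GCM(plaintext). Added example, not Ransomwhere's own code.
func sealBytes(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aesgcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aesgcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBytes reverses sealBytes for the decrypt half of a test cycle: split off
// the nonce, then authenticate and decrypt. A key derived from the wrong
// password, a truncated file, or a byte flipped by a faulty restore all fail
// here instead of yielding silently garbled plaintext.
func openBytes(ciphertext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aesgcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than nonce: truncated or never encrypted")
	}
	return aesgcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}
```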
From a testing perspective, Ransomwhere's value lies in its predictability. You can script scenarios like: encrypt a directory tree at 2 AM when monitoring staff are less attentive, measure time-to-detection, validate alert escalation paths, and verify that your backup restoration procedures actually work under pressure. The tool's simplicity means test results reflect your defensive capabilities rather than the sophistication of the attack simulator itself.
Gotcha
Ransomwhere's simplicity is both its strength and primary limitation. The tool lacks numerous behaviors that characterize modern ransomware campaigns, which means passing a Ransomwhere test doesn't guarantee you're protected against real-world threats. It doesn't perform network reconnaissance, lateral movement, credential theft, or communication with command-and-control infrastructure. Detection systems that rely on network behavioral analysis won't be exercised at all.
The encryption implementation uses symmetric keys derived from user-provided passwords, with no attempt at realistic key management. Real ransomware generates unique encryption keys per victim, exfiltrates them to attacker infrastructure, and often employs hybrid encryption schemes where file encryption keys are themselves encrypted with asymmetric cryptography. This means Ransomwhere won't test your ability to respond to scenarios where decryption is impossible without attacker cooperation. Additionally, the tool provides no obfuscation, anti-debugging, or persistence mechanisms—it runs as a standard user-space process that's trivial to detect and kill. If your testing objective includes validating defenses against evasive or polymorphic malware, you'll need more sophisticated tooling or actual malware samples in properly isolated environments.
Verdict
Use if: You need a simple, auditable tool to validate basic ransomware detection capabilities, test backup restoration procedures, or train junior incident responders in controlled lab environments. Ransomwhere excels at answering fundamental questions like 'Do our file integrity monitors actually alert?' and 'Can we restore from backups within our RTO targets?' It's particularly valuable for organizations just building their security testing programs who need safe, repeatable scenarios without complex setup.
Skip if: You're testing advanced EDR capabilities, need to validate defenses against sophisticated attacker techniques like credential theft or lateral movement, or require realistic C2 communication patterns. Ransomwhere's lack of evasion techniques and network behaviors means mature security programs should graduate to frameworks like Atomic Red Team or MITRE Caldera that can simulate complete attack chains rather than isolated ransomware encryption.