Files
kosta-dev 4cf11b7bc0 Delete examples/ransomware/create_dataset.py
delete create_dataset.py
2025-05-27 18:25:51 -04:00
..
2025-05-27 18:24:57 -04:00
2025-05-27 18:19:11 -04:00

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Linux Ransomware Simulation Scripts

## Overview

The files in the `zvml-python-sdk/examples/ransomware` folder provide a set of scripts to simulate a ransomware-style
**encryption and decryption event** on a Linux VM. It is designed for use with **Zerto 10.0 U1+ (ZVML)** to demonstrate
ransomware detection and alerting capabilities—**without requiring any OVF templates or pre-built Windows VMs**.

This is a lightweight, Linux-native alternative to [RanSim](https://github.com/lawndoc/RanSim), ideal for fast
deployment and testing in Zerto-protected environments.

---

## Purpose

- Simulate encryption of user files to trigger Zertos ransomware detection engine.
- Demonstrate how ZVM (Zerto Virtual Manager) identifies abnormal encryption behavior.
- Provide a reversible, easy-to-run simulation environment using shell scripts.

---

## Prerequisites

- A Linux VM (Debian, Ubuntu, Rocky, RHEL, etc.)
- Zerto ZVML (Zerto Virtual Manager Linux) **10.0 U1 or later**
- A running VRA protecting the VM
- The VM must be part of an existing **Virtual Protection Group (VPG)**
- SSH or console access with write and execute permissions

---

## ZVM Tuning Parameters (Required)

Add the following parameters to `tweaks.txt` on your **ZVM appliance**, or apply them using ZVMs backend interface:

```ini
t_ransomwareAttackThreshold=2
t_ransomwareEngTrainPeriodSec=60
t_ransomwareEngCuSumThrsDiff=5
t_ransomwareEngCuSumThrsSec=60
t_ransomwareEngAvgTimeSec=180
t_ransomwareEngCuSumTimeSec=2
```

> **IMPORTANT**: Restart the ZVM appliance (or the VM it's running on) to apply these changes.

---

## Recommended VM Configuration

- At least **90 GB** of total disk space
- Simulation dataset size: **~2 GB**

---

## Simulation Instructions

### 1. Clone the repository

```bash
git clone https://github.com/your-org/zvml-python-sdk.git
cd zvml-python-sdk/examples/ransomware
```

### 2. Create the test dataset

This command creates a folder containing 2000 files, each 1MB in size:

```bash
mkdir important-files
./create_data_set.sh 1M 2000 important-files
```

You can modify the size and number of files as needed.

### 3. Encrypt the dataset (simulate ransomware)

This encrypts all files in the folder using `openssl` and appends an `.encrypted` extension:

```bash
./encrypt_files_recursive.sh ./important-files yourkeyword encrypted
```

- `yourkeyword`: your encryption password
- `encrypted`: file extension to be appended (e.g., `.encrypted`)

> Within **30 to 60 seconds**, ZVM should detect abnormal behavior and trigger an alert.

### 4. Decrypt the dataset (restore files)

To reverse the simulation and restore the original files:

```bash
./decrypt_files_recursive.sh ./important-files yourkeyword encrypted
```

---

## Notes

- These scripts use `openssl` for AES-256 encryption.
- Make sure `openssl` is installed (`apt install openssl` or `yum install openssl` as needed).
- All operations are local to the Linux VM — no outbound internet or services required.
- You can modify or extend the scripts for more advanced or varied encryption behavior if needed.

---

## Disclaimer

This simulation is provided **for demonstration and educational purposes only**.  
Do **not** use these scripts on production systems or with sensitive/real data.  
Only use in controlled, isolated lab environments. Always inspect and understand what a script does before execution.

---

## Credits

- Based on concepts from [lawndoc/RanSim](https://github.com/lawndoc/RanSim)
- Adapted for Linux-based Zerto simulation environments by [Your Name or Team]