- Command-line executable that will emulate common ransomware functions for the purpose of testing endpoint detection and response tools.
- Version: 0.8
- Type "help" (without quotes) inside the emulator prompt to get a list of all the available options.
- About the tool: https://blog.fraktal.fi/
- About the authors: https://www.fraktal.fi
- Open the .sln solution file in Visual Studio (developed with VS 2019 and VS 2017).
- To add/modify functions:
- Add the corresponding option in the "options" class;
- Add the corresponding option in the "Run" function;
- Add the corresponding option in the switch inside the main function;
- Create the corresponding function.
- Dependencies:
- ILMerge NuGet package.
- ILMerge.MSBuild.Tasks NuGet package.
- Figgle NuGet package.
- TaskScheduler NuGet package.
The tool is not designed as destructive. Still, we cannot anticipate how various endpoint protection tools respond to running it. For this reason we do not recommend running the tool in any critical or production system.
Fransom incorporates code and functionality from the following open source offensive .NET tools:
- Process injection mechanisms are from C# Memory Injection Examples project by pwndizzle.
- LSASS dumping implementation is from https://github.com/GhostPack/SharpDump by harmj0y. SharpDump is licensed under the BSD 3-Clause license, available here.
- calc.exe shellcode is from win-exec-calc-shellcode by Berend-Jan "SkyLined" Wever and Peter Ferrie. Copyright.
- Process Hollowing implementation is from Simple Process Hollowing C# by smgorelik.