From WannaCry to Building My Own Ransomware Lab: A Defensive Cybersecurity Journey

In 2017, the world witnessed one of the most disruptive cyberattacks in modern history: the WannaCry ransomware attack.

Within hours, hospitals, telecom companies, transportation systems, and businesses across more than 150 countries were locked out of their own systems. The attack exploited a Windows vulnerability and encrypted user files, demanding Bitcoin in exchange for recovery.

But beyond the headlines and chaos, one question stayed with me:

How does ransomware actually work under the hood?

Not from a news article.
Not from a YouTube explanation.
But technically, structurally and cryptographically.

That question led me to build a controlled educational project: Ransomware-Lab.

This article explains why I built it, how it works, and what I learned from simulating encryption-based attacks in a safe, isolated environment.

Why Study Ransomware?

Understanding offensive techniques is essential for defensive cybersecurity.

Ransomware typically:

1. Scans for files
2. Encrypts them using strong cryptography
3. Prevents unauthorized decryption
4. Demands payment for recovery

To build effective defenses, you must understand:

• How encryption is implemented
• How keys are generated and stored
• How authentication is validated
• Where implementation mistakes occur

I didn’t want to just read about these mechanisms.

I wanted to implement them safely to understand them deeply.

The Project: Ransomware-Lab (Educational Simulation)

Repository:
https://github.com/Wambita/ransomware-lab

This project is a controlled ransomware simulation built strictly for:

• Educational purposes
• Cryptography practice
• Secure coding exploration
• Defensive security learning

It was tested exclusively inside a virtual machine and targets only user-created test folders.

• No system files.
• No network communication.
• No persistence mechanisms.
• No destructive behavior.

Technical Architecture

Encryption Design

The project uses:

• AES (Advanced Encryption Standard) in CBC mode
• Scrypt for secure password-based key derivation
• Secure random IV generation
• PKCS7 padding

Library used:

cryptography

Encryption Workflow

The encryption process works as follows:

1. Generate a secure recovery token
2. Derive a cryptographic key using Scrypt
3. Encrypt each file in the selected test directory
4. Replace original files with encrypted versions
5. Store the recovery token for verification

Recovery Workflow

Recovery requires:

1. Secure token input using getpass()
2. Input sanitization using .strip()
3. Decryption validation
4. Key re-derivation
5. Controlled decryption

If the token does not match, decryption fails safely.

This simulates real-world authentication validation logic.

Cross-Platform Awareness

The project detects the operating system dynamically using:

platform.system()

It adapts directory paths for:

• Windows
• Linux
• macOS

Importantly, it targets user-level directories only, not system-level folders.

This demonstrates safe scoping and environment awareness.

Security Design Principles Applied

Several intentional security decisions were implemented:

• No hardcoded keys
• Input sanitization
• Explicit directory validation
• Safe error handling
• Virtual machine testing only

The project avoids:

• Network propagation
• Privilege escalation
• Automatic system targeting
• Persistence mechanisms
• Destructive behavior

This is a lab not malware.

What I Learned

1. Cryptography Is Powerful and Easy to Misuse

It’s simple to encrypt files.

It’s much harder to:

• Derive keys securely
• Manage secrets safely
• Prevent implementation flaws
• Handle errors properly

Small mistakes can break security guarantees.

2. Input Handling Is Critical

Using:

token = getpass("Enter the recovery token: ").strip()

Prevents subtle bugs caused by:

• Trailing spaces
• Accidental newline characters
• Copy-paste inconsistencies

Tiny details affect reliability and user experience.

3. Understanding Attacks Improves Defense

After building this simulation, I better understood:

• Why offline backups are critical
• Why patching vulnerabilities matters
• Why endpoint detection is necessary
• Why key management is everything
• Why ransomware is so difficult to reverse without keys

Studying how something breaks systems teaches you how to protect them.

Ethical Reflection

There is an important distinction between:

• Building harmful software and
• Studying harmful mechanisms in controlled environments

This project was built to:

• Learn responsibly
• Practice applied cryptography
• Develop defensive awareness
• Strengthen cybersecurity foundations

All testing was done in isolated virtual machines with disposable test data.

Ethics matter in cybersecurity.

Understanding offensive techniques should always serve defensive goals.

Skills Demonstrated

• Applied cryptography
• Secure key derivation
• Hash-based authentication
• Python systems programming
• Cross-platform scripting
• Secure input handling
• Defensive architecture thinking
• Ethical cybersecurity awareness

Future Improvements

Planned enhancements include:

• HMAC-based file integrity checks
• Logging system for audit tracking
• CLI argument support
• Unit testing coverage
• Dockerized safe lab environment
• Companion detection simulation project *SHA-256 hashing for token verification and hash evaluation.

Final Reflection

The WannaCry ransomware attack showed the world how devastating encryption-based attacks can be.

But fear alone doesn’t build resilience.

Understanding does.

Building this project shifted my mindset from:

“Ransomware is scary.”

to-

“I understand how this works and I know how to defend against it.”

That’s the difference between passive awareness and active security engineering.

Project Repository

https://github.com/Wambita/ransomware-lab