Stockholm: understanding ransomware from the inside
Within the 42Madrid cybersecurity bootcamp, the Stockholm project represents an interesting step toward the more offensive (and delicate) side of information security. The goal is simple in concept but powerful in practice: understand how ransomware works by implementing it yourself—always for educational purposes and within controlled environments.
Stockholm forces you to think like an attacker in order to become better at defending your systems.
⚠️ Important warning
Before diving in, a few things must be crystal clear:
- This program was developed exclusively for educational purposes.
- The use and distribution of this tool are the sole responsibility of whoever runs it.
- The program only affects files, in a controlled manner, located in the ~/infection directory.
- When files are encrypted, a totem.key file is generated containing the encryption key. 👉 If you lose this file, there is no way back.
- Running the project inside a Docker container or a virtual machine is strongly recommended.
In short: experiment, learn… but do it safely 🧯.

🧩 Project objective
The purpose of Stockholm is to build a small program with a clear impact: mass file encryption, simulating the basic behavior of a real ransomware.
The program must:
- Run on Linux or macOS systems.
- Scan the /home/$user/infection directory and all its subdirectories.
- Detect files with extensions similar to those targeted by the WannaCry ransomware.
- Encrypt those files using a secure cryptographic algorithm.
- Rename encrypted files by appending the .ft extension.
While network propagation is not part of the scope, the project helps you understand how this kind of attack can cause serious damage if proper security measures are not in place.
🔐 Cryptography and security
The project is written in Python, using the cryptography module—specifically its Fernet implementation.
Fernet relies on the AES (Advanced Encryption Standard) algorithm, one of the most widely used and robust encryption standards today:
- AES-128
- AES-192
- AES-256
AES is used by both private companies and government agencies, which gives a good indication of the security level it provides.
In the case of Stockholm:
- The program scans the infection directory.
- It builds a list of target files.
- Each file is encrypted using AES via Fernet.
- The encryption key is stored in totem.key.
When the decryption mode is executed, the process is reversed—as long as:
- The files have not been modified.
- The totem.key file remains intact.
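An added example for incident triage, not code from the Stockholm project: it uses the published Fernet token layout (version byte 0x80, 8-byte timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC, all base64url-encoded) to recognise encrypted files and read their encryption time without the key. It assumes each .ft file holds the token exactly as Fernet.encrypt() returns it; `parse_fernet_token`, `triage` and `make_constructed_token` are names introduced here.

```python
import base64
import binascii
import struct
from datetime import datetime, timezone
from pathlib import Path

FERNET_VERSION = 0x80
# Decoded layout: version(1) | timestamp(8) | IV(16) | ciphertext(16*n) | HMAC(32)
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32


def parse_fernet_token(data: bytes):
    """Return the token's creation time (UTC) if data has the structure of a
    Fernet token, else None. No key is needed: the header is not encrypted."""
    try:
        raw = base64.urlsafe_b64decode(data.strip())
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        return None
    # AES-CBC output is always a whole number of 16-byte blocks.
    if (len(raw) - 1 - 8 - 16 - 32) % 16 != 0:
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    try:
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None


def triage(root: Path, suffix: str = ".ft"):
    """Map every file under root that ends in suffix and parses as a Fernet
    token to the encryption time embedded in it."""
    hits = {}
    for path in sorted(root.rglob(f"*{suffix}")):
        if path.is_file():
            when = parse_fernet_token(path.read_bytes())
            if when is not None:
                hits[path] = when
    return hits


def make_constructed_token(ts: int, blocks: int = 2) -> bytes:
    """Constructed sample: correct layout, filler bytes in place of real ciphertext and HMAC."""
    raw = bytes([FERNET_VERSION]) + struct.pack(">Q", ts) + b"\x11" * 16
    raw += b"\x22" * (16 * blocks) + b"\x33" * 32
    return base64.urlsafe_b64encode(raw)
```

The timestamp is covered by the token's HMAC, which can only be checked with the key, so treat the recovered time as a timeline lead and corroborate it with file system metadata.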
🧪 Testing with Docker
To minimize risks, the project includes Docker support, allowing you to test everything safely.
The recommended workflow is:
- Install Docker Desktop.
- Use the Makefile to build the image and start the container.
- Run the test scripts inside the isolated environment.
- Test the generated binary against sample files.
This setup lets you experiment freely without putting your real system at risk.

🚀 Conclusion
Stockholm is a project that is as sensitive as it is fascinating. It allows you to:
- Understand how real ransomware works from the inside.
- Learn applied cryptography (AES, Fernet).
- Work with recursive file system traversal.
- Apply good testing practices in isolated environments.
- Gain real awareness of the impact of encryption-based attacks.
A key project for anyone looking to go deeper into both offensive and defensive cybersecurity 🔐💻.
📌 Source code available on GitHub
- Date: 2025-12-29
- Categories: Python - Security
- Source code: goldcod3/Stockholm