Menu

RanSim

Avatar
Katie Brennan
Updated
Follow

RanSim Product Manual

RanSim is a tool that simulates the behavior of ransomware. The purpose of RanSim is to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.

Note:

It is important to NOT turn off your antivirus at any point during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

To learn about this product, read the below tutorial or watch this brief RanSim video.

Jump to:
System Requirements
How to Install RanSim
Launching RanSim
Technical Components
How it Works
 Test Scenarios
False Positive Scenarios
Operational Aspects
Frequently Asked Questions (FAQs)

 

System Requirements

RanSim is an application meant to run on workstations running Microsoft Windows 7 OS or newer. It requires the machines to have:

  • Two processors (at least)
  • 2 GB RAM (at least)
  • 100 MB free HDD space
  • Internet connection
  • RanSim is developed on top of .NET Framework 4.0 which is a prerequisite for running the tool.

We recommend that you run RanSim on a workstation which is set up the same as your users (including the same programs and/or security software that you already have in place).

Back to top

 

How to Install RanSim

  1. Ensure the workstation you are running RanSim on meets the system requirements, then download and install RanSim.


RanSim Download Screen

After downloading the RanSim zip file, you will need to launch the RanSim installer to begin the installation. To do this, see the steps below:

  1. Double-click the ransim.zip file in File Explorer.
  2. Double-click the SimulatorSetup.exe file.
  3. A password prompt will appear. Here, enter knowbe4. This will launch the RanSim installer.

Note:

If your anti-virus product blocks the installation or launch of the product, see here (letter A and B for more information).

Back to top

 

Launching RanSim

  1. Once installed, click Launch to launch RanSim. Or, you can double-click the KnowBe4 Ransomware Simulator icon on your desktop.

    RanSim Installation/Launch Screen

 

  1. Click the Check Now button to get started. After clicking, RanSim will run sixteen separate infection scenarios which will simulate different types and methods of ransomware. It will also run two "false positive" scenarios, both of which your antivirus should allow to run. The name and description of each scenario will be shown on the user interface.


    RanSim User Interface


    Active RanSim Simulation

 

  1. After the simulations are completed, a results screen will show if your system is vulnerable or not, based on each of the 16 scenarios. You will also see if your antivirus blocked either "false positive" scenario. As well, there will be a count of how many files would have been vulnerable if an actual ransomware attack had occurred.


    Results Screen


If you'd like, you can perform additional checks by clicking the Check Now button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see if they are vulnerable to encryption by a ransomware attack.

Back to top

 

Technical Components

Installation package

Part of the RanSim installation process is the automatic deployment of .NET Framework Client 4.0 (if it is not already present on the machine). If not already present, the .NET Framework component will be downloaded and installed automatically.

Once the installation is complete, the product will be installed under the C:\Users\[[username]]\AppData\Local\RSimulator folder and will start the main interface of the product.

  • User Interface (UI)
    • The UI will start by running Ranstart.exe.
  • Starter
    • Starter.exe prepares the test environment and starts each simulated scenario.
  • Collector
    • Collector.exe collects results from each simulation and prepares the information to be used by the user interface.
  • Tests
    • RanSim currently runs fifteen ransomware simulation scenarios and one cryptomining scenario. Each simulation runs by an independent executable. The names of the executables are different each time they launch. These executables are located under corresponding Local\RSimulator\TestFolder\Tests\<xx-Tests> folders.
  • Directory structure
    • RanSim is installed under the logged-in user's Local folder. Here is the structure of this folder and subfolders:

      Folder

      Description

      RSimulator

      This is the main installation folder and contains the three main executables described earlier in this document

      RSimulator\TestFolder

      Represents the simulated environment that is created automatically by Starter.exe

      RSimulator\TestFolder\TestFiles

      This is the location where the simulation files are located

      RSimulator\TestFolder\Tests

      This is the folder that contains the simulation scenarios

      RSimulator\TestFolder\Tests\xx-Tests

      Each scenario has a folder where its executable is located. This folder is assigned a number (e.g. Local\RSimulator\TestFolder\Tests\<xx-Tests>)

      RSimulator\TestFolder\TestFiles\xx-Tests

      Each scenario contains a copy of the simulation files. These copies are located under the corresponding <xx-Tests> folder

Back to top

 

How it Works

When Ranstart.exe (the UI) executes for the first time, it will call Starter.exe to present the list of scenarios. After the scenario list loads, Ranstart.exe will call the starter again to start the simulations.

When the first simulation launches, Starter.exe will automatically create the test environment (the TestFolder folder and its contents), and for each scenario it will launch the corresponding simulation executable from the Tests folder. The test files and the test executables are embedded in Starter.exe.

A simulation is complete when all of the executables finish their execution (whether successfully or not). The Collector.exe will then collect the results for each executable and will prepare the data to be presented by the UI. Once the results are available, the UI will display the results.

For each subsequent pass, Starter.exe will recreate the simulation environment, except for the Local\RSimulator\TestFolder\TestFiles which will remain the same.

Back to top

 

Test Scenarios

Test Description Example
Collaborator Simulates complex ransomware which encrypts files using multiple processes. In this scenario, the main executable calls on other processes (different cmd.exe processes running different commands) to enumerate the files to encrypt, move, and delete the original files. The main scenario only performs the encryption on temporary files. The rest of the operations are handled by the other processes. Currently, no specific example of this complex scenario exists. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
CritroniVariant Simulates ransomware which encrypts files using an uncommon attack pattern. Critroni or CBT
Injector Encrypts files by injecting the encryption code into a legitimate process using a common approach (DLL injection).  Gandcrab
InsideCryptor Simulates ransomware which encrypts files and writes the encrypted data inside the original file, by replacing most of the original content starting from offset 512, so that the original 512 bytes of the file are preserved. PClock
LockyVariant Simulates a recent Locky variant (just the file actions, not the encryption algorithm). Locky
Mover Simulates ransomware which encrypts files and places them to a subfolder of the original folder. Alpha
Reflective Injector Encrypts files by injecting the encryption code into a legitimate process using an advanced approach (file-less, reflective injection).  Chimera, Rokku
Replacer Simulates an attack performed by a class of ransomware which overwrites the content of files having certain extensions (e.g. docx, xlsx, pptx, pdf, png, jpg) with predefined content in the same format as the original files, and then asks users to pay a ransom to be able to restore the original content of the original files. Users who fall victim to such type of ransomware have no guarantee they will be able to get their files back because the replacement doesn’t imply the original content is also preserved (encrypted or not). DirCrypt
RigSimulator Simulates cryptomining which mines cryptocurrency (Monero) using the CPU of the machine. XMRig
Streamer Simulates ransomware which encrypts multiple files and writes the encrypted data into a single file (the concept is similar to the concept of zipping multiple files into a single archive). Bart
StrongCryptor Simulates an attack performed by most of the ransomware. For each test file, the simulator creates a new file which contains the encrypted content of the original file, then it safe deletes (overwrites the content and the deletes) the original file. Encryption is performed using AES. CryptoLocker variant without net communication.
StrongCryptorFast Simulates an attack performed by many ransomware. For each test file, the simulator creates a new file which contains the encrypted content of the original file. After all test files have been processed, they are all deleted so that only the encrypted versions remain available on the system. Encryption is performed using AES. CryptoLocker, except encryption and removal of the original content are applied separately for multiple files.
StrongCryptorNet Simulates an attack performed by many ransomware variants. For each test file, the simulator generates a new file which contains the encrypted content of the original file, then it deletes the original file. Encryption is performed using AES. In this scenario, the simulator also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key. CryptoLocker variant with command-and-control server communication.
ThorVariant Simulates a Thor variant (just the file actions, not the encryption algorithm). Thor
VirlockVariant Simulates very complex ransomware. Unlike the other scenarios, this one relies on a “watchdog” process which is started by the main scenario. If the main scenario is blocked, the watchdog will recreate it and restart it. Virlock
WeakCryptor Simulates an attack performed using a very weak type of encryption. For each test file, the simulator creates a new file which contains the encrypted content of the original file, then it deletes the original file. Encryption is simulated by compressing the original content using GZip and then replacing the first byte of the result (0x1F) with 0x00. TeleCrypt

Back to top

 

False Positive Scenarios

These scenarios do not emulate ransomware and should not be blocked by your antivirus. If either of these two scenarios is blocked, it will be reported as “incorrectly blocked” in your results. 

  • Archiver
    • Archives the test files using gzip.
  • Remover
    • Deletes the test files.

If a false positive scenario is incorrectly blocked, it will be shown in the INCORRECTLY BLOCKED count rather than the VULNERABLE/NOT VULNERABLE count. For example, if your security software blocks all 16 scenarios, your results should look like this:

  • VULNERABLE 0/16
  • NOT VULNERABLE 16/16
  • INCORRECTLY BLOCKED 2/2

Ideally, your security software should only block the 16 ransomware scenarios and allow the false positives scenarios to execute without issue, your results should look like this:

  • VULNERABLE 0/16
  • NOT VULNERABLE 16/16
  • INCORRECTLY BLOCKED 0/2

If the false positive scenarios are blocked, your overall results will not be a reliable measure of the effectiveness of your security software. There is no fix we can provide to prevent the false positive scenarios from being blocked. 

Back to top

 

Operational Aspects

Each time the simulation environment is recreated, the test executables use antivirus evading techniques, just like real ransomware does.

The tests are launched using a special launching technique to not have a launching chain between the Starter.exe and the test executables. Also, to reduce the dependencies between processes at runtime, there is no direct communication between processes. All result data is saved and read from files.

The simulation files are embedded into Starter.exe and extracted to Local\RSimulator\TestFolder\TestFiles when the simulations are executed for the first time. For each subsequent pass, the files in this folder will be copied to the TestFiles folder corresponding to each scenario.

To prevent any abuse, RanSim simulations can only handle files which are located under the RSimulator installation folder and there is a limit of 100 files that can be processed during a simulation.

Apart from the encryption tests, there is also a check which concerns the number of files that might be exposed on the local drives (network drives are not included in any pass that RanSim does) in case of a real ransomware attack.

The result presents the number of files found in different folders on the local machine, except a few excluded folders like Windows, Program Files, and AppData.

Only files with the following extensions are taken into account, which are common files that are taken hostage by real ransomware:

  • aes, avi, 3fr, accdb, ai, arw, bay, bmp, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mp4, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pdf, pef, pem, png, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

If you elect to copy your own test files to the Local\RSimulator\TestFolder\TestFiles folder after your first RanSim scan, subsequent runs of RanSim will test those files for vulnerability to a ransomware attack.  

Back to top

 

Frequently Asked Questions (FAQs)

Below are questions you may have regarding RanSim. If you don't see your question answered below, contact support.

A. My antivirus flagged Ranstart.exe, Starter.exe, Collector.exe or SimulatorSetup.exe as malicious. 

There is no dangerous code in those files and they should be allowed to run. You can consider them false positives, although they will not be shown in your False Positives count. 

These files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are the framework used to run the Ransomware simulation, so you can (and should!) allow them to run.

It is important to NOT turn off your antivirus at any point during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would. 

If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file.

    • If the starter (Starter.exe) or collector (Collector.exe) files are quarantined before the first scan (after opening the UI), RanSim UI will attempt to recreate them when the scan is started. If quarantined again, you will be informed that at least one of those files are missing and advised to make sure they are allowed to run on the computer.
    • If the starter (Starter.exe) or collector (Collector.exe) files are quarantined during a scan, the scan is canceled. RanSim will try to recreate those files and you will be advised to try a new scan. If the files are blocked again, RanSim will not attempt to recreate the files. Instead, you will be asked to make sure the files are allowed to run and then restart RanSim to perform a new scan.

B. My antivirus did not flag Ranstart.exe, Starter.exe, or SimulatorSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious. 

This is a good thing, and exactly what you want your antivirus to do. While the three aforementioned files (Ranstart.exe, Starter.exe, and SimulatorSetup.exe) should be allowed to run without interference from your antivirus (since they are the framework for the RanSim testing process), if the actual ransomware simulation executables are blocked or quarantined during the RanSim process, this means that if an identical attack were to happen to your users, your antivirus would behave in a similar fashion.

C. What files are placed on disk and where?

All files are placed in the installation folder, C:\Users\[[username]]\AppData\Local\RSimulator, as described in the Operational Aspects paragraph from above. The simulators do not process files outside the TestFolder folder. When RanSim is uninstalled, the installation folder is removed completely from the system.

D. What registry keys are created and where in the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?

Apart from the entries managed by the msinstaller itself, there is a custom key-- HKEY_CURRENT_USER\Software\RanSim--which is removed after RanSim is uninstalled.

E. Is there any collection of system information?

The only thing that is collected is the number of accessible files present on local disks only and having certain extensions that might be attacked by real ransomware, as described in the Operational Aspects paragraph from above. This information is presented in the pie chart after the check process is complete.

F. Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?

Yes, in the Logs directory there are a few .csv files with internal information. RanSim does not log information into the Windows Event Log.

G. During the simulation, are there any network connections created and what for?

There is one scenario that attempts to open an HTTP connection to 127.0.0.1, port 23054 to send a message containing the encryption key. Obviously, in the vast majority of the cases this port is closed as there is no http listener attached to it, but if someone wanted to create such a listener, they could get the encryption key from the simulator. 

H. What happens if antivirus on the workstation scans the installation file? 

Some antivirus products may flag the installation file as malicious. If this happens, you should add the installation file to your antivirus's whitelist and attempt to install RanSim again. Most antivirus engines that we have tested do not report any problem. 

I. My RanSim folder is not located under the Local folder. Will this cause an issue?

Yes. RanSim can ONLY trigger the Ransomware scenarios if the installation folder is [C]:\Users\[Current User]\appdata\Local\RSimulator. The Local folder must be on the machine with which you are running RanSim.

J. Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behaves the same as the scenarios? 

Yes, they do behave the same, with minor differences. For example, the encryption keys and algorithms we use are different in RanSim. Beneath each Test Scenario, we've placed the name of a type of ransomware which behaves in a similar fashion. Click here to jump to the Test Scenarios description.

K. What file extension are the test scenarios?

The test scenario executables have a .axt file extension.

L. Can I add my own test files (for example, documents or photos) to test with RanSim? 

Yes, you can do this after your first RanSim check by clicking Click here to copy your own test files to the test files folder located above the Check Now button.

You will be prompted to select what files you'd like to copy to the Local\RSimulator\TestFolder\TestFiles folder. You can add up to 50 files (each file's size must be 10 MB or less).  After copying the files you'd like to copy, you can run additional RanSim scans on those files.

Make sure you copy these files as instructed rather than move them. If you uninstall RanSim in the future, all files in the TestFiles folder will be deleted. 

M. On the RanSim results screen, what does EXECUTED mean and how does it differ from VULNERABLE or NOT VULNERABLE?

Executed is a result that refers to the two false positive scenarios contained in RanSim. If the false positive scenarios can run without being stopped by your anti-virus, they "executed" successfully and the test passed. If your anti-virus stops the scenarios from running, the test failed. Vulnerable or Not Vulnerable are results that relate to the ransomware and cryptomining scenarios within RanSim.

 Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles