RanSim product manual

RanSim is a tool that simulates the behavior of ransomware. The purpose of RanSim is to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.

It is important to NOT turn off your antivirus at any point during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

To learn about this product, read the below tutorial or watch this brief RanSim video.

JUMP TO:

GETTING STARTED
SYSTEM REQUIREMENTS
TECHNICAL COMPONENTS
HOW IT WORKS
THE TEST SCENARIOS
FALSE POSITIVE SCENARIOS
OPERATIONAL ASPECTS
FREQUENTLY ASKED QUESTIONS (FAQs)

Three Steps to Getting Started

Ensure the workstation you are running RanSim on meets the system requirements, then download and install RanSim. (Note: if your anti-virus product blocks the installation or launch of the product, see here (a) and (b) for more info.) Once installed, click "Launch" to launch RanSim.

RanSim Download Screen

RanSim Installation/Launch Screen
Click "Check Now" button. After clicking, RanSim will run thirteen separate scenarios which will simulate different types and methods of ransomware. It will also run two "false positive" scenarios, both of which your antivirus should allow to run. The name and description of each scenario will be shown on the user interface.

RanSim User Interface

Active RanSim Simulation
After the simulations are completed, you'll see results showing if your system is vulnerable or not, based on each of the thirteen scenarios. You will also see if your antivirus blocked either "false positive" scenario. You'll also see a count of how many files would have been vulnerable if an actual ransomware attack had occurred.

Results Screen

If you'd like, you can perform additional checks by simply clicking the "Check Now" button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see if they are vulnerable to encryption by a ransomware attack.

System Requirements

RanSim is an application meant to run on workstations running Microsoft Windows 7 OS or newer. It requires the machines to have at least two processors, at least 2 GB RAM, and 100 MB free HDD space as well as an Internet connection.

RanSim is developed on top of .NET Framework 4.0 which is a prerequisite for running the tool.

It is recommended you run RanSim on a workstation which is set up the same as your users (including the same programs and/or security software that you already have in place).

Technical Components

The Installation Package

RanSim is downloadable as an executable which triggers the install process. Part of the installation process is the automatic deployment of .NET Framework Client 4.0 (if it is not already present on the machine). If not already present, the .NET Framework component will be downloaded and installed automatically.

Once the installation is complete, the product will be installed under My Documents\RanSim folder and will start the main interface of the product.

The UI

The user interface will start by running RanSim.exe.

The Launcher

Launcher.exe prepares the test environment and launches each simulated scenario.

The Data Collector

DataCollector.exe collects results from each simulation and prepares the information to be used by the user interface.

The Tests

RanSim currently runs thirteen ransomware simulation scenarios. Each such simulation runs by an independent executable. The names of the executables are different each time they launch. These executables are located under corresponding My Documents\RanSim\TestDirectories\Scenarios\<Scenario Name> folders.

The Directory Structure

RanSim is installed under the logged-in user's My Documents folder. NOTE: "My Documents" MUST be a local folder on the machine, not a mapped network drive.

Here is the structure of this folder and subfolders:

Folder	Description
RanSim	This is the main installation folder and contains the three main executables described earlier in this document
RanSim\TestDirectory	Represents the simulated environment that is created automatically by launcher.exe
RanSim\TestDirectory\TestFiles	This is the location where the simulation files are located
RanSim\TestDirectory\Scenarios	This is the folder that contains the simulation scenarios
RanSim\TestDirectory\Scenarios\<ScenarioName>	Each scenario has a folder where its executable is located. This folder is named after the name of the scenario (e.g. My Documents\RanSim\TestDirectory\Scenarios\Replacer)
Ransim\TestDirectory\Scenarios\<ScenarioName>-TestFiles	Each scenario contains a copy of the simulation files. These copies are located under the corresponding <ScenarioName>-TestFiles folder

How it Works

When RanSim.exe (the UI) executes for the first time, it will call Launcher.exe to present the list of scenarios. After the scenario list loads, RanSim.exe will call the launcher again to start the simulations.

When the first simulation launches, Launcher.exe will automatically create the test environment (the TestDirectory folder and its contents), and for each scenario it will launch the corresponding simulation executable from the Scenarios folder. The test files and the test executables are embedded in launcher.exe.

A simulation is complete when all of the executables finish their execution (whether successfully or not). The DataCollector.exe will then collect the results for each executable and will prepare the data to be presented by the UI. Once the results are available, the UI will display the results.

For each subsequent pass, Launcher.exe will recreate the simulation environment, except for the My Documents\RanSim\TestDirectory\TestFiles which will remain the same.

Test scenarios

Replacer

This scenario simulates an attack performed by a class of ransomware which overwrites the content of files having certain extensions (e.g. docx, xlsx, pptx, pdf, png, jpg) with predefined content in the same format as the original files, and then asks users to pay a ransom to be able to restore the original content of the original files. Users who fall victim to such type of ransomware have no guarantee they will be able to get their files back because the replacement doesn’t imply the original content is also preserved (encrypted or not).

Example of this type of Ransomware behavior: DirCrypt

StrongCryptor

This scenario simulates an attack performed by most of the ransomware. For each test file, the simulator creates a new file which contains the encrypted content of the original file, then it safe deletes (overwrites the content and the deletes) the original file. Encryption is performed using AES.

Example of this type of Ransomware behavior: CryptoLocker variant without net communication.

StrongCryptorFast

This scenario simulates an attack performed by many ransomware. For each test file, the simulator creates a new file which contains the encrypted content of the original file. After all test files have been processed, they are all deleted so that only the encrypted versions remain available on the system. Encryption is performed using AES.

Example of this type of Ransomware behavior: CryptoLocker, except encryption and removal of the original content are applied separately for multiples files.

StrongCryptorNet

This scenario simulates an attack performed by many ransomware variants. For each test file, the simulator generates a new file which contains the encrypted content of the original file, then it simply deletes the original file. Encryption is performed using AES. In this scenario, the simulator also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.

Example of this type of Ransomware behavior: CryptoLocker variant with command-and-control server communication.

WeakCryptor

This scenario simulates an attack performed using a very weak type of encryption. For each test file, the simulator creates a new file which contains the encrypted content of the original file, then it deletes the original file. Encryption is simulated by compressing the original content using GZip and then replacing the first byte of the result (0x1F) with 0x00.

Example of this type of Ransomware behavior: TeleCrypt

LockyVariant

A simulator of a recent Locky variant (just the file actions, not the encryption algorithm).

Example of this type of Ransomware behavior: Locky

ThorVariant

A simulator of a recent Thor variant (just the file actions, not the encryption algorithm).

Example of this type of Ransomware behavior: Thor

Mover

A simulator of a ransomware which encrypts files and places them to a subfolder of the original folder.

Example of this type of Ransomware behavior: Alpha

InsideCryptor

A simulator of a ransomware which encrypts files and writes the encrypted data inside the original file, by replacing most of the original content starting from offset 512, so that the original 512 bytes of the file are preserved.

Example of this type of Ransomware behavior: PClock

Streamer

A simulator of a ransomware which encrypts multiple files and writes the encrypted data into a single file (the concept is similar to the concept of zipping multiple files into a single archive).

Example of this type of Ransomware behavior: Bart

CritroniVariant

A simulator of a ransomware with which encrypts files using an uncommon attack pattern.

Example of this type of Ransomware behavior: Critroni or CBT

Collaborator

A simulator of a complex ransomware which encrypts files using multiple processes. In this scenario, the main executable calls on other processes (different cmd.exe processes running different commands) to enumerate the files to encrypt, move, and delete the original files. The main scenario only performs the encryption on temporary files. The rest of the operations are handled by the other processes.

Currently, no specific example of this complex scenario exists. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.

VirlockVariant

A simulator of a very complex ransomware. Unlike the other scenarios, this one relies on a “watchdog” process which is started by the main scenario. If the main scenario is blocked, the watchdog will recreate it and restart it.

Example of this type of Ransomware behavior: Virlock

False positive scenarios

These scenarios do not emulate ransomware and should not be blocked by your antivirus. If either of these two scenarios is blocked, it will be reported as “incorrectly blocked” in your results.

Archiver

Archives the test files using gzip.

Remover

Deletes the test files.

If a false positive scenario is incorrectly blocked, it will be shown in the INCORRECTLY BLOCKED count rather than the VULNERABLE/NOT VULNERABLE count. For example, if your security software blocks all 15 scenarios, your results should look like this:

VULNERABLE 0/13
NOT VULNERABLE 13/13
INCORRECTLY BLOCKED 2/2

Ideally, your security software should only block the 13 ransomware scenarios and allow the false positives scenarios to execute without issue, your results should look like this:

VULNERABLE 0/13
NOT VULNERABLE 13/13
INCORRECTLY BLOCKED 0/2

If the false positive scenarios are blocked, your overall results will not be a reliable measure of the effectiveness of your security software. There is no fix we can provide to prevent the false positive scenarios from being blocked.

Operational Aspects

An important aspect is the fact that each time the simulation environment is recreated, the test executables use antivirus evading techniques, just like real ransomware does.

The tests are launched using a special launching technique to not have a launching chain between the Launcher.exe and the test executables. Also, to reduce the dependencies between processes at runtime, there is no direct communication between processes. All result data is saved and read from files.

The simulation files are embedded into launcher.exe and extracted to My Documents\RanSim\TestDirectory\TestFiles when the simulations are executed for the first time. For each subsequent pass, the files in this folder will be copied to the TestFiles folder corresponding to each scenario.

To prevent any abuse, RanSim simulations can only handle files which are located under the RanSim installation folder and there is a limit of 100 files that can be processed during a simulation.

Apart from the encryption tests, there is also a check which concerns the number of files that might be exposed on the local drives (network drives are not included in any pass that RanSim does) in case of a real ransomware attack.

The result presents the number of files found in different folders on the local machine, except a few excluded folders like Windows, Program Files, and AppData.

Only files with the following extensions are taken into account, which are common files that are taken hostage by real ransomware: aes, avi, 3fr, accdb, ai, arw, bay, bmp, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mp4, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pdf, pef, pem, png, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.

If you elect to copy your own test files to the My Documents\RanSim\TestDirectory\TestFiles folder after your first RanSim scan, subsequent runs of RanSim will test those files for vulnerability to a ransomware attack.

Frequently Asked Questions (FAQ)

a. My antivirus flagged RanSim.exe, Launcher.exe, DataCollector.exe or RanSimSetup.exe as malicious.

There is no dangerous code in those files and they should be allowed to run. You can consider them false positives, although they will not be shown in your False Positives count.

These files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are simply the framework used to run the Ransomware simulation, so you can (and should!) allow them to run.

If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file. If that happens, you will need to un-quarantine the file and start over.

b. My antivirus did not flag RanSim.exe, Launcher.exe, or RanSimSetup.exe. However, while RanSim was running, it DID flag one or more of the test executables as dangerous/malicious.

This is a good thing, and exactly what you want your antivirus to do. While the three aforementioned files (RanSim.exe, Launcher.exe, and RanSimSetup.exe) should be allowed to run without interference from your antivirus (since they are simply the framework for the RanSim testing process), if the actual ransomware simulation executables are blocked or quarantined during the RanSim process, this means that if an identical attack were to happen to your users, your antivirus would behave in a similar fashion.

c. What files are placed on disk and where?

All files are placed in the installation folder, My Documents\RanSim, as described in the Operational Aspects paragraph from above. The simulators do not process files outside the TestDirectories folder. When RanSim is uninstalled, the installation folder is removed completely from the system.

d. What registry keys are created and where in the Registry? Does the uninstaller fully remove them or leave a trace behind for future installs?

Apart from the entries managed by the msinstaller itself, there is a custom key-- HKEY_CURRENT_USER\Software\RanSim--which is removed after RanSim is uninstalled.

e. Is there any collection of system information?

The only thing that is collected is the number of accessible files present on local disks only and having certain extensions that might be attacked by real ransomware, as described in the Operational Aspects paragraph from above. This information is presented in the pie chart after the check process is complete.

f. Are there any Log files generated? Does this cause Windows Event Log entries? If so, what do those look like?

Yes, in the Logs directory there are a few .csv files with internal information. RanSim does not log information into the Windows Event Log.

g. During the simulation, are there any network connections created and what for?

There is one scenario that attempts to open an HTTP connection to 127.0.0.1, port 23054 to send a message containing the encryption key. Obviously, in the vast majority of the cases this port is closed as there is no http listener attached to it, but if someone wanted to create such a listener, they could get the encryption key from the simulator.

h. What happens if antivirus on the workstation scans the file?

Most antivirus engines that we have tested do not report any problem. However, at the moment we did find that Symantec flags the installer as unknown/not recommended software.

i. My RanSim folder is not located under the local My Documents folder. Will this cause an issue?

Yes. RanSim can ONLY trigger the Ransomware scenarios if the installation folder is [C]:\Users\[Current User]\Documents\RanSim. The My Documents folder must be on the machine with which you are running RanSim.

j. Do these scenarios actually have the same behavior as real ransomware? What are some examples of ransomware which behaves the same as the scenarios?

Yes, they do behave the same, with minor differences. For example, the encryption keys and algorithms we use are different in RanSim. Beneath each Test Scenario, we've placed the name of a type of ransomware which behaves in a similar fashion. Click here to jump to the Test Scenarios description.

k. Can I add my own test files (for example, documents or photos) to test with RanSim?

Yes, you can do this after your first RanSim check by clicking "Click here to copy your own test files to the test files folder" located above the Check Now button.

You will be prompted to select what files you'd like to copy to the My Documents\RanSim\TestDirectory\TestFiles folder. You can add up to 50 files (each file's size must be 10 MB or less). After copying the files you'd like to copy, you can run additional RanSim scans on those files.

Make sure you copy these files as instructed rather than move them. If you uninstall RanSim in the future, all files in the TestFiles folder will be deleted.