RanSim Product Manual

RanSim is a tool that simulates the behavior of ransomware to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.

Note:

We recommend that you keep your antivirus on during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

To learn about this product, read the below tutorial or watch this brief RanSim video.

Jump to:
System Requirements
How to Install RanSim
How to Enable Controlled Folder Access
Launching RanSim
How it Works
Test Scenarios
False Positive Scenarios
Analyzing Your Results

System Requirements

To install and run RanSim, your workstation must have:

Microsoft Windows 7 OS or newer
At least 2 processors
At least 2 GB RAM
100 MB free HDD space
Internet connection
A .NET Framework 4.0 is a prerequisite for running the tool. However, if you do not have this framework, one will be installed during the installation of RanSim.
Controlled folder access. You can find how to set this up here.

We recommend that you run RanSim on a workstation which is set up the same as your user workstations. This includes the same programs and/or security software that you already have in place.

How to Install RanSim

Ensure the workstation you are running RanSim on meets the system requirements, then download and install RanSim.

After downloading the RanSim zip file, launch the RanSim installer to begin the installation. To do this, see the steps below:

Double-click the ransim.zip file in File Explorer.
Double-click the SimulatorSetup.exe file.
A password prompt will appear. Here, enter knowbe4. This will launch the RanSim installer.

Note:

If your anti-virus product blocks the installation or launch of the product, see our FAQ article for more information.

How to Enable Controlled Folder Access

In order to run the RIPlacer simulation, having Controlled Folder Access enabled is required. The steps below will show you how to enable Controlled Folder Access manually and through Group Policy.

To enable ransomware protection based on Controlled Folder Access manually, follow the steps below:

Click the Windows button and type Ransomware protection to open the feature.
Turn on the Controlled folder access option.
Open the Protected folders link and add the folders corresponding to RIPlacer test folders.
- c:\KB4\Rassim\DataDir\Tests\8-Tests
- c:\KB4\Rassim\DataDir\Tests\12-Tests
- c:\KB4\Rassim\DataDir\Tests\16-Tests
Go back to the Ransomware protection screen and open the Allowed an app through Controlled folder access link.
Add the following applications:
- c:\windows\system32\cmd.exe
- c:\windows\system32\notepad.exe
- c:\KB4\Rassim\MainLauncher.exe

To enable Controlled folder access through GPO, follow these steps:

On your Group Policy management machine, open the Group Policy Management Console.
Right-click on the Group Policy Object you want to configure and click Edit.
In the Group Policy Management Editor, go to Computer configuration.
Click Policies then Administrative templates.
Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.
Double-click the Configure Controlled folder access setting and click Enabled.
Configure the protected folders and allowed applications. You can find this information in steps 3 to 5 in the section above.

Launching RanSim

Click Launch to launch RanSim or double-click the KnowBe4 Ransomware Simulator icon on your desktop.

Click the Check Now button to start RanSim's simulations. After clicking, RanSim will run 21 separate infection scenarios which will simulate different types and methods of ransomware. It will also run two "false positive" scenarios, which your antivirus should allow to run.
After the simulations are completed, a results screen will show if your system is vulnerable or not, based on each of the 21 scenarios and the two false-positive scenarios. There will also be a count of how many files would have been vulnerable if an actual ransomware attack had occurred.

If you'd like, you can perform additional checks by clicking the Check Now button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see if they are vulnerable to encryption by a ransomware attack.

How it Works

When Ranstart.exe (the UI) executes for the first time, it will call MainLauncher.exe to present the list of scenarios. After the scenario list loads, Ranstart.exe will call the starter again to start the simulations.

When the first simulation launches, MainLauncher.exe will automatically create the test environment (the Tests folder and its contents), and it will launch the corresponding simulation executable from the Tests folder for each scenario. For each subsequent pass, MainLauncher.exe will recreate the simulation environment, except the %systemdrive%\KB4\Rassim\DataDir\TestFiles folder and contents, which will remain the same.

A simulation is complete when all of the executables finish their execution (whether successfully or not). The Collector.exe will then collect the results for each executable and will prepare the data to be presented by the UI. Once the results are available, the UI will display the results.

RanSim is installed under the logged-in user's %systemdrive%\KB4 folder. Here is the structure of this folder and subfolders:

Folder	Description
\KB4\Rassim	This is the main installation folder and contains the three main executables described earlier in this document
\Rassim\DataDir	Represents the simulated environment that is created automatically by MainLauncher.exe
\Rassim\DataDir\TestFiles	This is the location where the simulation files are located
\Rassim\DataDir\Tests	This is the folder that contains the simulation scenarios
\Rassim\DataDir\Tests\xx	Each scenario has a folder where its executable is located. This folder is assigned a number (e.g. %systemdrive%\KB4\Rassim\DataDir\Tests\xx)
\Rassim\DataDir\Tests\xx-Tests	Each scenario contains a copy of the simulation files. These copies are located under the corresponding <##-Tests> folder

The names of the executables are different each time they launch. These executables are located under corresponding %systemdrive%\KB4\Rassim\DataDir\Tests\## folders.

Collaborator

Simulates complex ransomware that encrypts files using multiple processes. In this scenario, the main executable calls on other processes (different cmd.exe processes running different commands) to enumerate the files to encrypt, move, and delete the original files. The main scenario only performs the encryption on temporary files.

Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
CritroniVariant

Simulates ransomware which encrypts files using an uncommon attack pattern.

Example: Critoni or CBT
Injector

Encrypts files by injecting the encryption code into a legitimate process using a common approach (DLL injection).

Example: Gandcrab
InsideCryptor

Simulates ransomware which encrypts files and writes the encrypted data inside the original file, by replacing most of the original content starting from offset 512, so that the original 512 bytes of the file are preserved.

Example: PClock
Hollow Injector

Simulates ransomware that uses process hollowing to inject ransomware code into a legit process.

Example: Jaff or GrandCrab
LockyVariant

Simulates a recent Locky variant (just the file actions, not the encryption algorithm).

Example: Locky
MazeVariant

Simulates file related operations performed by Maze ransomware.

Example: Maze
Mover

Simulates ransomware which encrypts files and places them to a subfolder of the original folder.

Example: Alpha

PaymerVariant

Simulates file related operations performed by DoppelPaymer-like ransomware.

Example: DoppelPaymer
Reflective Injector

Encrypts files by injecting the encryption code into a legitimate process using an advanced approach (file-less, reflective injection).

Example: Chimera or Rokku
Replacer

Simulates an attack performed by a class of ransomware which overwrites the content of files having certain extensions (e.g. docx, xlsx, pptx, pdf, png, jpg) with predefined content in the same format as the original files, and then asks users to pay a ransom to be able to restore the original content of the original files. Users who fall victim to such type of ransomware have no guarantee they will be able to get their files back because the replacement doesn’t imply the original content is also preserved (encrypted or not).

Example: DirCrypt
RigSimulator

Simulates cryptomining which mines cryptocurrency (Monero) using the CPU of the machine.

Example: XMRig
RIPlacer

Simulates ransomware which tests if machines that are protected by Microsoft Controlled Folder Access anti-ransomware technology are vulnerable to this attack.

Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
SlowCryptor

Simulates ransomware which encrypts files slowly to avoid detection. For example, files can be infected around one file every 2 seconds.
Example: FCrypt variant
Streamer

Simulates ransomware which encrypts multiple files and writes the encrypted data into a single file (the concept is similar to the concept of zipping multiple files into a single archive).

Example: Bart
StrongCryptor

Simulates an attack performed by most of the ransomware. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then it safe deletes (overwrites the content and the deletes) the original file. Encryption is performed using AES.

Example: CryptoLocker variant without net communication.
StrongCryptorFast

Simulates an attack performed by many ransomware. For each test file, the simulator creates a new file that contains the encrypted content of the original file. After all test files have been processed, they are all deleted so that only the encrypted versions remain available on the system. Encryption is performed using AES.

Example: CryptoLocker, except encryption and removal of the original content, is applied separately for multiple files.
StrongCryptorNet

Simulates an attack performed by many ransomware variants. For each test file, the simulator generates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is performed using AES. In this scenario, the simulator also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.

Example: CryptoLocker variant with command-and-control server communication.

ThorVariant

Simulates a Thor variant (just the file actions, not the encryption algorithm).

Example: Thor
VirlockVariant

Simulates very complex ransomware. Unlike the other scenarios, this one relies on a “watchdog” process which is started by the main scenario. If the main scenario is blocked, the watchdog will recreate it and restart it.

Example: Virlock
WeakCryptor

Simulates an attack performed using a very weak type of encryption. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is simulated by compressing the original content using GZip and then replacing the first byte of the result (0x1F) with 0x00.

Example: TeleCrypt

False Positive Scenarios

The Archiver and Remover scenarios do not simulate ransomware and should not be blocked by your antivirus. If either of these two scenarios is blocked, it will be reported as “incorrectly blocked” in your results.

If a false positive scenario is incorrectly blocked, it will be shown in the INCORRECTLY BLOCKED count. For example, if your security software blocks all 21 scenarios, your results should look like this:

VULNERABLE 0/21
NOT VULNERABLE 21/21
INCORRECTLY BLOCKED 2/2

Ideally, your results should look like this if your security software only blocks the 21 ransomware scenarios and allow the false positives scenarios to execute without issue:

VULNERABLE 0/21
NOT VULNERABLE 21/21
INCORRECTLY BLOCKED 0/2

If the false positive scenarios are blocked, your results will not be a reliable measure of the effectiveness of your security software. Unfortunately, we can not provide any fix to prevent false positive scenarios from being blocked.

Analyzing Your Results

Once RanSim has finished running all of the test scenarios, you can download a CSV file of the information you found in step 3 of the Launching RanSim section of this article. This CSV can be used to compare how your files hold up against the various ransomware attacks. You can find the download link in the top right corner of the Results page.
These results can be used to secure any documents and files that failed any of these simulated tests. Implementing security awareness training to prepare your users on what they can do to identify a phishing attack will reduce the risk of your organization falling victim to a ransomware attack.

RanSim Product Manual

Note:

System Requirements

How to Install RanSim

Note:

How to Enable Controlled Folder Access

Launching RanSim

How it Works

Test Scenarios

False Positive Scenarios

Analyzing Your Results

Related articles