Menu

RanSim

Avatar
Orlandria Heggs
Updated
Follow

RanSim Product Manual

RanSim is a tool that simulates the behavior of ransomware to check if a workstation is well-protected with endpoint security software which would be able to detect and prevent real ransomware attacks. It also allows you to see if this software is incorrectly blocking files by running "false positive" scenarios. You can optionally select specific files you'd like to test to see how they would be affected by the ransomware simulations.

Note:

We recommend that you keep your antivirus on during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

To learn about this product, read the below tutorial or watch this brief RanSim video.

Jump to:
System Requirements
 How to Install RanSim
 How to Enable Controlled Folder Access
 Launching RanSim
 How it Works
 Test Scenarios
 False Positive Scenarios
 Analyzing Your Results

 

System Requirements

To install and run RanSim, your workstation must have:

  • Microsoft Windows 7 OS or newer
  • At least 2 processors
  • At least 2 GB RAM
  • 100 MB free HDD space
  • Internet connection
  • A .NET Framework 4.0 is a prerequisite for running the tool. However, if you do not have this framework, one will be installed during the installation of RanSim.
  • Controlled folder access. You can find how to set this up here.

We recommend that you run RanSim on a workstation which is set up the same as your user workstations (including the same programs and/or security software that you already have in place).

Back to top

 

How to Install RanSim

  1. Ensure the workstation you are running RanSim on meets the system requirements, then download and install RanSim.

After downloading the RanSim zip file, launch the RanSim installer to begin the installation. To do this, see the steps below:

  1. Double-click the ransim.zip file in File Explorer.
  2. Double-click the SimulatorSetup.exe file.
  3. A password prompt will appear. Here, enter knowbe4. This will launch the RanSim installer.

Note:

If your anti-virus product blocks the installation or launch of the product, see our FAQ article for more information.

Back to top

 

How to Enable Controlled Folder Access

In order to run the RIPlacer simulation, having Controlled Folder Access enabled is required. The steps below will show you how to enable Controlled Folder Access manually and through Group Policy. 

To enable ransomware protection based on Controlled Folder Access manually, follow the steps below:

  1. Click the Windows button and type Ransomware protection to open the feature.
  2. Turn on the Controlled folder access option.
  3. Open the Protected folders link and add the folders corresponding to RIPlacer test folders.
    • c:\KB4\Rassim\DataDir\tests\8-Tests
    • c:\KB4\Rassim\DataDir\Tests\12-Tests
    • c:\KB4\Rassim\DataDir\Tests\16-Tests
  4. Go back to the Ransomware protection screen and open the Allowed an app through Controlled folder access link.
  5. Add the following applications:
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\notepad.exe
    • c:\KB4\Rassim\start.exe

To enable Controlled folder access through GPO, follow these steps:

  1. On your Group Policy management machine, open the Group Policy Management Console.
  2. Right-click on the Group Policy Object you want to configure and click Edit.
  3. In the Group Policy Management Editor, go to Computer configuration.
  4. Click Policies then Administrative templates.
  5. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Conder folder access.
  6. Double-click the Configure Controlled folder access setting and click Enabled.
  7. Configure the protected folders and allowed applications. You can find this information in steps 3 to 5 in the section above.

Back to top

 

Launching RanSim

  1. Click Launch to launch RanSim or double-click the KnowBe4 Ransomware Simulator icon on your desktop.

     

  1. Click the Check Now button to start RanSim's simulations. After clicking, RanSim will run 21 separate infection scenarios which will simulate different types and methods of ransomware. It will also run two "false positive" scenarios, which your antivirus should allow to run.

  2. After the simulations are completed, a results screen will show if your system is vulnerable or not, based on each of the 21 scenarios and the two false-positive scenarios. There will also be a count of how many files would have been vulnerable if an actual ransomware attack had occurred.


If you'd like, you can perform additional checks by clicking the Check Now button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see if they are vulnerable to encryption by a ransomware attack.

Back to top

 

How it Works

When MainLauncher.exe (the UI) executes for the first time, it will call Starter.exe to present the list of scenarios. After the scenario list loads, Ranstart.exe will call the starter again to start the simulations.

When the first simulation launches, Starter.exe will automatically create the test environment (the TestFolder folder and its contents), and it will launch the corresponding simulation executable from the Tests folder for each scenario. For each subsequent pass, Starter.exe will recreate the simulation environment, except the Local\Rassim\TestFolder\TestFiles which will remain the same.

A simulation is complete when all of the executables finish their execution (whether successfully or not). The Collector.exe will then collect the results for each executable and will prepare the data to be presented by the UI. Once the results are available, the UI will display the results.

RanSim is installed under the logged-in user's Local folder. Here is the structure of this folder and subfolders:

Folder

Description

Rassim

This is the main installation folder and contains the three main executables described earlier in this document

Rassim\TestFolder

Represents the simulated environment that is created automatically by Starter.exe

Rassim\TestFolder\TestFiles

This is the location where the simulation files are located

Rassim\TestFolder\Tests

This is the folder that contains the simulation scenarios

Rassim\TestFolder\Tests\xx-Tests

Each scenario has a folder where its executable is located. This folder is assigned a number (e.g. Local\Rassim\TestFolder\Tests\<xx-Tests>)

Rassim\TestFolder\TestFiles\xx-Tests

Each scenario contains a copy of the simulation files. These copies are located under the corresponding <xx-Tests> folder

The names of the executables are different each time they launch. These executables are located under corresponding Local\Rassim\TestFolder\Tests\<xx-Tests> folders.

Back to top

 

Test Scenarios


  • Collaborator

    Simulates complex ransomware that encrypts files using multiple processes. In this scenario, the main executable calls on other processes (different cmd.exe processes running different commands) to enumerate the files to encrypt, move, and delete the original files. The main scenario only performs the encryption on temporary files.

    Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
    CritroniVariant

    Simulates ransomware which encrypts files using an uncommon attack pattern.

    Example: Critoni or CBT
    Injector

    Encrypts files by injecting the encryption code into a legitimate process using a common approach (DLL injection).

    Example: Gandcrab
    InsideCryptor

    Simulates ransomware which encrypts files and writes the encrypted data inside the original file, by replacing most of the original content starting from offset 512, so that the original 512 bytes of the file are preserved.

    Example: PClock
    Hollow Injector

    Simulates ransomware that uses process hollowing to inject ransomware code into a legit process.

    Example: Jaff or GrandCrab
    LockyVariant

    Simulates a recent Locky variant (just the file actions, not the encryption algorithm).

    Example: Locky
    MazeVariant

    Simulates the file related activity performed by Maze ransomware.

    Example: Maze
    Mover

    Simulates ransomware which encrypts files and places them to a subfolder of the original folder.

    Example: Alpha

  • PaymerVariant

    Simulates the file related activity performed by DoppelPaymer ransomware.

    Example: DoppelPaymer
    Reflective Injector

    Encrypts files by injecting the encryption code into a legitimate process using an advanced approach (file-less, reflective injection).

    Example: Chimera or Rokku
    Replacer

    Simulates an attack performed by a class of ransomware which overwrites the content of files having certain extensions (e.g. docx, xlsx, pptx, pdf, png, jpg) with predefined content in the same format as the original files, and then asks users to pay a ransom to be able to restore the original content of the original files. Users who fall victim to such type of ransomware have no guarantee they will be able to get their files back because the replacement doesn’t imply the original content is also preserved (encrypted or not).

    Example: DirCrypt
    RigSimulator

    Simulates cryptomining which mines cryptocurrency (Monero) using the CPU of the machine.

    Example: XMRig
    RIPlacer

    Simulates ransomware which tests if machines that are protected by Microsoft Controlled Folder Access anti-ransomware technology are vulnerable to this attack.

    Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
    SlowCryptor

    Simulates ransomware which encrypts files slowly to avoid detection. For example, files can be infected around one file every 2 seconds.

  • Example: FCrypt variant
    Streamer

    Simulates ransomware which encrypts multiple files and writes the encrypted data into a single file (the concept is similar to the concept of zipping multiple files into a single archive).

    Example: Bart
    StrongCryptor

    Simulates an attack performed by most of the ransomware. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then it safe deletes (overwrites the content and the deletes) the original file. Encryption is performed using AES.

    Example: CryptoLocker variant without net communication.
    StrongCryptorFast

    Simulates an attack performed by many ransomware. For each test file, the simulator creates a new file that contains the encrypted content of the original file. After all test files have been processed, they are all deleted so that only the encrypted versions remain available on the system. Encryption is performed using AES.

    Example: CryptoLocker, except encryption and removal of the original content, is applied separately for multiple files.
    StrongCryptorNet

    Simulates an attack performed by many ransomware variants. For each test file, the simulator generates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is performed using AES. In this scenario, the simulator also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.

    Example: CryptoLocker variant with command-and-control server communication.

  • ThorVariant

    Simulates a Thor variant (just the file actions, not the encryption algorithm).

    Example: Thor
    VirlockVariant

    Simulates very complex ransomware. Unlike the other scenarios, this one relies on a “watchdog” process which is started by the main scenario. If the main scenario is blocked, the watchdog will recreate it and restart it.

    Example: Virlock
    WeakCryptor

    Simulates an attack performed using a very weak type of encryption. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is simulated by compressing the original content using GZip and then replacing the first byte of the result (0x1F) with 0x00.

    Example: TeleCrypt

 

Back to top

 

False Positive Scenarios

The Archiver and Remover scenarios do not simulate ransomware and should not be blocked by your antivirus. If either of these two scenarios is blocked, it will be reported as “incorrectly blocked” in your results.

If a false positive scenario is incorrectly blocked, it will be shown in the INCORRECTLY BLOCKED count. For example, if your security software blocks all 18 scenarios, your results should look like this:

    • VULNERABLE 0/18
    • NOT VULNERABLE 18/18
    • INCORRECTLY BLOCKED 2/2

Ideally, your results should look like this if your security software only blocks the 16 ransomware scenarios and allow the false positives scenarios to execute without issue:

    • VULNERABLE 0/18
    • NOT VULNERABLE 18/18
    • INCORRECTLY BLOCKED 0/2

If the false positive scenarios are blocked, your results will not be a reliable measure of the effectiveness of your security software. Unfortunately, we can not provide any fix to prevent false positive scenarios from being blocked.

Back to top

 

Analyzing Your Results

Once RanSim has finished running all of the test scenarios, you can download a CSV file of the information you can found in step 3 of the Launching RanSim section of this article. This CSV can be used to compare how your files hold up against the various ransomware attacks. You can find the download link in the top right corner of the Results page.

These results can be used to secure any documents and files that failed any of these simulated tests. Implementing security awareness training to prepare your users on what they can do to identify a phishing attack will reduce the risk of your organization falling victim to a ransomware attack.

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles