RanSim Product Manual
RanSim is a tool that simulates ransomware attacks to see how your endpoint protection software might respond in the event of a real ransomware attack. You can use RanSim to see if your endpoint protection software would block ransomware or if it would create false positives. You can also use RanSim to see how specific files would be impacted by ransomware.
Click the links below to learn how to install RanSim, launch RanSim, and view your results. If you prefer video tutorials, you can also watch our RanSim video.
Jump to:
Enabling Controlled Folder Access
Prerequisites
To install and launch RanSim, you will need to meet the requirements listed below:
- Your computer must use Microsoft Windows 7 or newer.
- Your computer must have at least 2 processor cores, 2 GB of RAM, and 100 MB free HDD space.
- Your computer must be able to connect to the internet.
- Your computer must use a .NET Framework 4.5.2 to launch the tool.
Note: However, if your computer does not use this framework, the framework will be installed automatically when you install RanSim.
- To run our RIPlacer ransomware scenario, you must enable controlled folder access. For more information, see the Enabling Controlled Folder Access section of this article.
Installing RanSim
Once you’ve verified that your computer meets the prerequisites in the Prerequisites section above, you are ready to install RanSim.
To install RanSim, follow the steps below:
- Navigate to knowbe4.com/ransomware-simulator in your browser.
- Fill out the fields in the I want my RanSim download form.
- Click Get RanSim!.
- Click the Click Here To Download RanSim link. When you click this link, the ransim.zip file will download to your computer.
- Double-click the ransim.zip file in your file manager.
- Then, double-click the SimulatorSetup.exe file. When you double-click this file, you will be prompted to enter a password.
- Enter "knowbe4" in the field to begin installing RanSim on your computer.
Once RanSim has finished installing, an “Installation Successfully Completed” message will display in the KnowBe4 RanSim Setup window. To learn how to launch RanSim, see the Launching RanSim section below.
Enabling Controlled Folder Access
To run the RIPlacer ransomware scenario, Microsoft controlled folder access must be enabled on your computer.
To learn how to enable controlled folder access manually or through Group Policy, click the links below:
Enable Controlled Folder Access Manually
To enable controlled folder access manually, follow the steps below:
- Click the Windows button and enter "Ransomware protection" into the search bar.
- Turn on the Controlled folder access option.
- Add the following folder paths to the Protected Folders section:
- c:\KB4\Varsim\DataDir\MainTests\8-Files
- c:\KB4\Varsim\DataDir\MainTests\12-Files
- c:\KB4\Varsim\DataDir\MainTests\16-Files
- Navigate back to the Ransomware protection screen and click the Allow an app through Controlled folder access link.
- Add the following applications to the allow list:
- c:\windows\system32\cmd.exe
- c:\windows\system32\notepad.exe
- c:\KB4\Varsim\MainRunner.exe
Enable Controlled Folder Access Through Group Policy
To enable controlled folder access through Group Policy, follow the steps below:
- Open your Group Policy Management Console.
- Right-click on the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration.
- Click Policies, then click Administrative templates.
- Expand the directory tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.
- Double-click the Configure Controlled folder access setting, then click Enabled.
- Set the Guard My Folders Feature setting to Monitor.
- Configure the protected folders and allowed applications. You can find this information in steps 3, 4, and 5 in the Enable Controlled Folder Access Manually subsection above.
Launching RanSim
To launch RanSim, follow the steps below:
- In the KnowBe4 RanSim Setup window, click Launch. Or, double-click the KnowBe4 Ran Simulator icon on your computer.
- In the Welcome to KnowBe4 Ransim window, click the Check now button. When you click this button, RanSim will start running the ransomware simulations on your computer, including 23 ransomware scenarios and two false positive scenarios. To learn more about these ransomware scenarios and false positive scenarios, see the Ransomware Scenarios and False Positive Scenarios sections below.
You can view the scenarios’ progress in the KnowBe4 Ransim window.
Once RanSim has run all the scenarios, your results will display. You can view the results for each scenario, including Vulnerable scenarios, Not Vulnerable scenarios, and Incorrectly Blocked scenarios. For more information about viewing and analyzing your results, see the Analyzing Your RanSim Results section below.
Ransomware Scenarios
When launched, RanSim will run 23 ransomware scenarios on your computer. To learn more about each scenario, see the table below:
BlackKingdomVariant
This scenario simulates ransomware that appears to be written in Python. This type of ransomware uses code elements that are identical to code shared on development forums. This type of ransomware also uses unused or defunct code.
Example: Black Kingdom or GAmmAWare
Collaborator
This scenario simulates ransomware that uses multiple processes to encrypt files. In this scenario, executable code calls on other processes to enumerate the test files. Then, the original files are encrypted, moved, and deleted.
Example: Currently, there aren’t any examples of this scenario. However, your endpoint protection software should be prepared to detect and stop this type of attack.
CritroniVariant
This scenario simulates ransomware that encrypts files using an uncommon attack pattern.
Example: Critroni or CBT
DearCryVariant
This scenario simulates ransomware that encrypts files by copying the files then deleting the original files. The encryption method used in this scenario does not need to contact the attacker's command-and-control server to encrypt files.
Example: DearCry
HollowInjector
This scenario simulates ransomware that uses process hollowing to inject malicious code into a legitimate process.
Example: Jaff or GandCrab
Injector
This scenario simulates ransomware that encrypts files by injecting malicious code into a legitimate process. This type of ransomware injects code by using a common method, such as dynamic link library (DLL) injection.
Example: GandCrab
InsideCryptor
This scenario simulates ransomware that encrypts files and adds the encrypted data to the original file.
Example: PClock
LockyVariant
This scenario simulates a variant of Locky ransomware. This scenario only simulates the method Locky uses to infect files, not its encryption algorithm.
Example: Locky
MazeVariant
This scenario simulates methods used by Maze ransomware.
Example: Maze
Mover
This scenario simulates ransomware that encrypts files and moves the files to a subfolder of the original folder.
Example: Alpha
PaymerVariant
This scenario simulates methods used by ransomware such as DoppelPaymer.
Example: DoppelPaymer
ReflectiveInjector
This scenario simulates ransomware that uses an advanced method to inject encryption code into a legitimate process.
Example: Chimera or Rokku
Replacer
This scenario simulates an attack performed by ransomware that overwrites the content of files that have specific extensions, such as .docx or .pdf. The content is overwritten with content in the same format as the original file. Once the content is overwritten, users are asked to pay a ransom to restore the content in the original files.
Example: DirCrypt
RigSimulator
This scenario simulates cryptomining, which mines cryptocurrency by using a computer's CPU.
Example: XMRig
RIPlacer
This scenario tests if machines that are protected by Microsoft controlled folder access are vulnerable to attacks.
Example: Currently, there aren’t any examples of this scenario. However, your endpoint protection software should be prepared to detect and stop this type of attack.
SlowCryptor
This scenario simulates ransomware that encrypts files slowly to avoid detection.
Example: FCrypt variant
Streamer
This scenario simulates ransomware that encrypts multiple files and moves the encrypted data into a single file.
Example: Bart
StrongCryptor
This scenario simulates an attack performed by most types of ransomware. For each test file, RanSim creates a new file that contains the encrypted content in the test file. Then, RanSim overwrites the content from the original test file and deletes that file.
-
Encryption is performed using AES.
Example: CryptoLocker variant without net communication
StrongCryptorFast - This scenario simulates an attack performed by many types of ransomware. For each test file, RanSim creates a new file that contains the encrypted content of the original test file. Then, RanSim deletes all the original test files so that only the encrypted versions of the test files remain.
- Encryption is performed using AES.
Example: CryptoLocker
StrongCryptorNet -
This scenario simulates an attack performed by many types of ransomware. For each test file, RanSim creates a new test file that contains the encrypted content of the original test file. Then, RanSim deletes the original test file.
Encryption is performed using AES. In this scenario, RanSim also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.
Example: CryptoLocker variant with command-and-control server communication
ThorVariant
This scenario simulates a variant of Thor ransomware. This scenario only simulates the methods Thor uses to infect files, not its encryption algorithm.
Example: Thor
VirlockVariant
This scenario simulates complex ransomware. This scenario relies on a “watchdog” process that waits for another scenario to be started first. Then, if the other scenario is blocked, this scenario will recreate the other scenario and restart it.
Example: Virlock
WeakCryptor
This scenario simulates an attack performed using a weak type of encryption. For each test file, RanSim creates a new test file that contains the encrypted content of the test original file. Then, RanSim deletes the original test file.
In this scenario, encryption is simulated by compressing the original file content by using GZip. Then, the first byte of the result, 0x1F, is replaced with with 0x00.
Example: TeleCrypt
False Positive Scenarios
In addition to 23 ransomware scenarios, RanSim will also run two false positive scenarios on your computer. False positives are files or programs that are incorrectly labeled as malicious and blocked by your endpoint protection software.
RanSim’s two false positive scenarios are called the Archiver and the Remover. If either of these scenarios are blocked by your endpoint protection software, your Incorrectly Blocked results in RanSim will increase. For more information about viewing results, see the Analyzing Your RanSim Results section below.
If the false positive scenarios are blocked, your RanSim results may not be an accurate measure of your endpoint protection software’s effectiveness.
Analyzing Your RanSim Results
Once RanSim has finished running all of the ransomware and false positive scenarios, you can view your results in the KnowBe4 RanSim window.
In the Vulnerable, Not Vulnerable, and Incorrectly Blocked boxes at the top-left corner of the window, you can view the number of scenarios in each status. Ideally, your results will display as 0/23 Vulnerable scenarios, 23/23 Not Vulnerable scenarios, and 0/2 Incorrectly Blocked scenarios.
In the KnowBe4 RanSim window, you can also view a circle graph and table with more information about your results. The circle graph displays information about the type of vulnerable files found, such as documents or pictures. The table displays information about each scenario, including the scenario’s name and status, a description of the scenario, and the file path for the encrypted test files.You can also click the Export to CSV link at the top-right corner of the Scenarios section to download a CSV file. This CSV file contains information about your RanSim results.
Comments
0 comments
Article is closed for comments.