RanSim Product Manual
RanSim is a tool that simulates the behavior of ransomware so you can check whether the endpoint security software on a workstation detects and blocks the actions real ransomware would take. It also lets you see whether that software is blocking benign file operations by running "false positive" scenarios. Optionally, you can supply specific files of your own to see how they would be affected by the ransomware simulations.
Note:
We recommend that you keep your antivirus on during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.
To learn about this product, read the below tutorial or watch this brief RanSim video.
Jump to:
System Requirements
How to Install RanSim
How to Enable Controlled Folder Access
Launching RanSim
How it Works
Test Scenarios
False Positive Scenarios
Analyzing Your Results
System Requirements
To install and run RanSim, your workstation must have:
- Microsoft Windows 7 OS or newer
- At least 2 processor cores
- At least 2 GB RAM
- 100 MB free HDD space
- Internet connection
- .NET Framework 4.5.2. If it is not already present, the RanSim installer installs it.
- Controlled Folder Access. This is needed only for the RIPlacer scenario and is available with Microsoft Defender on Windows 10 version 1709 and later. You can learn how to configure it in the How to Enable Controlled Folder Access section below.
We recommend that you run RanSim on a workstation that is set up the same as your user workstations. This includes the same programs and/or security software that you already have in place.
How to Install RanSim
- Ensure the workstation you are running RanSim on meets the system requirements, then download and install RanSim.
After downloading the RanSim zip file, launch the RanSim installer to begin the installation. To do this, see the steps below:
- Double-click the ransim.zip file in File Explorer.
- Double-click the SimulatorSetup.exe file.
- A password prompt will appear. Here, enter knowbe4. This will launch the RanSim installer.
Note:
If your antivirus product blocks the installation or launch of RanSim, see our FAQ article for more information.
How to Enable Controlled Folder Access
The RIPlacer scenario requires Controlled Folder Access to be enabled; the other scenarios run without it. The steps below show how to enable Controlled Folder Access manually (in the Windows Security settings) and through Group Policy.
To enable ransomware protection based on Controlled Folder Access manually, follow the steps below:
- Click the Windows button and type Ransomware protection to open the feature.
- Turn on the Controlled folder access option.
- Open the Protected folders link and add the folders corresponding to RIPlacer test folders.
- c:\KB4\Varsim\DataDir\MainTests\8-Files
- c:\KB4\Varsim\DataDir\MainTests\12-Files
- c:\KB4\Varsim\DataDir\MainTests\16-Files
- Go back to the Ransomware protection screen and open the Allow an app through Controlled folder access link.
- Add the following applications:
- c:\windows\system32\cmd.exe
- c:\windows\system32\notepad.exe
- c:\KB4\Varsim\MainRunner.exe
To enable Controlled folder access through GPO, follow these steps:
- On your Group Policy management machine, open the Group Policy Management Console.
- Right-click on the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration.
- Click Policies then Administrative templates.
- Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.
- Double-click the Configure Controlled folder access setting and click Enabled.
- Set the Guard My Folders Feature setting to Monitor.
- Configure the protected folders and allowed applications. Use the same folders and applications listed in the manual steps above (the three MainTests folders and cmd.exe, notepad.exe and MainRunner.exe).
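The same configuration can be applied from an elevated Windows PowerShell session with the Microsoft Defender cmdlets. The script below is an added example and is not part of RanSim or the KnowBe4 documentation. It assumes the system drive is C: (so the install root is C:\KB4) and that Controlled Folder Access is not locked by a Group Policy, because a policy value overrides the local preference. It sets the feature to Enabled (block mode), the same state as the manual "Turn on" step, and then reads the effective preference back to confirm that the folders and applications were accepted.

```powershell
# Added example, not RanSim code: configure Controlled Folder Access for the RIPlacer
# scenario with the Defender cmdlets. Run in an elevated Windows PowerShell session.
# Assumption: system drive is C:, so the RanSim root is C:\KB4.

$protectedFolders = @(
    'C:\KB4\Varsim\DataDir\MainTests\8-Files',
    'C:\KB4\Varsim\DataDir\MainTests\12-Files',
    'C:\KB4\Varsim\DataDir\MainTests\16-Files'
)
$allowedApps = @(
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\notepad.exe',
    'C:\KB4\Varsim\MainRunner.exe'
)

# Enabled = block mode. AuditMode only logs, so a CFA bypass test run in audit mode
# would report the machine as vulnerable regardless of the product under test.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# Verify against the effective preference rather than trusting the Add-* calls.
# -notcontains is case-insensitive, which matches how Defender treats paths.
$pref = Get-MpPreference
$missingFolders = $protectedFolders | Where-Object { $pref.ControlledFolderAccessProtectedFolders -notcontains $_ }
$missingApps    = $allowedApps      | Where-Object { $pref.ControlledFolderAccessAllowedApplications -notcontains $_ }

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
if ($pref.EnableControlledFolderAccess -ne 1) {
    Write-Warning "Controlled Folder Access state is $($pref.EnableControlledFolderAccess); expected 1 (Enabled). A Group Policy may be overriding the local setting."
}
if ($missingFolders) { Write-Warning "Not protected: $($missingFolders -join ', ')" }
if ($missingApps)    { Write-Warning "Not allowed through CFA: $($missingApps -join ', ')" }
if ($pref.EnableControlledFolderAccess -eq 1 -and -not $missingFolders -and -not $missingApps) {
    'Controlled Folder Access is configured for the RIPlacer scenario.'
}
```

The MainTests folders are created by MainRunner.exe during the first check (see How it Works), so if you prefer to protect only folders that already exist, run one check first and then apply the script before the check whose RIPlacer result you want to trust.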
Launching RanSim
- Click Launch to launch RanSim or double-click the KnowBe4 Ran Simulator icon on your desktop.
- Click the Check Now button to start RanSim's simulations. After clicking, RanSim will run 23 separate infection scenarios which will simulate different types and methods of ransomware. It will also run two "false positive" scenarios, which your antivirus should allow to run.
- After the simulations are completed, a results screen will show if your system is vulnerable or not, based on each of the 23 scenarios and the two false-positive scenarios. There will also be a count of how many files would have been vulnerable if an actual ransomware attack had occurred.
If you'd like, you can perform additional checks by clicking the Check Now button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see if they are vulnerable to encryption by a ransomware attack.
How it Works
When Ranstart.exe (the UI) executes for the first time, it will call MainRunner.exe to present the list of scenarios.
When the first simulation launches, MainRunner.exe will automatically create the test environment (the DataDir folder and its contents), and it will launch the corresponding simulation executable from the DataDir\MainTests folder for each scenario. For each subsequent pass, MainRunner.exe will recreate the simulation environment, except the %systemdrive%\KB4\Varsim\DataDir\TestFiles folder and contents, which will remain the same.
A simulation is complete when all of the executables have finished. The whole pass should take about 7 minutes. Collector.exe then collects the results of each executable and prepares the data for the UI, which displays the results once they are available.
RanSim is installed under %systemdrive%\KB4 (C:\KB4 on most systems). The structure of this folder and its subfolders is:

Folder | Description
\KB4\Varsim | Main installation folder; contains the three executables described above (Ranstart.exe, MainRunner.exe and Collector.exe)
\KB4\Varsim\DataDir | The simulated environment, created automatically by MainRunner.exe
\KB4\Varsim\DataDir\TestFiles | The test files used by the simulations. This folder is kept between runs, so files you add here are used by later checks
\KB4\Varsim\DataDir\MainTests\ | Contains the simulation scenarios
\KB4\Varsim\DataDir\MainTests\xx | One numbered folder per scenario, holding that scenario's executable (e.g. %systemdrive%\KB4\Varsim\DataDir\MainTests\xx)
\KB4\Varsim\DataDir\MainTests\xx-Files | Each scenario's own copy of the test files, in the <##-Files> folder that matches the scenario number (e.g. MainTests\8-Files)

The scenario executables are given different names each time they launch. They are located under the corresponding %systemdrive%\KB4\Varsim\DataDir\MainTests\## folders.
Test Scenarios
BlackKingDom Variant
Simulates complex ransomware that appears to be cobbled together in Python, using code elements identical to snippets shared on legitimate development forums along with sub-optimum methods and unused or defunct lines of code.
Example: Black KingDom or GAmmAWare
Collaborator
Simulates complex ransomware that encrypts files using multiple processes. In this scenario, the main executable calls on other processes (different cmd.exe processes running different commands) to enumerate the files to encrypt, move, and delete the original files. The main scenario only performs the encryption on temporary files.
Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
CritroniVariant
Simulates ransomware which encrypts files using an uncommon attack pattern.
Example: Critoni (also known as CTB-Locker)
DearCry Variant
Encrypts files by creating copies of the attacked files and deleting the originals. The encryption is based on a public-key cryptosystem embedded in the ransomware binary, meaning it does not need to contact the attacker's command-and-control server to encrypt files.
Example: DearCry
Hollow Injector
Simulates ransomware that uses process hollowing to inject ransomware code into a legitimate process.
Example: Jaff or GandCrab
Injector
Encrypts files by injecting the encryption code into a legitimate process using a common approach (DLL injection).
Example: GandCrab
InsideCryptor
Simulates ransomware which encrypts files and writes the encrypted data inside the original file, by replacing most of the original content starting from offset 512, so that the original 512 bytes of the file are preserved.
Example: PClock
LockyVariant
Simulates a recent Locky variant (just the file actions, not the encryption algorithm).
Example: Locky
MazeVariant
Simulates file related operations performed by Maze ransomware.
Example: Maze
Mover
Simulates ransomware which encrypts files and places the encrypted copies in a subfolder of the original folder.
Example: Alpha
PaymerVariant
Simulates file related operations performed by DoppelPaymer-like ransomware.
Example: DoppelPaymer
Reflective Injector
Encrypts files by injecting the encryption code into a legitimate process using an advanced approach (file-less, reflective injection).
Example: Chimera or Rokku
Replacer
Simulates an attack performed by a class of ransomware which overwrites the content of files having certain extensions (e.g. docx, xlsx, pptx, pdf, png, jpg) with predefined content in the same format as the original files, and then asks users to pay a ransom to be able to restore the original content of the original files. Users who fall victim to such type of ransomware have no guarantee they will be able to get their files back because the replacement doesn’t imply the original content is also preserved (encrypted or not).
Example: DirCrypt
RigSimulator
Simulates cryptomining which mines cryptocurrency (Monero) using the CPU of the machine.
Example: XMRig
RIPlacer
Tests whether a machine protected by Microsoft's Controlled Folder Access anti-ransomware technology is still vulnerable to this attack pattern. Controlled Folder Access must be enabled as described above for this scenario to be meaningful.
Example: Currently, there are no specific examples of this scenario. However, anti-ransomware products should be prepared to detect and stop this type of attack pattern.
SlowCryptor
Simulates ransomware which encrypts files slowly to avoid detection by rate-based heuristics; for example, roughly one file every 2 seconds.
Example: FCrypt variant
Streamer
Simulates ransomware which encrypts multiple files and writes the encrypted data into a single file (the concept is similar to the concept of zipping multiple files into a single archive).
Example: Bart
StrongCryptor
Simulates the attack pattern used by most ransomware. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then securely deletes the original (overwrites its content, then deletes it). Encryption is performed using AES.
Example: CryptoLocker variant without net communication.
StrongCryptorFast
Simulates an attack pattern used by many ransomware families. For each test file, the simulator creates a new file that contains the encrypted content of the original file. Only after all test files have been processed are the originals deleted, so that only the encrypted versions remain on the system. Encryption is performed using AES.
Example: CryptoLocker-like behavior, except that encryption and removal of the original content happen in separate passes over the files rather than file by file.
StrongCryptorNet
Simulates an attack performed by many ransomware variants. For each test file, the simulator generates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is performed using AES. In this scenario, the simulator also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.
Example: CryptoLocker variant with command-and-control server communication.
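To see whether the endpoint product stops the simulated key upload at the network layer, and not only the file operations, you can park a listener on that loopback port before clicking Check Now. The script below is an added example, not RanSim code. It assumes 127.0.0.1:23054 is free on the workstation and, because the page does not document the request format, it saves the raw bytes it receives and answers with an empty HTTP 200. It accepts a single connection and then exits, so start it again before each check.

```powershell
# Added example, not RanSim code: a loopback canary for the StrongCryptorNet scenario.
# Start it before clicking Check Now. It accepts one connection on 127.0.0.1:23054,
# records whatever the simulator sends, and replies with an empty HTTP 200.
# Assumption: the port is free and nothing else on the host is listening on it.

$capturePath = Join-Path $env:TEMP 'ransim-c2-capture.bin'
$listener = New-Object System.Net.Sockets.TcpListener -ArgumentList ([System.Net.IPAddress]::Loopback), 23054
$listener.Start()
Write-Host 'Canary listening on 127.0.0.1:23054. Run the RanSim check now (Ctrl+C to abort).'

try {
    $client = $listener.AcceptTcpClient()          # blocks until the scenario connects
    $remote = $client.Client.RemoteEndPoint        # read before the socket is closed
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000                     # the simulator sends immediately; do not hang

    $captured = New-Object System.IO.MemoryStream
    $buffer   = New-Object byte[] 65536
    try {
        do {
            $n = $stream.Read($buffer, 0, $buffer.Length)
            if ($n -gt 0) { $captured.Write($buffer, 0, $n) }
        } while ($n -gt 0 -and $stream.DataAvailable)
    } catch [System.IO.IOException] {
        # read timeout: treat whatever arrived as the full request
    }

    # Minimal valid HTTP response so the client does not retry or error out
    $reply = [System.Text.Encoding]::ASCII.GetBytes("HTTP/1.1 200 OK`r`nContent-Length: 0`r`nConnection: close`r`n`r`n")
    $stream.Write($reply, 0, $reply.Length)
    $client.Close()

    $bytes = $captured.ToArray()
    [System.IO.File]::WriteAllBytes($capturePath, $bytes)
    $requestLine = ([System.Text.Encoding]::ASCII.GetString($bytes) -split "`r?`n")[0]
    Write-Host ('Connection from {0}: {1} bytes saved to {2}' -f $remote, $bytes.Length, $capturePath)
    Write-Host "Request line: $requestLine"
}
finally {
    $listener.Stop()
}
```

If the script never reports a connection while the results page shows the scenario ran, the connection was blocked before it reached the loopback socket, which is the behavior you want from a product that inspects outbound traffic. The capture file is the only record of what was sent; inspect it with a hex viewer, since the body may not be text.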
ThorVariant
Simulates a Thor variant (just the file actions, not the encryption algorithm).
Example: Thor
VirlockVariant
Simulates very complex ransomware. Unlike the other scenarios, this one relies on a “watchdog” process which is started by the main scenario. If the main scenario is blocked, the watchdog will recreate it and restart it.
Example: Virlock
WeakCryptor
Simulates an attack performed using a very weak type of encryption. For each test file, the simulator creates a new file that contains the encrypted content of the original file, then it deletes the original file. Encryption is simulated by compressing the original content using GZip and then replacing the first byte of the result (0x1F) with 0x00.
Example: TeleCrypt
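Because the only change to the compressed data is a single header byte, WeakCryptor output is trivially reversible; the scenario exists to check that the product detects the file-handling pattern, not the strength of the "encryption". The script below is an added example, not RanSim code. It reproduces the transformation on a constructed sample, reverses it, and includes a small header check you could run over a scenario's ##-Files copies to find WeakCryptor output. It assumes the standard GZip header (1F 8B 08) that the description implies; nothing about the simulator's file naming is assumed.

```powershell
# Added example, not RanSim code: the WeakCryptor transformation described above and its
# reversal. GZip output starts 1F 8B 08; WeakCryptor zeroes the first byte, so the file
# no longer looks like GZip to a magic-number check but is otherwise intact.

function ConvertTo-WeakCryptorBytes {
    param([Parameter(Mandatory)][byte[]]$Plain)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream -ArgumentList $ms, ([System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Plain, 0, $Plain.Length)
    $gz.Dispose()                    # flushes the GZip trailer into $ms
    $out = $ms.ToArray()
    $out[0] = 0x00                   # the single "encryption" step: 1F becomes 00
    return ,$out
}

function ConvertFrom-WeakCryptorBytes {
    param([Parameter(Mandatory)][byte[]]$Cipher)
    if ($Cipher.Length -lt 3 -or $Cipher[0] -ne 0x00 -or $Cipher[1] -ne 0x8B -or $Cipher[2] -ne 0x08) {
        throw 'Not WeakCryptor output: expected bytes 00 8B 08 at offset 0'
    }
    $fixed = [byte[]]$Cipher.Clone()
    $fixed[0] = 0x1F                 # restore the GZip magic and it is a normal archive again
    $in  = New-Object System.IO.MemoryStream -ArgumentList (,$fixed)
    $gz  = New-Object System.IO.Compression.GZipStream -ArgumentList $in, ([System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out)
    $gz.Dispose()
    return ,$out.ToArray()
}

function Test-WeakCryptorArtifact {
    # Detection view: a file whose first three bytes are 00 8B 08 is WeakCryptor output
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 3
        $n = $fs.Read($head, 0, 3)
    } finally {
        $fs.Close()
    }
    return ($n -eq 3 -and $head[0] -eq 0x00 -and $head[1] -eq 0x8B -and $head[2] -eq 0x08)
}

# Constructed sample round trip (no RanSim files involved)
$plain  = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample document: quarterly figures, internal use only.')
$cipher = ConvertTo-WeakCryptorBytes -Plain $plain
$back   = ConvertFrom-WeakCryptorBytes -Cipher $cipher
'Header after WeakCryptor: {0:X2} {1:X2} {2:X2}' -f $cipher[0], $cipher[1], $cipher[2]
'Round trip restored the original: {0}' -f ([System.Text.Encoding]::UTF8.GetString($back) -eq [System.Text.Encoding]::UTF8.GetString($plain))
```

To locate WeakCryptor output after a check, run Test-WeakCryptorArtifact over the files in the scenario's ##-Files folder, for example with Get-ChildItem -Recurse -File piped to Where-Object { Test-WeakCryptorArtifact $_.FullName }; a product that lets this scenario through leaves files that pass the check.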
False Positive Scenarios
The Archiver and Remover scenarios do not simulate ransomware and should not be blocked by your antivirus. If either of these two scenarios is blocked, it will be reported as “incorrectly blocked” in your results.
If a false positive scenario is blocked, it is counted under INCORRECTLY BLOCKED. For example, if your security software blocks all 23 ransomware scenarios and also both false positive scenarios, your results will look like this:
- VULNERABLE 0/23
- NOT VULNERABLE 23/23
- INCORRECTLY BLOCKED 2/2
Ideally, your security software blocks the 23 ransomware scenarios and allows the two false positive scenarios to execute without issue, in which case your results look like this:
- VULNERABLE 0/23
- NOT VULNERABLE 23/23
- INCORRECTLY BLOCKED 0/2
If the false positive scenarios are blocked, your results are not a reliable measure of the effectiveness of your security software, because it is blocking benign file operations as well as ransomware behavior. We cannot provide a fix to prevent the false positive scenarios from being blocked; that tuning has to be done on the security product's side.
Analyzing Your Results
Once RanSim has finished running all of the test scenarios, you can download a CSV file of the results shown on the results screen described in the Launching RanSim section. The download link is in the top right corner of the Results page. The CSV lets you compare how your files held up against the various simulated ransomware attacks, and the per-scenario results can be used to decide which documents and files need additional protection. Implementing security awareness training that prepares your users to identify phishing attacks will reduce the risk of your organization falling victim to a ransomware attack.