RanSim Product Manual

Ransomware Simulator (RanSim) is a tool that simulates ransomware attacks to see how your endpoint protection software might respond in the event of a real ransomware attack. You can use RanSim to see if your endpoint protection software would block ransomware or if it would create false positives. You can also use RanSim to see how specific files would be impacted by ransomware.

If you prefer video tutorials, you can also watch our RanSim video.

Important: For accurate results, your antivirus software must be configured and operating as normal when you use RanSim.

Prerequisites

To install and launch RanSim, you will need to meet the requirements listed below:

  • Your computer must use 64-bit Microsoft Windows 10 or newer.
  • Your computer must have at least 2 processor cores, 2 GB of RAM, and 100 MB free HDD space.
  • Your computer must be able to connect to the internet.
  • Your computer must have .NET Framework 4.5.2 installed to launch the tool.
    Important: If .NET Framework 4.5.2 is not installed, it will be installed automatically when you install RanSim.
  • To run our RIPlacer ransomware scenario, you must enable controlled folder access. For more information, see the Enabling Controlled Folder Access section of this article.
Important: For accurate results, we recommend that you install RanSim on a computer that uses the same programs and security software as your users’ computers.

Installing RanSim

Once you’ve verified that your computer meets the prerequisites in the Prerequisites section above, you are ready to install RanSim.

To install RanSim, follow the steps below:

  1. Navigate to knowbe4.com/ransomware-simulator in your browser.
  2. Fill out the fields in the I want my RanSim download form.
  3. Click Get RanSim!.
  4. Click the Click Here To Download RanSim link. When you click this link, the ransim.zip file will download to your computer.
  5. Double-click the ransim.zip file in your file manager.
  6. Then, double-click the SimulatorSetup.exe file. When you double-click this file, you will be prompted to enter a password.
  7. Enter "knowbe4" in the field to begin installing RanSim on your computer.

Once RanSim has finished installing, an “Installation Successfully Completed” message will display in the KnowBe4 RanSim Setup window. To learn how to launch RanSim, see the Launching RanSim section below.

Important: For RanSim to install successfully, the SimulatorSetup.exe, Ranstart.exe, MainStarter.exe, and Collector.exe files must be able to run. If your antivirus or antimalware product is blocking these files, you'll need to configure the product to allow them. This process will vary depending on the antivirus or antimalware product you are using. If any of these files are quarantined and you did not see a warning prompt to allow the file to run, you will need to restore the file from quarantine and repeat the steps above. For more information, see the Antivirus Software section of our RanSim Frequently Asked Questions (FAQs) article.

Enabling Controlled Folder Access

To run the RIPlacer ransomware scenario, Microsoft controlled folder access must be enabled on your computer.

To learn how to enable controlled folder access manually or through Group Policy, see the subsections below:

Enable Controlled Folder Access Manually

To enable controlled folder access manually, follow the steps below:

  1. Click the Windows button and enter "Ransomware protection" into the search bar.
  2. Turn on the Controlled folder access option.
  3. Add the following folder paths to the Protected Folders section:
    • c:\KB4\Newsim\DataDir\MainTests\8-Files
    • c:\KB4\Newsim\DataDir\MainTests\12-Files
    • c:\KB4\Newsim\DataDir\MainTests\16-Files
  4. Navigate back to the Ransomware protection screen and click the Allow an app through Controlled folder access link.
  5. Add the following applications to the allow list:
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\notepad.exe
    • c:\KB4\Newsim\MainStarter.exe
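
The manual steps above, carried out with the Microsoft Defender PowerShell cmdlets instead of the Windows Security app. This is an added example, not part of the RanSim manual; it assumes an elevated PowerShell prompt on the test computer and uses the folder and application paths listed above.

```powershell
# Added example (not from the RanSim manual): configure controlled folder access
# for the RIPlacer scenario with the Defender cmdlets. Run as Administrator.

# Step 2: turn on controlled folder access (block mode).
Set-MpPreference -EnableControlledFolderAccess Enabled

# Step 3: protect the RanSim test-file folders.
$protectedFolders = @(
    'c:\KB4\Newsim\DataDir\MainTests\8-Files',
    'c:\KB4\Newsim\DataDir\MainTests\12-Files',
    'c:\KB4\Newsim\DataDir\MainTests\16-Files'
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolders

# Steps 4 and 5: allow the applications RanSim relies on through controlled folder access.
$allowedApps = @(
    'c:\windows\system32\cmd.exe',
    'c:\windows\system32\notepad.exe',
    'c:\KB4\Newsim\MainStarter.exe'
)
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# Check: confirm the mode and both lists before launching RanSim.
# EnableControlledFolderAccess reports 1 when the feature is Enabled.
$prefs = Get-MpPreference
[pscustomobject]@{
    EnableControlledFolderAccess = $prefs.EnableControlledFolderAccess
    ProtectedFolders             = $prefs.ControlledFolderAccessProtectedFolders
    AllowedApplications          = $prefs.ControlledFolderAccessAllowedApplications
} | Format-List
```

If the protected folders do not appear in the output, the RIPlacer scenario will not be exercised against controlled folder access and its result should not be read as a pass.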

Enable Controlled Folder Access Through Group Policy

To enable controlled folder access through Group Policy, follow the steps below:

  1. Open your Group Policy Management Console.
  2. Right-click on the Group Policy Object you want to configure and click Edit.
  3. In the Group Policy Management Editor, go to Computer configuration.
  4. Click Policies, then click Administrative templates.
  5. Expand the directory tree to Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
  6. Double-click the Configure Controlled folder access setting, then click Enabled.
  7. Set the Guard My Folders Feature setting to Monitor.
  8. Configure the protected folders and allowed applications. You can find this information in steps 3, 4, and 5 in the Enable Controlled Folder Access Manually subsection above.

Launching RanSim

To launch RanSim, follow the steps below:

  1. In the KnowBe4 RanSim Setup window, click Launch. Or, double-click the KnowBe4 Ran Simulator icon on your computer.
  2. In the Welcome to KnowBe4 Ransim window, click the Check now button. When you click this button, RanSim will start running the ransomware simulations on your computer, including 23 ransomware scenarios and two false positive scenarios. To learn more about these ransomware scenarios and false positive scenarios, see the Ransomware Scenarios and False Positive Scenarios sections below.

You can view the scenarios’ progress in the KnowBe4 Ransim window.

Once RanSim has run all the scenarios, your results will display. You can view the results for each scenario, including Vulnerable scenarios, Not Vulnerable scenarios, and Incorrectly Blocked scenarios. For more information about viewing and analyzing your results, see the Analyzing Your RanSim Results section below.

Tip: You can click the Check now button again to run additional scenarios. After running your first scenarios, you also have the option to add your own test files to the test files folder. Then, RanSim will run tests to see if these files would be vulnerable to ransomware attacks.

Language Options

By default, the RanSim display language will be set to English (United States). However, you can also select Spanish (Spain) or French (France).

To change your language settings, click the current language link at the bottom-right corner of the client. When you click, the Display Language modal will open and you can select a language from the drop-down menu.

Ransomware Scenarios

When launched, RanSim will run 23 ransomware scenarios on your computer. Each scenario is described below, together with an example of real ransomware that uses the same technique where one exists.

Note: To learn more about the two false positive scenarios that RanSim will run on your computer, see the False Positive Scenarios section below.

BlackKingdomVariant

This scenario simulates ransomware that appears to be written in Python. This type of ransomware uses code elements that are identical to code shared on development forums, and it also contains unused or defunct code.

Example: Black Kingdom or GAmmAWare


Collaborator

This scenario simulates ransomware that uses multiple processes to encrypt files. In this scenario, executable code calls on other processes to enumerate the test files. Then, the original files are encrypted, moved, and deleted.

Example: Currently, there aren’t any examples of this scenario. However, your endpoint protection software should be prepared to detect and stop this type of attack.


CritroniVariant

This scenario simulates ransomware that encrypts files using an uncommon attack pattern.

Example: Critroni or CBT


DearCryVariant

This scenario simulates ransomware that encrypts copies of the targeted files and then deletes the original files. The encryption method used in this scenario does not need to contact the attacker's command-and-control server to encrypt files.

Example: DearCry


DjVuVariant

This scenario simulates methods used by DjVu ransomware. Typically used to attack large organizations, DjVu encrypts copies of targeted files and deletes the original files.

Example: DjVu


HollowInjector

This scenario simulates ransomware that uses process hollowing to inject malicious code into a legitimate process.

Example: Jaff or GandCrab


Injector

This scenario simulates ransomware that encrypts files by injecting malicious code into a legitimate process. This type of ransomware injects code by using a common method, such as dynamic link library (DLL) injection.

Example: GandCrab


InsideCryptor

This scenario simulates ransomware that encrypts files and adds the encrypted data to the original file.

Example: PClock


LockyVariant

This scenario simulates a variant of Locky ransomware. This scenario only simulates the method Locky uses to infect files, not its encryption algorithm.

Example: Locky


MazeVariant

This scenario simulates methods used by Maze ransomware.

Example: Maze


Mover

This scenario simulates ransomware that encrypts files and moves the files to a subfolder of the original folder.

Example: Alpha

PaymerVariant

This scenario simulates methods used by ransomware such as DoppelPaymer.

Example: DoppelPaymer


PhobosVariant

This scenario simulates methods used by Phobos ransomware. Typically used to attack small organizations, Phobos encrypts copies of targeted files and deletes the original files.

Example: Phobos


ReflectiveInjector

This scenario simulates ransomware that uses an advanced method to inject encryption code into a legitimate process.

Example: Chimera or Rokku


Replacer

This scenario simulates an attack performed by ransomware that overwrites the content of files that have specific extensions, such as .docx or .pdf. The content is overwritten with content in the same format as the original file. Once the content is overwritten, users are asked to pay a ransom to restore the content in the original files.

Example: DirCrypt


RigSimulator

This scenario simulates cryptomining malware, which uses the computer's CPU to mine cryptocurrency.

Example: XMRig


RIPlacer

This scenario tests whether machines protected by Microsoft controlled folder access are still vulnerable to attacks.

Example: Currently, there aren’t any examples of this scenario. However, your endpoint protection software should be prepared to detect and stop this type of attack.


SlowCryptor

This scenario simulates ransomware that encrypts files slowly to avoid detection.

Example: FCrypt variant


Streamer

This scenario simulates ransomware that encrypts multiple files and moves the encrypted data into a single file.

Example: Bart


StrongCryptor

This scenario simulates an attack performed by most types of ransomware. For each test file, RanSim creates a new file that contains the encrypted content of the test file. Then, RanSim overwrites the content of the original test file and deletes it.

Encryption is performed using AES.

Example: CryptoLocker variant without net communication


StrongCryptorFast

This scenario simulates an attack performed by many types of ransomware. For each test file, RanSim creates a new file that contains the encrypted content of the original test file. Then, RanSim deletes all the original test files so that only the encrypted versions of the test files remain.

Encryption is performed using AES.

Example: CryptoLocker


StrongCryptorNet

This scenario simulates an attack performed by many types of ransomware. For each test file, RanSim creates a new test file that contains the encrypted content of the original test file. Then, RanSim deletes the original test file.

Encryption is performed using AES. In this scenario, RanSim also attempts to create an HTTP connection to IP address 127.0.0.1 on port 23054 to send the encryption key.

Example: CryptoLocker variant with command-and-control server communication

ThorVariant

This scenario simulates a variant of Thor ransomware. This scenario only simulates the methods Thor uses to infect files, not its encryption algorithm.

Example: Thor


VirlockVariant

This scenario simulates complex ransomware. This scenario relies on a “watchdog” process that waits for another scenario to be started first. Then, if the other scenario is blocked, this scenario will recreate the other scenario and restart it.

Example: Virlock


WeakCryptor

This scenario simulates an attack performed using a weak type of encryption. For each test file, RanSim creates a new test file that contains the encrypted content of the original test file. Then, RanSim deletes the original test file.

In this scenario, encryption is simulated by compressing the original file content with GZip. Then, the first byte of the result, 0x1F, is replaced with 0x00.

Example: TeleCrypt
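
The transformation described above is reversible, which is useful when a Vulnerable result leaves transformed test files behind and you want to confirm what produced them. The following PowerShell is an added example, not part of the RanSim manual or its code: it identifies a file with the WeakCryptor header pattern and recovers the original content. The sample artifact and its paths under %TEMP% are constructed for the demonstration.

```powershell
# Added example (not from the RanSim manual). WeakCryptor "encrypts" a test
# file by GZip-compressing it and overwriting the first byte (0x1F) with 0x00.
# These functions identify such a file and recover its original content.

function Test-WeakCryptorArtifact {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # A GZip stream starts 1F 8B 08 (magic + deflate method), so WeakCryptor
    # output starts 00 8B 08. Anything else is not this scenario's artifact.
    if ($bytes.Length -lt 3) { return $false }
    return ($bytes[0] -eq 0x00 -and $bytes[1] -eq 0x8B -and $bytes[2] -eq 0x08)
}

function Restore-WeakCryptorFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutputPath
    )
    if (-not (Test-WeakCryptorArtifact -Path $Path)) {
        throw "$Path does not look like WeakCryptor output (expected header 00 8B 08)."
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $bytes[0] = 0x1F   # put the GZip magic byte back, then decompress normally
    $inStream  = [System.IO.MemoryStream]::new($bytes)
    $gzStream  = [System.IO.Compression.GZipStream]::new($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $outStream = [System.IO.FileStream]::new($OutputPath, [System.IO.FileMode]::Create)
    try   { $gzStream.CopyTo($outStream) }
    finally { $gzStream.Dispose(); $outStream.Dispose(); $inStream.Dispose() }
}

# Constructed sample (paths are assumed, under %TEMP%): build a WeakCryptor-style
# artifact from known content so the recovery can be checked end to end.
$sample  = Join-Path $env:TEMP 'ransim-weakcryptor-sample.bin'
$restore = Join-Path $env:TEMP 'ransim-weakcryptor-restored.txt'
$plain   = [System.Text.Encoding]::UTF8.GetBytes('RanSim test file content')
$ms = [System.IO.MemoryStream]::new()
$gz = [System.IO.Compression.GZipStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
$gz.Write($plain, 0, $plain.Length); $gz.Dispose()
$artifact = $ms.ToArray(); $artifact[0] = 0x00
[System.IO.File]::WriteAllBytes($sample, $artifact)

Test-WeakCryptorArtifact -Path $sample
Restore-WeakCryptorFile -Path $sample -OutputPath $restore
Get-Content -Path $restore
```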

False Positive Scenarios

In addition to the 23 ransomware scenarios, RanSim will also run two false positive scenarios on your computer. False positives are files or programs that are incorrectly labeled as malicious and blocked by your endpoint protection software.

RanSim’s two false positive scenarios are called the Archiver and the Remover. If either of these scenarios is blocked by your endpoint protection software, your Incorrectly Blocked results in RanSim will increase. For more information about viewing results, see the Analyzing Your RanSim Results section below.

If the false positive scenarios are blocked, your RanSim results may not be an accurate measure of your endpoint protection software’s effectiveness.

Important: Unfortunately, we cannot prevent your endpoint protection software from blocking the false positive scenarios.

Analyzing Your RanSim Results

Once RanSim has finished running all of the ransomware and false positive scenarios, you can view your results in the KnowBe4 RanSim window.

In the Vulnerable, Not Vulnerable, and Incorrectly Blocked boxes at the top-left corner of the window, you can view the number of scenarios in each status. Ideally, your results will display as 0/23 Vulnerable scenarios, 23/23 Not Vulnerable scenarios, and 0/2 Incorrectly Blocked scenarios.

In the KnowBe4 RanSim window, you can also view a circle graph and a table with more information about your results. The circle graph displays information about the types of vulnerable files found, such as documents or pictures. The table displays information about each scenario, including the scenario’s name and status, a description of the scenario, and the file path for the encrypted test files.

You can also click the Export to CSV link at the top-right corner of the Scenarios section to download a CSV file that contains information about your RanSim results.
