RanSim Product Manual
Ransomware Simulator (RanSim) is a tool that simulates ransomware attacks to see how your endpoint protection software might respond in the event of a real ransomware attack. You can use RanSim to see if your endpoint protection software would block ransomware or if it would create false positives. You can also use RanSim to see how specific files would be impacted by ransomware.
Click the links below to learn how to install RanSim, launch RanSim, and view your results. If you prefer video tutorials, you can also watch our RanSim video.
To install and launch RanSim, you will need to meet the requirements listed below:
- Your computer must use Microsoft Windows 10 or newer.
- Your computer must have at least 2 processor cores, 2 GB of RAM, and 100 MB free HDD space.
- Your computer must be able to connect to the internet.
- Your computer must use a .NET Framework 4.5.2 to launch the tool.
Note: However, if your computer does not use this framework, the framework will be installed automatically when you install RanSim.
- To run our RIPlacer ransomware scenario, you must enable controlled folder access. For more information, see the Enabling Controlled Folder Access section of this article.
Once you’ve verified that your computer meets the prerequisites in the Prerequisites section above, you are ready to install RanSim.
To install RanSim, follow the steps below:
- Navigate to knowbe4.com/ransomware-simulator in your browser.
- Fill out the fields in the I want my RanSim download form.
- Click Get RanSim!.
- Click the Click Here To Download RanSim link. When you click this link, the ransim.zip file will download to your computer.
- Double-click the ransim.zip file in your file manager.
- Then, double-click the SimulatorSetup.exe file. When you double-click this file, you will be prompted to enter a password.
- Enter "knowbe4" in the field to begin installing RanSim on your computer.
Once RanSim has finished installing, an “Installation Successfully Completed” message will display in the KnowBe4 RanSim Setup window. To learn how to launch RanSim, see the Launching RanSim section below.
Enabling Controlled Folder Access
To run the RIPlacer ransomware scenario, Microsoft controlled folder access must be enabled on your computer.
To learn how to enable controlled folder access manually or through Group Policy, click the links below:
Enable Controlled Folder Access Manually
To enable controlled folder access manually, follow the steps below:
- Click the Windows button and enter "Ransomware protection" into the search bar.
- Turn on the Controlled folder access option.
- Add the following folder paths to the Protected Folders section:
- Navigate back to the Ransomware protection screen and click the Allow an app through Controlled folder access link.
- Add the following applications to the allow list:
Enable Controlled Folder Access Through Group Policy
To enable controlled folder access through Group Policy, follow the steps below:
- Open your Group Policy Management Console.
- Right-click on the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration.
- Click Policies, then click Administrative templates.
- Expand the directory tree to Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access.
- Double-click the Configure Controlled folder access setting, then click Enabled.
- Set the Guard My Folders Feature setting to Monitor.
- Configure the protected folders and allowed applications. You can find this information in steps 3, 4, and 5 in the Enable Controlled Folder Access Manually subsection above.
To launch RanSim, follow the steps below:
- In the KnowBe4 RanSim Setup window, click Launch. Or, double-click the KnowBe4 Ran Simulator icon on your computer.
- In the Welcome to KnowBe4 Ransim window, click the Check now button. When you click this button, RanSim will start running the ransomware simulations on your computer, including 23 ransomware scenarios and two false positive scenarios. To learn more about these ransomware scenarios and false positive scenarios, see the Ransomware Scenarios and False Positive Scenarios sections below.
You can view the scenarios’ progress in the KnowBe4 Ransim window.
Once RanSim has run all the scenarios, your results will display. You can view the results for each scenario, including Vulnerable scenarios, Not Vulnerable scenarios, and Incorrectly Blocked scenarios. For more information about viewing and analyzing your results, see the Analyzing Your RanSim Results section below.
By default, the RanSim display language will be set to English (United States). However, you can also select Spanish (Spain) or French (France).
To change your language settings, click the current language link at the bottom-right corner of the client. When you click, the Display Language modal will open and you can select a language from the drop-down menu.
When launched, RanSim will run 23 ransomware scenarios on your computer. To learn more about each scenario, see the table below:
False Positive Scenarios
In addition to 23 ransomware scenarios, RanSim will also run two false positive scenarios on your computer. False positives are files or programs that are incorrectly labeled as malicious and blocked by your endpoint protection software.
RanSim’s two false positive scenarios are called the Archiver and the Remover. If either of these scenarios are blocked by your endpoint protection software, your Incorrectly Blocked results in RanSim will increase. For more information about viewing results, see the Analyzing Your RanSim Results section below.
If the false positive scenarios are blocked, your RanSim results may not be an accurate measure of your endpoint protection software’s effectiveness.
Analyzing Your RanSim Results
Once RanSim has finished running all of the ransomware and false positive scenarios, you can view your results in the KnowBe4 RanSim window.
In the Vulnerable, Not Vulnerable, and Incorrectly Blocked boxes at the top-left corner of the window, you can view the number of scenarios in each status. Ideally, your results will display as 0/23 Vulnerable scenarios, 23/23 Not Vulnerable scenarios, and 0/2 Incorrectly Blocked scenarios.
In the KnowBe4 RanSim window, you can also view a circle graph and table with more information about your results. The circle graph displays information about the type of vulnerable files found, such as documents or pictures. The table displays information about each scenario, including the scenario’s name and status, a description of the scenario, and the file path for the encrypted test files.You can also click the Export to CSV link at the top-right corner of the Scenarios section to download a CSV file. This CSV file contains information about your RanSim results.