RanSim FAQs
In this article, you’ll find frequently asked questions (FAQs) about our RanSim tool.
Click the links below to find RanSim FAQs. For general information about RanSim, see our RanSim Product Manual.
Jump to:
General Information
1. Does RanSim simulate the behavior of real ransomware attacks? What are some examples of real ransomware with similar behavior?
Yes, RanSim simulates real ransomware behavior, with minor differences. For example, the encryption keys and algorithms that we use in RanSim are different from the encryption keys and algorithms used in real ransomware.
For more information about RanSim’s ransomware scenarios and false positive scenarios, see our RanSim Product Manual.
2. Does RanSim collect any information about my computer?
The only information RanSim collects is the number of files on your local disks that contain extensions that may be vulnerable to real ransomware attacks.
3. On the KnowBe4 RanSim results window, what does the Executed label mean? How is this label different from the Vulnerable or Not Vulnerable labels?
The Executed label indicates false positive scenarios that were not blocked by your endpoint protection software. If your endpoint protection software is working properly, the Executed label will display next to both of the false positive scenarios.
The Vulnerable and Not Vulnerable labels indicate the results of the ransomware scenarios instead of the false positive scenarios. The Vulnerable label will display next to any ransomware scenario that failed the RanSim test and could be vulnerable to a real ransomware attack. The Not Vulnerable label will display next to any ransomware scenario that did not fail the RanSim test and should be safe from a real ransomware attack.
4. Can I use RanSim to test my own files? For example, can I test my own documents or photos?
Yes, you can test your own files after your first RanSim scan.
To test your own files, follow the steps below:
- At the top-right corner of the KnowBe4 RanSim window, click click here in the Optionally, click here to copy your own test files to the test files folder. section.
- When prompted, select the files you would like to copy to the %systemdrive%\KB4\Newsim|DataDir\TestFiles folder.
After you copy the files and add them to the test folder, you can run additional RanSim scans on those files.
5. When I use RanSim, will any network connections be created? If so, what are these network connections used for?
There is one RanSim ransomware scenario that attempts to open an HTTP connection to 127.0.0.1, port 23054 to send a message containing the encryption key.
Antivirus Software
1. My antivirus software flagged my SimulatorSetup.exe, MainRunner.exe, Collector.exe, or SimulatorSetup.exe file as malicious. What should I do?
These files do not contain dangerous code and should be allowed to run. You can consider them false positives. However, they will not display in your false positives results. For more information about these files, see the list below:
- SimulatorSetup.exe: This file installs RanSim.
- Ranstart.exe: This file is the RanSim interface.
- MainRunner.exe: This file prepares the test environment and launches the RanSim scenarios.
- Collector.exe: This file collects results from each simulation.
If the files are flagged as malicious, certain antivirus software may provide you with a warning. If you receive a warning, you can let the file run, quarantine it, or block it. Other antivirus software may automatically block and quarantine the file. For more information, see the list below:
- If your MainRunner.exe file or Collector.exe file are quarantined before the first RanSim scan, RanSim will attempt to recreate these files when the scan starts. If the files are quarantined again, you will be informed that at least one of the files are missing and advised to ensure they are allowed to run on your computer.
- If your MainRunner.exe file or Collector.exe file are quarantined during a RanSim scan, the scan will be canceled. RanSim will try to recreate the files and you will be advised to scan again. If the files are blocked again, RanSim will not attempt to recreate the files. Instead, you will be asked to ensure the files are allowed to run and then restart RanSim to scan again.
2. My antivirus software did not flag the MainRunner.exe file or the SimulatorSetup.exe file as malicious. However, during a RanSim scan, my antivirus software flagged one or more of the test files as malicious. What should I do?
This behavior is intended. If your antivirus software flags test files as dangerous or malicious, that means your antivirus software is working properly. If your antivirus software blocks or quarantines the test files during a RanSim scan, your antivirus software may successfully block or quarantine ransomware during a real attack.
3. What happens if my antivirus software flags my RanSim installation file as malicious?
Most antivirus software that we have tested do not flag the RanSim installation file as malicious. However, if the file is flagged, you should add the file to the whitelist for your antivirus software. Then, you can attempt to install RanSim again.
4. Windows Security flagged my ransim.zip file as malicious and will not allow me to open the file. What should I do?
To open this file, you can add an exclusion to your Windows Security settings. For more information, see Microsoft's Add an exclusion to Windows Security article.
RanSim Files
1. When I install RanSim, where will my RanSim files be located?
All files will be located in the installation folder, c:\KB4\Newsim or %systemdrive%\KB4\Newsim.
If you uninstall RanSim, the installation folder will be removed from your computer.
2. What subfolders will be located in my \KB4\Newsim installation folder?
To learn about the subfolders that will be located in your \KB4\Newsim installation folder, see the table below:
| Subfolder Name | Subfolder Description |
|
\Newsim\DataDir |
This subfolder represents the simulated environment created by RanSim. |
|
\Newsim\DataDir\TestFiles |
This subfolder contains the test files for the RanSim simulations. |
|
\Newsim\DataDir\MainTests\xx |
Each RanSim scenario has a subfolder with related test files. The subfolder for each scenario is assigned a number. For more information about RanSim scenarios, see our RanSim Product Manual. |
|
\Rassim\DataDir\Tests\xx-Tests |
Each RanSim scenario has a subfolder that contains copies of the test files from the scenario’s \Newsim\DataDir\MainTests\xx test files. For more information about RanSim scenarios, see our RanSim Product Manual. |
3. What file extension is used for the RanSim scenarios?
The RanSim scenarios use a .cxp file extension.
4. What registry keys are created, and where are they located in my registry? If I uninstall RanSim, will these registry keys be removed?
In addition to any entries managed by the msinstaller, RanSim will create the HKEY_CURRENT_USER\SOFTWARE\KnowBe4 Ran Simulator registry key. If you uninstall RanSim, this registry key will be removed.
5. Are any log files generated when I use RanSim? If so, will any entries be added to the Windows Event Log?
In the RanSim logs directory, there are a few CSV files that contain internal information. However, RanSim does add any entries to the Windows Event Log.
Back to top
Comments
0 comments
Article is closed for comments.