RanSim Ransomware Simulator test and discussion thread

KnowBe4 offers the RanSim Ransomware Simulator.

I noticed there was need for a dedicated thread to discuss RanSim and RanSim test results.
This is the thread to do so.

About RanSim:
- RanSim offers a harmless simulation of a real ransomware infection.
- It does not use any of your own files.
- Currently, it tests 10 types of infection scenarios.
- You can just download the installer and run it.
- For detailed information, please see the RanSim documentation.

N.B.
If security software blocks or stops RanSim.exe, Launcher.exe and/or RanSimSetup.exe, RanSim does not run as intended. You may need to whitelist those three RanSim exe in your security software.
See documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:

N.B.
There is a bug in RanSim (v1.0.2.1 - v1.0.2.4) that shows "Vulnerable" for the InsideCryptor test scenario result when testing HitmanPro.Alert, while HitmanPro.Alert does protect against InsideCryptor.
The HitmanPro.Alert developers contacted KnowBe4 regarding this bug.
Also see Erik Loman's posts #33 and #95 regarding this matter.

N.B.
Your anti-ransomware solution may or perhaps may not stop the Streamer test scenario. Don't worry about that, as that is not very relevant, as Streamer puts encrypted data into a single archive file, but only deletes the original files, so those can be recovered using recovery software.
Well, that was the case up to and including RanSim v1.0.2.2.
With RanSim v1.0.2.4, KnowBe4 may have changed Streamer's behavior slightly by touching the originals (as normal ransomware would). See Erik Loman's post #95.

 

Why do they want my personal data before they allow me to download the ransomware simulator? No, thanks, I'll pass.

 

Yeah, I never like that, either.
But it is simple to get the RanSim download with filling in a fantasy name of your choice, a Mailinator e-mail address of your choice, and all zeros for your phone number.

 

Try this link:

 

Thanks, @mood .

 

I know, but I don't know if KnowBe4 likes it a lot if we offer that link.
As I don't know if it is allowed, I didn't want to offer that link.

 

If anyone is interested in RanSim test results for G Data IS,
I tested G Data IS 25.3.0.1 with AntiRansomware module, using RanSim version 1.0.2.2.
Results of that test are in the "G Data Internet Security version 2017" thread.

 

http://i.imgur.com/HQeeZfS.jpg http://i.imgur.com/HQeeZfS.jpg Avast alone passes this test...



Email skip etc bypass allowed?


https://www.knowbe4.com/typ-ransim-form?submissionGuid=5527c6f0-bf51-41d8-9122-ab728fbe91ed

 

The link is mentioned in the VS-thread since 5 weeks and the link is in the sourcecode of the website.
After clicking on "Get RanSim!" under the formular it redirects to it:

It's not really a secret or "circumvention", it's only a little shortcut

And if it were a problem, a moderator would have deleted the link in the VS-thread long time ago

 

Ahh, sorry I didn't realise you had already posted it!....I was questioning my own post and validity

 

Didn't even work in Sandboxie..

https://drive.google.com/open?id=0B8WQop-a0k_KZTBhak51bmV3Wnc

 

Tested on crpytoprevent and bitdefender (anti ransom), both completely failed on my laptop.

 

OK just tested G Data AV v25.3.0.1, RansomFree v2.1.1.0 and HMPA independently against RanSim 1.0.2.2

8/10 - G Data failed both Streamer and InsideCryptor

9/10 - HMPA failed Streamer only

0/10 - RansomFree failed ALL!!

Wish RanSim can come out one with 30 or more ransomwares for testing purpose

 

Ransomware Simulator "RanSim" 1.0.2.2
http://www.majorgeeks.com/files/details/ransomware_simulator_ransim.html

 

As I replied in the "G Data Internet Security version 2017" thread, as well:

That is interesting.

On my test-system, G Data failed several more, see my test in the "G Data Internet Security version 2017" thread.

And on my test-system, HMPA does not stop the Streamer test scenario, but it does stop InsideCryptor test scenario, however RanSim version 1.0.2.2 shows "Vulnerable" for InsideCryptor anyhow, which is a bug according to the HMPA developers.
N.B. Please see my notes 1 and 2 in my initial RanSim Ransomware Simulator test and discussion thread post.

Your different outcome makes me wonder what your settings for G Data and for HMPA are, and whether these are different from mine.
Also your Windows version may be relevant. As stated in my signature, I use Windows 7 x64.

And also it makes me wonder if, with your test, G Data may have blocked part of the RanSim test functionality, so that RanSim didn't run correctly.
On my system, for RanSim to run correctly, I had to whitelist a few RanSim files in G Data settings.
(G Data Settings\ AntiVirus\ Real-time protection\ Exceptions)
See RanSim documentation, FAQ, "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious."
If G Data silently blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.

 

Looking though their FAQ's they don't seen to suggest that any AV adjustments need be made in fact one reads thus:

It is important to NOT turn off your antivirus at any point during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file. If that happens, you will need to un-quarantine the file and start over.

 

It makes me wonder if, with your test, Avast may have blocked part of the RanSim test functionality, so that RanSim didn't run correctly.
On my system, for RanSim to run correctly, I had to whitelist a few RanSim files in G Data antivirus settings.
See RanSim documentation, FAQ, "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious."
If Avast blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.

 

I know, but if any antivirus software blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.

As mentioned in RanSim documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:
"My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious.
If this occurs, it is a false positive. There is no dangerous code in the files, and these files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are simply the framework with which run the Ransomware simulation, so you can (and should!) allow them to run."

 

Avast doesn't seem to have blocked exe's....


https://postimg.org/image/zamyxp2j1/

 

I don't know Avast, so I can't say anything about how it operates.
I could imagine some reports could be in other Avast logs.
Perhaps other Avast users may know.
Just be sure RanSim.exe, Launcher.exe and RanSimSetup.exe are not blocked in any way. To be sure, you may want to whitelist those exe's in Avast.

 

Hi

I'm using Win 10 Pro 64-bit

I've to exit Zemana Antilogger. Removed HMPA. Make exceptions in G Data AV (same as yours) before I can perform RanSim test. Similarly, for testing with HMPA alone by removing G Data AV and exit Zemana Antilogger

Now, my G Data AV features

a) exploit protection (using HMPA)
b) email protection (I'm using only web-based emails)
c) keylogger protection (disabled HMPA's keylogger as well and using Zemana Antilogger)
d) BadUSB (using HMPA)
e) BankGuard (using Zemana Antilogger)

are turned off for I'm using HMPA and Zemana Antilogger to cover them

One thing I'm not sure. Does the email protection feature protects web-based emails as well? I don't think so, right?

 

@NiteRanger,
Thanks very much for your reply.
Perhaps I'll test G Data IS and HMPA again, later, using modified settings.
However, I will not uninstall G Data or HMPA like you did for testing, I'm only going to use modified settings.
Thanks again.

 

Why would you want to run RanSim in Sandboxie? That makes no sense.
And I didn't follow your Google Drive link. Why would I want to access files on your Google Drive? If you like to add images or whatever for us to see, you can use the Wilders "Upload a File" option.

 

Hadn't noticed this thread before due to Christmas festivities
I have tested several set up's since Dan posted the link in the Voodoo Shield thread a few weeks ago.
The only one's I have tested that have passed all 10 are Avast free and IS, WSA and EIS.
Had to either whitelist or set exceptions in all of them for setup.exe, launcher.exe and also launcher.bak and datacollector.exe if they were flagged (not all flagged the last two so I assume they were not detected as malicious).
I tested the standalone Kaspersky Anti Ransomware and it failed completely. It's possible that it works against real Ransomware but fails this test because it uses a different detection method.
Voodooshield of course passes all 10 as does EIS so I ran them both together to see which one would react first. VS actually blocks any execution at all so EIS never gave a squeak at all as there was nothing for it's behaviour blocker to react to.

I had the same result - probably because RanSim was unable to install a driver?

I set exceptions for Setup.exe Launcher.exe etc and then re ran the test and got a pop-up for each one of the 10 tests.