RanSim Ransomware Simulator test and discussion thread

Discussion in 'other anti-malware software' started by Stupendous Man, Dec 26, 2016.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    KnowBe4 offers the RanSim Ransomware Simulator.

    I noticed there was need for a dedicated thread to discuss RanSim and RanSim test results.
    This is the thread to do so.

    About RanSim:
    - RanSim offers a harmless simulation of a real ransomware infection.
    - It does not use any of your own files.
    - Currently, it tests 10 types of infection scenarios.
    - You can just download the installer and run it.
    - For detailed information, please see the RanSim documentation.

    N.B.
    If security software blocks or stops RanSim.exe, Launcher.exe and/or RanSimSetup.exe, RanSim does not run as intended. You may need to whitelist those three RanSim exe in your security software.
    See documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:
    N.B.
    There is a bug in RanSim (v1.0.2.1 - v1.0.2.4) that shows "Vulnerable" for the InsideCryptor test scenario result when testing HitmanPro.Alert, while HitmanPro.Alert does protect against InsideCryptor.
    The HitmanPro.Alert developers contacted KnowBe4 regarding this bug.
    Also see Erik Loman's posts #33 and #95 regarding this matter.

    N.B.
    Your anti-ransomware solution may or perhaps may not stop the Streamer test scenario. Don't worry about that, as that is not very relevant, as Streamer puts encrypted data into a single archive file, but only deletes the original files, so those can be recovered using recovery software.
    Well, that was the case up to and including RanSim v1.0.2.2.
    With RanSim v1.0.2.4, KnowBe4 may have changed Streamer's behavior slightly by touching the originals (as normal ransomware would). See Erik Loman's post #95.
     
    Last edited: Dec 30, 2016
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    979
    Why do they want my personal data before they allow me to download the ransomware simulator? No, thanks, I'll pass.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    Yeah, I never like that, either.
    But it is simple to get the RanSim download with filling in a fantasy name of your choice, a Mailinator e-mail address of your choice, and all zeros for your phone number.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,851
    Try this link:
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    979
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    I know, but I don't know if KnowBe4 likes it a lot if we offer that link.
    As I don't know if it is allowed, I didn't want to offer that link.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    If anyone is interested in RanSim test results for G Data IS,
    I tested G Data IS 25.3.0.1 with AntiRansomware module, using RanSim version 1.0.2.2.
    Results of that test are in the "G Data Internet Security version 2017" thread.
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,123
    Location:
    UK
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,851
    The link is mentioned in the VS-thread since 5 weeks and the link is in the sourcecode of the website.
    After clicking on "Get RanSim!" under the formular it redirects to it:
    It's not really a secret or "circumvention", it's only a little shortcut :)

    And if it were a problem, a moderator would have deleted the link in the VS-thread long time ago
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,123
    Location:
    UK

    Ahh, sorry I didn't realise you had already posted it!....I was questioning my own post and validity o_O
     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    967
  12. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,123
    Location:
    UK
    Tested on crpytoprevent and bitdefender (anti ransom), both completely failed on my laptop.
     
  13. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    577
    Location:
    Far East
    OK just tested G Data AV v25.3.0.1, RansomFree v2.1.1.0 and HMPA independently against RanSim 1.0.2.2

    8/10 - G Data failed both Streamer and InsideCryptor

    9/10 - HMPA failed Streamer only

    0/10 - RansomFree failed ALL!!

    Wish RanSim can come out one with 30 or more ransomwares for testing purpose
     
    Last edited: Dec 27, 2016
  14. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    5,812
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    As I replied in the "G Data Internet Security version 2017" thread, as well:

    That is interesting.

    On my test-system, G Data failed several more, see my test in the "G Data Internet Security version 2017" thread.

    And on my test-system, HMPA does not stop the Streamer test scenario, but it does stop InsideCryptor test scenario, however RanSim version 1.0.2.2 shows "Vulnerable" for InsideCryptor anyhow, which is a bug according to the HMPA developers.
    N.B. Please see my notes 1 and 2 in my initial RanSim Ransomware Simulator test and discussion thread post.

    Your different outcome makes me wonder what your settings for G Data and for HMPA are, and whether these are different from mine.
    Also your Windows version may be relevant. As stated in my signature, I use Windows 7 x64.

    And also it makes me wonder if, with your test, G Data may have blocked part of the RanSim test functionality, so that RanSim didn't run correctly.
    On my system, for RanSim to run correctly, I had to whitelist a few RanSim files in G Data settings.
    (G Data Settings\ AntiVirus\ Real-time protection\ Exceptions)
    See RanSim documentation, FAQ, "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious."
    If G Data silently blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.
     
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,123
    Location:
    UK
    Looking though their FAQ's they don't seen to suggest that any AV adjustments need be made in fact one reads thus:

    It is important to NOT turn off your antivirus at any point during this process. In order to have an accurate and meaningful ransomware simulation test, your antivirus must be configured and operating as it normally would.

    If the files are flagged as malicious, certain antiviruses may provide a warning, which will allow you to let the file run, quarantine it, or block it. Other antiviruses, however, may not give you an option--it could automatically block and quarantine the file. If that happens, you will need to un-quarantine the file and start over.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    It makes me wonder if, with your test, Avast may have blocked part of the RanSim test functionality, so that RanSim didn't run correctly.
    On my system, for RanSim to run correctly, I had to whitelist a few RanSim files in G Data antivirus settings.
    See RanSim documentation, FAQ, "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious."
    If Avast blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    I know, but if any antivirus software blocks RanSim.exe, Launcher.exe and/or RanSimSetup.exe, the RanSim test doesn't run as intended.

    As mentioned in RanSim documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:
    "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious.
    If this occurs, it is a false positive. There is no dangerous code in the files, and these files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are simply the framework with which run the Ransomware simulation, so you can (and should!) allow them to run."
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,123
    Location:
    UK
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    I don't know Avast, so I can't say anything about how it operates.
    I could imagine some reports could be in other Avast logs.
    Perhaps other Avast users may know.
    Just be sure RanSim.exe, Launcher.exe and RanSimSetup.exe are not blocked in any way. To be sure, you may want to whitelist those exe's in Avast.
     
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    577
    Location:
    Far East
    Hi

    I'm using Win 10 Pro 64-bit

    I've to exit Zemana Antilogger. Removed HMPA. Make exceptions in G Data AV (same as yours) before I can perform RanSim test. Similarly, for testing with HMPA alone by removing G Data AV and exit Zemana Antilogger

    Now, my G Data AV features

    a) exploit protection (using HMPA)
    b) email protection (I'm using only web-based emails)
    c) keylogger protection (disabled HMPA's keylogger as well and using Zemana Antilogger)
    d) BadUSB (using HMPA)
    e) BankGuard (using Zemana Antilogger)

    are turned off for I'm using HMPA and Zemana Antilogger to cover them

    One thing I'm not sure. Does the email protection feature protects web-based emails as well? I don't think so, right?
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    @NiteRanger,
    Thanks very much for your reply.
    Perhaps I'll test G Data IS and HMPA again, later, using modified settings.
    However, I will not uninstall G Data or HMPA like you did for testing, I'm only going to use modified settings.
    Thanks again.
     
    Last edited: Dec 27, 2016
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    Why would you want to run RanSim in Sandboxie? That makes no sense.
    And I didn't follow your Google Drive link. Why would I want to access files on your Google Drive? If you like to add images or whatever for us to see, you can use the Wilders "Upload a File" option.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,296
    I am not sure any of the test makes much sense.

    The funny part is I had to allow stuff to run to get the test going so it could run. It was stuff I normally would never run.

    I know the protection on the VM is working as I have been running live malware against it and the setup has yet to be breached. The test result was everything passed, but then it told me I had 118 vulnerable files. I understand what it is saying, but that is very confusing. If my setup is secure, nothing should be vulnerable.
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    755
    Hadn't noticed this thread before due to Christmas festivities :D
    I have tested several set up's since Dan posted the link in the Voodoo Shield thread a few weeks ago.
    The only one's I have tested that have passed all 10 are Avast free and IS, WSA and EIS.
    Had to either whitelist or set exceptions in all of them for setup.exe, launcher.exe and also launcher.bak and datacollector.exe if they were flagged (not all flagged the last two so I assume they were not detected as malicious).
    I tested the standalone Kaspersky Anti Ransomware and it failed completely. It's possible that it works against real Ransomware but fails this test because it uses a different detection method.
    Voodooshield of course passes all 10 as does EIS so I ran them both together to see which one would react first. VS actually blocks any execution at all so EIS never gave a squeak at all as there was nothing for it's behaviour blocker to react to.

    I had the same result - probably because RanSim was unable to install a driver?

    I set exceptions for Setup.exe Launcher.exe etc and then re ran the test and got a pop-up for each one of the 10 tests.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.