RanSim Ransomware Simulator test and discussion thread

Discussion in 'other anti-malware software' started by Stupendous Man, Dec 26, 2016.

  1. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    It seems the free version of Avast does not catch the "replacer" variant test. Also, Avast free gets 9/10 with signatures alone (i.e. Cybercapture and Hardened mode off)
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I guess Malwarebytes blocked or stopped one or more exe that are essential for RanSim to run correctly.
    If Malwarebytes blocks or stops RanSim.exe, Launcher.exe and/or RanSimSetup.exe, RanSim doesn't run as intended.
    You may have to whitelist those three RanSim exe in Malwarebytes settings.

    See documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:
    "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious.
    If this occurs, it is a false positive. There is no dangerous code in the files, and these files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are simply the framework with which to run the Ransomware simulation, so you can (and should!) allow them to run."
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Tried to install it with all security software disabled, but I cannot disable Cylance and it grabbed a .NET DLL on install.
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Yes, cruelsister seems to think it's reasonable at doing what it claims; good enough for me, I'll be using it on that.
     
  5. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I must have my CFW configured wrong, as it went 0/10. Webroot was perfect going 10/10.
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Clocks- I'll be putting out a CF10 setup video next week. It does protect against ransomware totally. God knows I've tried to breach it with ransomware (including self-coded nasty stuff) and so far have been unable to do so.
     
  7. guest

    guest Guest

    So the sandbox works at least.
    I love to see how products totally protect against something with the following approach: if the file is in my whitelist, OK; if not, the files get totally isolated and blocked. Yes, very practical and useful in real life, in particular when tons of files aren't part of that whitelist. Crappy approach to security that requires human intervention and a decision for every file not in the whitelist.

    I wonder why the other vendors don't do the same, since several of them have a sandbox. They might be stupid, or they must be doing something better and more intelligent.
     
    Last edited by a moderator: Dec 30, 2016
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    LR- You hate Comodo. We get it. Move on (and I guess you must really the Avira and Avast videos).
     
  9. guest

    guest Guest

    I don't hate Comodo, I use the firewall, but it is not fair to see people eating the magic ball sold by Melih. It is not true and it does not work in real life.
    Default deny is only allowing what you know is good; any HIPS/anti-exe can do that, and running the files in a sandbox doesn't solve the problem.
    Any anti-exe will block 100% of malware of any kind; why don't you test it, make a video and claim how good it is? Would you look stupid? Do you look any better doing the same with Comodo?
     
  10. guest

    guest Guest

    Yes, of course, and we all know that isolated apps run well, with no incompatibilities, and you don't lose any changes made with the isolated app. I wonder why we don't run all the apps isolated, even the OS, if it's such a great idea.

    "If you see that the file isolated is not malicious?" (I love this part.) And this is thanks to the sandbox? It is the way to be 100% sure if a file is malicious or not, lol. Then why do all the enterprise APT products and some cloud AVs that use this tech in a virtual OS not detect 100% of malware?

    BTW, the huge list is mainly based on certs; any malware with a stolen cert can bypass Comodo, or you can simply register a cert and then use it for malware and say that it was stolen. It has happened.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AVLab.pl, for which I posted a link to the test report previously, tested three versions of Comodo. Ver. 10 was beta at that time, so note the tester's comment.

    Cloud Anti-virus - 28/28 - i.e. 100%
    Ver. 8 - 26/28 - i.e. 93%
    Ver. 10 beta * - 15/28 - i.e. 54%

    * Comodo Internet Security Pro 10 BETA failed to respect the automatic sandbox module settings, which is the core protection against unknown malware. During testing, stable version hasn’t been available yet, so don’t put an equal sign between BETA and stable version results of Comodo Internet Security Pro 10.
     
  12. guest

    guest Guest

    And the changelogs since then didn't say a word about fixing any of this, nor did the final version.
    On the other hand, the good result of Comodo Cloud AV is because it is a FP machine generator.
     
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Just ran RanSim against AppCheck free and it stopped all except Streamer and InsideCryptor, which are the two that HMP.A and several others failed against.
     


  14. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    For me AppCheck's score is 10/10. I'm running it on Win 10 Pro 64-bit.

    If you have HMPA you must disable its exploit and all anti-ransomware features.
     
    Last edited: Dec 30, 2016
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I think it's time for an "I can't see the forest for the trees" analogy.

    What this simulator and others like it are performing are activities done after you have been infected with ransomware. The whole purpose of using a security solution in the first place is to prevent the ransomware payload from installing itself. Ransomware mitigation like this, or for any other type of malware once installed, is akin to fighting a battle where your odds of winning are slim at best.

    The Tests

    RanSim currently runs ten ransomware simulation scenarios. Each such simulation is run by an independent executable. The names of the executables are different each time they launch. These executables are located under the corresponding My Documents\RanSim\TestDirectories\Scenarios\<Scenario Name> folders.
     
    Last edited: Dec 30, 2016
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    No, HMPA does not fail against InsideCryptor.
    As mentioned in my start post:
    This was confirmed by Erik Loman, HMPA developer:
     
  17. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    I'm using Win 7 64-bit, not sure if that makes the difference. It could be that Win 10 enforces a stronger restriction policy.
    Yes, I was aware of that. It's possible that, if as Eric said there is a bug, then others are giving a false result as well.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    That's OK.
    I just wanted to get clear that it is not HMPA that fails against InsideCryptor, but that there is a bug in RanSim.
    Which is not the same, of course!
     
  19. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Also ran RanSim against SBGuard. This software appears to rely mainly on SRP - info on their website here

    https://www.sydneybackups.com.au/sbguard-anti-ransomware/

    This seems to neuter RanSim's (and real ransomware) ability to touch or see the documents folder at all. An interesting approach.
    My only concern is that there doesn't appear to be a way to protect the pictures folder.
     


  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Well, it's very simple, that restricts access to ransim.exe, as shown in your screen capture.

    As mentioned a couple of times before already,
    if security software blocks or stops RanSim.exe, Launcher.exe and/or RanSimSetup.exe, RanSim doesn't run as intended.
    You may have to whitelist those three RanSim exes in SBGuard settings (if possible).

    See documentation, FAQ, My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious:
    "My antivirus flagged RanSim.exe, Launcher.exe, or RanSimSetup.exe as malicious.
    If this occurs, it is a false positive. There is no dangerous code in the files, and these files are not doing any testing/recording in regards to whether your system passes/fails the simulation of ransomware. They are simply the framework with which to run the Ransomware simulation, so you can (and should!) allow them to run."



    Edit:
    I added that information in the start post, as not everyone seems to notice that essential information in the RanSim documentation.
     
    Last edited: Dec 30, 2016
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Can somebody test it against AppGuard....considering that VoodooShield was tested at MalwareTips and passed all the 10 tests?
     
  22. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Do you have HMPA as well? If yes, you'll have to disable its exploit and all anti-ransomware features before testing RanSim against AppCheck
     
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    I am well aware that you have to allow the exes IF they show. In SBGuard and AppCheck there is no pop-up for any of them and nowhere that you can whitelist them anyway.
     
  24. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    You cannot test against AppGuard; it simply stops the installer from running.

    No, I don't have HMP.A installed at the moment. I simply load up only the tools I want to test under Shadow Defender and then reboot when I've finished and load up the next test.
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    There seems to be a new version of RanSim for download - 1.0.2.4.
    Perhaps this corrects the bug Eric found. Will have a play later.
     