RanSim Ransomware Simulator test and discussion thread

Yes,you're right,I was unable to install Ransim without shutting down ZAL & NVTERP ß (in spite of whitelisting .exe's in ZAL ?!). Foltyn SecurityShield ß is bugged on my system,and can't be turned off,so idea was to let him than take the hit.
Frankly, I didn't expect it to do the job,but it did.

 

I had to shutdown ZAM, Bitdefender fee-2016,and KAR, to install RanSim...
It ran and gave a false positive on InsideCryptor.

HMP.A caught all the attempts and no file was really encrypted, but restored.

BTW:
I registered with real name and phone number, and since that Be4 is flooding me with phone calls and emails...

 

Yes I agree, would be cool if you released it.

Interesting, too bad they don't offer a standalone HIPS anymore, like they did with Mamutu.

This is probably because it doesn't watch for suspicious file modification, it tries to stop malware in an earlier phase.

 

New version released - RanSim Ransomware Simulator v1.0.3.4:

 

Thanks for reporting, mood.

Regarding the "How it Works" technical background and FAQ that you mentioned, that is the same RanSim documentation article that I mentioned in the start post of this thread.

 

Now i see that they are the same . They called it that way on the download-page, so i did it too. But "Documentation" is better.

------
I can't edit my previous post, so i do it here:

For further information about RanSim, see #1
There is also a bug mentioned which affects RanSim. Perhaps it was solved with the new version v1.0.3.4, but i have not tested it yet.

Edit: They have added two "False Positive Scenarios" in the Documentation.
Installed Security software should only block 10 ransomware scenarios and should allow the 2 false positive scenarios (the "Archiver" and "Remover" which are responsible for creating and deleting the test files)

 

Don't worry about it, mood.
Better mentioned more than once, than not mentioned at all.

That's odd.
When you are logged in, there should be an Edit button in your recent posts.

 

It has a 12 hours deadline, iirc.

 

Last November, JRViejo mentioned,

 

I've sent a pm to JRViejo and Stapp a few minutes ago. Let's see what they say.

 

The only difference is that there are now two false positive scenarios (detailed in the new "documentation") which shouldn't be blocked.
Both HMP.A and AppCheck results still show "InsideCryptor" as Vulnerable although they have been blocked (should have fixed that bug by now). Both blocked "Archiver" and correctly let remover run.

 

I get vastly different results using the latest version. Avast in hardened mode scored only 4/10 blocks. And ZAM 0/10.

 

Although RanSim is both innocuous and fun to use, I feel that they were a bit too cute with this version. My issue is with what they consider "False Positives". They include two in this version:

1). The first is what amounts to a script that deletes files. Granted that ransomware will not work by deleting files initially (one can't ransom something that no longer exists), many destructive Scriptors (KillFile, KillDisk, CS Rootkit Analyzer) will work this way. So if whatever security solution you are testing against RanSim stops this process, it is far, far from a "False Positive". It is a good thing.

2). This one was troubling. RanSim will attempt to archive files via gzip. If your security solution stops this it would (according to RanSim) be considered a FP fail. Sadly what the developers either forgot or are ignorant of, certain ransomware (rare, but extent, an example being the original BART) will operate by just this mechanism. I've documented this in a number of my videos- the ransomware will archive the targeted files while simultaneously password protecting these archives. Paying the ransom will hopefully provide you with these passwords. Once again, stopping this process if far, far from a False Positive- it is actually Protection.

So guys- if whatever your favorite security application is "failed" in the RanSim FP section, understand that this would be a very good thing (I think KnowBe4 are getting too Full of themselves).

 

CS do you think that is only because the most wanted by the FBI in the past works for this company? Kevin Mitnick. the guru of social engineering. the programs I have installed won't even let me install this program which is a plus s far as I am concerned. even if I disabled all my protection , I would only install this in shadow mode.

 

Thanks.
So they added a new "False Positive-feature" in v1.0.3.4 but haven't fixed the "InsideCryptor"-bug from the previous version:

 

BoreDog- having a former Blackhat as part of a Startup security company is fairly standard in the US. Normally you will have a money man, then another (often someone recently retired from the military for Gravitas), and a Blackhat who actually knows malware and security. My issue wasn't with the application itself (which is safe), but with the conclusions a newbie may draw from the False Positive portion. I think Kevin may be spending too much time on his yacht and forgot about BART.

But the thing one must remember is that these test simulators are but a fun way to pass a boring afternoon and should not be viewed as the Word of God.

ps- the BEST way to get a really good job at a Security Startup is to be arrested for computer crimes. The younger one is at the time of arrest, the better (I'm very serious about this).

 

Absolutely... I could not agree more, thank you CS!

Besides, false positives were simply an annoyance before ransomware, now they are a requirement . Basically, there should be no discussion of false positives until the security product can demonstrate an efficacy approaching 100%.

 

New version 1.1.0.7 available. This has the same test scenarios as the last version but laid out differently. The real difference is after Ransim has been run you have the option to add your own custom folders.

 

New version available - RanSim Ransomware Simulator v1.1.0.76
no changelog available

 

So is this the end of the RanSim series? This thread stopped cold in 2017 and i wouldn't have even bothered posting to it but was curious if now current 2021 scenarios for such similar test ransomware simulators are around and improved enough for our members to safely but adequately test our own personal PC security systems against such.

The daily news is still chalked full of ransomware breach popularity mostly and chiefly within industry and oodles of other public services in every walk of life it seems.

 

@EASTER,
I haven't used RanSim since a long time.
I don't know what the latest version was, but I find a 9 November 2020 blog post Brand-New Ransomware Simulator Now With 21 Latest Infection Scenarios.
The RanSim version currently offered says 5 November 2020 in file properties details.
So it looks like RanSim was still developed, at least till half a year ago.

 

Thanks @Stupendous Man - Is there any straight link like before where you don't have to fill out a form to download? Like others i find its ludicrous to fill out forms when its supposedly a test proggy.

 

I filled the form with bogus info, even the e-mail field, and the "Thanks for requesting your KnowBe4 RanSim Tool!" page opened. That page offers a download link and a password for the protected zip file.
I don't think it is allowed to give the download link here. But as I said, you can fill the form with bogus info and get the download link and the password.