RanSim Ransomware Simulator test and discussion thread

Discussion in 'other anti-malware software' started by Stupendous Man, Dec 26, 2016.

  1. jaodsvuda

    jaodsvuda Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    160
    Yes, you're right, I was unable to install RanSim without shutting down ZAL & NVTERP ß (in spite of whitelisting .exe's in ZAL?!). Foltyn SecurityShield ß is bugged on my system and can't be turned off, so the idea was to let it then take the hit.
    Frankly, I didn't expect it to do the job, but it did.
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    942
    Location:
    Baden Germany
    I had to shut down ZAM, Bitdefender Free 2016 and KAR to install RanSim...
    It ran and gave a false positive on InsideCryptor.

    HMP.A caught all the attempts and no file was really encrypted, but restored.

    BTW:
    I registered with my real name and phone number, and since then KnowBe4 has been flooding me with phone calls and emails...
     
    Last edited: Jan 4, 2017
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,127
    Location:
    The Netherlands
    Yes I agree, would be cool if you released it.

    Interesting, too bad they don't offer a standalone HIPS anymore, like they did with Mamutu.

    This is probably because it doesn't watch for suspicious file modification, it tries to stop malware in an earlier phase.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,782
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    Thanks for reporting, mood.

    Regarding the "How it Works" technical background and FAQ that you mentioned, that is the same RanSim documentation article that I mentioned in the start post of this thread.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,782
    Now I see that they are the same :oops:. They called it that way on the download page, so I did too. But "Documentation" is better.
    ------
    I can't edit my previous post, so I do it here:
    For further information about RanSim, see #1
    There is also a bug mentioned which affects RanSim. Perhaps it was solved with the new version v1.0.3.4, but I have not tested it yet.

    Edit: They have added two "False Positive Scenarios" in the Documentation.
    Installed security software should block only the 10 ransomware scenarios and should allow the 2 false positive scenarios (the "Archiver" and "Remover", which are responsible for creating and deleting the test files).
     
    Last edited: Feb 2, 2017
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    Don't worry about it, mood.
    Better mentioned more than once, than not mentioned at all.

    That's odd.
    When you are logged in, there should be an Edit button in your recent posts.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,727
    Location:
    Mexico
    It has a 12-hour deadline, iirc.
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,191
    Location:
    the Netherlands
    Last November, JRViejo mentioned,
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,727
    Location:
    Mexico
    I've sent a pm to JRViejo and Stapp a few minutes ago. Let's see what they say.
     
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    56,508
    Location:
    U.S.A.
    Due to the recent Xenforo forum software update, we have asked for Admin clarification on this matter. Please be patient.
     
  12. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    The only difference is that there are now two false positive scenarios (detailed in the new "documentation") which shouldn't be blocked.
    Both HMP.A and AppCheck results still show "InsideCryptor" as Vulnerable although it was blocked (they should have fixed that bug by now). Both blocked "Archiver" and correctly let "Remover" run.
     

  13. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,764
    I get vastly different results using the latest version. Avast in hardened mode scored only 4/10 blocks. And ZAM 0/10.
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,474
    Location:
    Paris
    Although RanSim is both innocuous and fun to use, I feel that they were a bit too cute with this version. My issue is with what they consider "False Positives". They include two in this version:

    1) The first is what amounts to a script that deletes files. Granted that ransomware will not work by deleting files initially (one can't ransom something that no longer exists), many destructive Scriptors (KillFile, KillDisk, CS Rootkit Analyzer) will work this way. So if whatever security solution you are testing against RanSim stops this process, it is far, far from a "False Positive". It is a good thing.

    2) This one was troubling. RanSim will attempt to archive files via gzip. If your security solution stops this it would (according to RanSim) be considered a FP fail. Sadly, what the developers either forgot or are ignorant of is that certain ransomware (rare, but extant, an example being the original BART) will operate by just this mechanism. I've documented this in a number of my videos: the ransomware will archive the targeted files while simultaneously password protecting these archives. Paying the ransom will hopefully provide you with these passwords. Once again, stopping this process is far, far from a False Positive; it is actually Protection.

    So guys- if whatever your favorite security application is "failed" in the RanSim FP section, understand that this would be a very good thing (I think KnowBe4 are getting too Full of themselves).
     
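    To illustrate the point made in the post above, here is an added example (not part of the thread, and not RanSim's or KnowBe4's code) of the kind of behavioural heuristic an anti-ransomware component applies to a stream of file events. It counts, per process and within a sliding time window, user files that are deleted and archives that appear in place of a deleted original. Both the "Archiver" pattern (gzip each file, remove the original) and the "Remover" pattern (bulk deletion) trip it, while ordinary zipping of a few files and a slow temp-file cleanup do not. The event format, thresholds, paths and process IDs are constructed assumptions for this example.

```python
"""Behaviour-based heuristic scoring processes by bulk file operations.

The trace produced by build_sample_trace() is constructed for this example and
stands in for what an endpoint sensor (minifilter, ETW, Sysmon) would report.
Thresholds, event names and the three hypothetical processes are assumptions,
not RanSim's or any vendor's actual logic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os

ARCHIVE_EXTS = {".gz", ".zip", ".7z", ".rar"}
WINDOW_SECONDS = 10.0   # sliding window over which bulk activity is counted
BULK_THRESHOLD = 20     # distinct user files affected within one window


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since start of trace
    pid: int
    op: str         # "create" | "write" | "delete"
    path: str


def is_archive(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in ARCHIVE_EXTS


def original_of(archive_path: str) -> str:
    """'report.docx.gz' -> 'report.docx': the file an archiver would replace."""
    return os.path.splitext(archive_path)[0]


def classify(events, window=WINDOW_SECONDS, threshold=BULK_THRESHOLD):
    """Return {pid: verdict}, verdict in {'archive_and_remove', 'mass_delete', 'benign'}."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        deletes = deque()    # (ts, path) of deleted non-archive files
        archives = deque()   # (ts, path) of newly created archive files
        verdict = "benign"
        for ev in evs:
            if ev.op == "delete" and not is_archive(ev.path):
                deletes.append((ev.ts, ev.path))
            elif ev.op == "create" and is_archive(ev.path):
                archives.append((ev.ts, ev.path))
            # Drop events that have fallen out of the window.
            for dq in (deletes, archives):
                while dq and ev.ts - dq[0][0] > window:
                    dq.popleft()
            deleted_paths = {p for _, p in deletes}
            # Archives whose original was deleted inside the same window:
            # the archive-then-remove pattern, checked before plain deletion
            # so an archiver is not mislabelled as a mere deleter.
            replaced = sum(1 for _, a in archives if original_of(a) in deleted_paths)
            if replaced >= threshold:
                verdict = "archive_and_remove"
                break
            if len(deleted_paths) >= threshold:
                verdict = "mass_delete"
                break
        verdicts[pid] = verdict
    return verdicts


def build_sample_trace():
    """Constructed trace: pid 100 behaves like the thread's 'Archiver', pid 200
    like its 'Remover', pid 300 like an ordinary user session."""
    events = []
    # pid 100: gzip each document, then delete the original; 25 files in ~5 s.
    for i in range(25):
        t = i * 0.2
        events.append(FileEvent(t, 100, "create", f"C:/Users/u/Documents/doc{i}.docx.gz"))
        events.append(FileEvent(t + 0.1, 100, "delete", f"C:/Users/u/Documents/doc{i}.docx"))
    # pid 200: deletes 25 pictures in 2.5 s.
    for i in range(25):
        events.append(FileEvent(i * 0.1, 200, "delete", f"C:/Users/u/Pictures/img{i}.jpg"))
    # pid 300: zips three notes, edits a file, then a slow temp cleanup
    # (one delete per second) that never reaches the threshold in one window.
    for i in range(3):
        events.append(FileEvent(1.0 + i, 300, "create", f"C:/Users/u/Desktop/note{i}.txt.gz"))
        events.append(FileEvent(1.5 + i, 300, "delete", f"C:/Users/u/Desktop/note{i}.txt"))
    events.append(FileEvent(5.0, 300, "write", "C:/Users/u/Desktop/todo.txt"))
    for i in range(25):
        events.append(FileEvent(10.0 + i, 300, "delete", f"C:/Users/u/AppData/Local/Temp/tmp{i}.tmp"))
    return events


if __name__ == "__main__":
    for pid, verdict in sorted(classify(build_sample_trace()).items()):
        print(pid, verdict)
```

    The window matters as much as the count: the same 25 deletions that flag pid 200 are benign for pid 300 because they are spread over 25 seconds, which is the kind of tuning a real product does to keep cleanup utilities and manual zipping from being blocked.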
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    CS, do you think that is only because the most wanted by the FBI in the past works for this company? Kevin Mitnick, the guru of social engineering. The programs I have installed won't even let me install this program, which is a plus as far as I am concerned. Even if I disabled all my protection, I would only install this in shadow mode.
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,782
    Thanks.
    So they added a new "False Positive" feature in v1.0.3.4 but haven't fixed the "InsideCryptor" bug from the previous version:
     
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    56,508
    Location:
    U.S.A.
    Nothing has changed! It is still 5 days for the majority of members.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,474
    Location:
    Paris
    BoreDog- having a former Blackhat as part of a Startup security company is fairly standard in the US. Normally you will have a money man, then another (often someone recently retired from the military for Gravitas), and a Blackhat who actually knows malware and security. My issue wasn't with the application itself (which is safe), but with the conclusions a newbie may draw from the False Positive portion. I think Kevin may be spending too much time on his yacht and forgot about BART.

    But the thing one must remember is that these test simulators are but a fun way to pass a boring afternoon and should not be viewed as the Word of God.

    PS: the BEST way to get a really good job at a Security Startup is to be arrested for computer crimes. The younger one is at the time of arrest, the better (I'm very serious about this).
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Absolutely... I could not agree more, thank you CS!

    Besides, false positives were simply an annoyance before ransomware, now they are a requirement ;). Basically, there should be no discussion of false positives until the security product can demonstrate an efficacy approaching 100%.
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    New version 1.1.0.7 available. This has the same test scenarios as the last version but laid out differently. The real difference is that after RanSim has been run you have the option to add your own custom folders.
     

  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,782
    New version available - RanSim Ransomware Simulator v1.1.0.76
    No changelog available.
     