RanSim: Test ransomware attacks on your Windows PC - gHacks Tech News

RanSim: Test ransomware attacks on your Windows PC

by Martin Brinkmann on December 28, 2016 in Security - 19 comments

Ransim is a ransomware simulator for Windows that simulates attacks of ten ransomware families against the computer system.

Ransomware is without doubt a relatively new threat category that has gained some prominence in recent time.

Security companies have added ransomware protection to their tools as a response, or released standalone programs with the aim to block ransomware from encrypting files on a computer system.

It is difficult for most users to determine how well anti-ransomware programs protect their systems against ransomware threats. RanSim has been designed to simulate attacks on a computer system to find out if it is protected against ten common ransomware attacks.

RanSim

ransomware simulator

You are asked to fill out information on the developer website before download options are provided. I suggest you download the program from Major Geeks or another third-party download repository instead.

The program makers suggest that you keep your security software configured as is to simulate a real-world attack scenario. This may be problematic however in some cases. The new Malwarebytes Premium for instance blocked the execution of RanSim on target systems.

RanSim's interface is easy to use. It offers information on the ransomware test scenarios, and a single button that you may click on to start the test.

The test should not take longer than a minute to complete. The program will download test files from the Internet, but won't harm any files on the local system. It will enumerate the files though and display information on the vulnerability of these files.

It tests the following ransomware scenarios:

  1. InsideCryptor -- encrypts files using strong encryption and overwrites most of the content of the original files with the encrypted data.
  2. LockyVariant -- simulates the behavior of a recent version of Locky ransomware.
  3. Mover -- Encrypts files in a different folder using strong encryption and safely deletes the original files.
  4. Replacer -- Replaces the content of the original files. A real ransomware would show a message that fools users into thinking they can recover them.
  5. Streamer -- Encrypts files and writes data into a single file, using strong encryption, then deletes the original files.
  6. StrongCryptor -- Encrypts files using strong encryption and safely deletes the original files.
  7. StrongCryptorFast -- Encrypts files using strong encryption and deletes the original files.
  8. StrongCrytptorNet -- Encrypts files using strong encryption and deletes the original files. It also simulates sending the encryption key to a server using an HTTP connection.
  9. ThorVariant -- Simulates the behavior of a recent version of Thor ransomware.
  10. WeakCryptor -- Encrypts files using weak encryption and deletes the original files.

RanSim lists the number of successful and unsuccessful attacks during the test.

Closing Words

Select anti-ransomware software won't block RanSim from execution. This is for instance the case for RansomFree which creates its own dummy files that it monitors. Other security software may block the execution of the application.

This makes the program unusable on those machines. Still, it if works, it may be an eye opener if the anti-ransomware protection does not protect against the simulated attacks.

Now You: Best protection against ransomware?

Summary
software image
Author Rating
1star1star1stargraygray
3.5 based on 3 votes
Software Name
RanSim
Operating System
Windows
Software Category
Security
Landing Page
https://www.knowbe4.com/ransomware-simulator
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Donate via PayPal

Previous Post: «
Next Post: »

Comments

  1. Ben said on December 28, 2016 at 12:27 pm
    Reply

    I don’t understand what this is supposed to do or tell me.
    When I run the exe (or whatever it is) via doubleclicking it can encrypt my HDD.
    Well, duh, of course it can.

    1. Martin Brinkmann said on December 28, 2016 at 12:45 pm
      Reply

      Well the idea is that your security software should interfere with it.

  2. Karol said on December 28, 2016 at 12:43 pm
    Reply

    I think best protection is a brain=knowing internet safety rules. Then a sandbox or virtual machine.

  3. T J said on December 28, 2016 at 12:55 pm
    Reply

    I downloaded the installer from MajorGeeks.

    I installed it and started the program.
    Emsisoft Internet Security quarantined the Ransim file “Launcher.exe” immediately as a Trojan, as did Malwarebytes.
    In consequence, the program would not run.
    I uninstalled the program, then checked the registry. There were 24 Reg Entries for “Knowbe4” and 23 entries for “Ransim” which I removed.

    I did not try to download from the author’s site because there were too many mandatory fields to be completed before I could download.

    1. T J said on December 28, 2016 at 1:23 pm
      Reply

      I forgot to add that this is the first time ever that Emsisoft AND Malwarebytes have quarantined a file simultaneously !!!

      1. Pants said on December 28, 2016 at 2:35 pm
        Reply

        T J – do both Emsisoft and Malwarebytes simultaneously detect an EICAR?

      2. T J said on December 28, 2016 at 5:09 pm
        Reply

        @ Pants

        No Pants, they don’t. That’s why I was surprised.

        Anyway. enough of this software discussion, Enjoy the holidays :)

    2. cdr said on December 30, 2016 at 12:52 am
      Reply

      Zemana antilogger stopped it as it started and deleted the application.

  4. Tom Hawack said on December 28, 2016 at 3:27 pm
    Reply

    Unpleasantly surprised here, not with RanSim but with the defense. Testing showed 2 vulnerabilities out of the 10:

    – InsideCryptor
    – Streamer

    My computer’s defense concerning cryptoware is HitmanPro.Alert 3.6.1 Build 574

    I’m going to have to reconsider a tool I’ve relied on up to now. Quite disappointed, I was truly expecting 0 vulnerabilities.

    Many thanks, Martin, you ruined my day but contributed to my enlightenment :)

    1. Tom Hawack said on December 28, 2016 at 4:28 pm
      Reply

      EDIT, quoting https://www.wilderssecurity.com/threads/ransim-ransomware-simulator-test-and-discussion-thread.390947/

      ” Two notes regarding the current RanSim version 1.0.2.2:
      1. There is a bug in RanSim version 1.0.2.2 that shows “Vulnerable” for the InsideCryptor test scenario result when testing HitmanPro.Alert, while HitmanPro.Alert does protect against InsideCryptor. The HitmanPro.Alert developers contacted KnowBe4 regarding this bug.
      2. Your anti-ransomware solution may not stop the Streamer test scenario. That is not very relevant, as Streamer puts encrypted data into a single archive file, but only deletes the original files, so those can be recovered using recovery software. ”

      Either RanSim 1.0.2.2 is problematic, either HitmanPro.Alert is.

      1. nero said on January 2, 2017 at 10:28 pm
        Reply

        I’m in the same boat as you Tom. Thanks for updating your original post.

      2. Tom Hawack said on January 2, 2017 at 11:16 pm
        Reply

        @nero, you certainly know that RanSim has been updated to version 1.0.2.4 and it seems that now HitmanPro.Alert scores 10/10 blocking.
        But far more important is the fact that the very way RanSim is built may lead in fact to a wrong interpretation. It appears that several anti-crtyptoware applications have included the RanSim executable in their blacklists, which makes RanSim blocked indeed but the RanSim test as well, giving possibly a false sens of security to users who have had their anti-malware/crytoware block RanSim. The intruder are the elements of the test, not RanSim. Nevertheless, HitmanPro.Alert does not block RanSim but it does block the simulated aggression provided by the test, and that, in this case, is relevant.

        I haven’t tested RanSim 1.0.2.4 and I won’t. I remain quite aware on the pertinence of simulation unless carried out with a plethora of parameters and an extensive methodology scheme. I don’t believe RanSim is of that category.

  5. William said on December 29, 2016 at 12:17 am
    Reply

    Thank you for the information. The 100% successful test gave some peace of mind.

    The long wait when RanSim starts running is a little disconcerting but eventually Avast trapped every test before recommending boot test.

    Malwarebytes (Trial) did not intervene at any time during RanSim installation or testing.

    1. Richard L Stevens said on December 29, 2016 at 11:06 pm
      Reply

      Hi, just wanted to clarify are you running Avast Free and it prevented all attacks ? One other reader stated that Malwarebytes did detect but you said it did not ? Just trying to find an AV that actually prevents these from executing.

      Thanks

      1. William said on December 30, 2016 at 12:25 pm
        Reply

        Hi Richard.
        Yes, I am running Avast Free and it detected RanSim all tests. Because Avast intervened first, none of my other security software triggered. I could have temporarily shut down Avast to test further but am happy enough that Avast is responding to the tests.

        Note that RanSim does not attack but simulates an attack.

        After running the tests I uninstalled RanSim.

  6. ilev said on December 29, 2016 at 7:56 am
    Reply

    Not portable, fail.

  7. umpalumpa said on December 29, 2016 at 9:23 am
    Reply

    Hello, can specify location to test? For example network drive? I like to test FSRM protection of network share ( https://fsrm.experiant.ca/ ) Thanks.

  8. MelissaZ said on December 29, 2016 at 3:46 pm
    Reply

    This is a good start, but I agree with a previous poster. Knowledge of cyber threats and the tactics hackers use are the first and possibly the best forms of cyber security.

  9. jaime said on December 31, 2016 at 12:04 am
    Reply

    quioo 360 TS the best !! bloqued all

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Be polite: we do not allow comments that threaten or harass, or are personal attacks. Please leave politics and religion out of discussions!

Advertisement

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

Popular Posts

Advertisement

Recently Updated

This Day in History

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

© 2019 gHacks Technology News. All Rights Reserved.