RanSim: Test ransomware attacks on your Windows PC
Ransim is a ransomware simulator for Windows that simulates attacks of ten ransomware families against the computer system.
Ransomware is without doubt a relatively new threat category that has gained some prominence in recent time.
Security companies have added ransomware protection to their tools as a response, or released standalone programs with the aim to block ransomware from encrypting files on a computer system.
It is difficult for most users to determine how well anti-ransomware programs protect their systems against ransomware threats. RanSim has been designed to simulate attacks on a computer system to find out if it is protected against ten common ransomware attacks.
RanSim
You are asked to fill out information on the developer website before download options are provided. I suggest you download the program from Major Geeks or another third-party download repository instead.
The program makers suggest that you keep your security software configured as is to simulate a real-world attack scenario. This may be problematic however in some cases. The new Malwarebytes Premium for instance blocked the execution of RanSim on target systems.
RanSim's interface is easy to use. It offers information on the ransomware test scenarios, and a single button that you may click on to start the test.
The test should not take longer than a minute to complete. The program will download test files from the Internet, but won't harm any files on the local system. It will enumerate the files though and display information on the vulnerability of these files.
It tests the following ransomware scenarios:
- InsideCryptor -- encrypts files using strong encryption and overwrites most of the content of the original files with the encrypted data.
- LockyVariant -- simulates the behavior of a recent version of Locky ransomware.
- Mover -- Encrypts files in a different folder using strong encryption and safely deletes the original files.
- Replacer -- Replaces the content of the original files. A real ransomware would show a message that fools users into thinking they can recover them.
- Streamer -- Encrypts files and writes data into a single file, using strong encryption, then deletes the original files.
- StrongCryptor -- Encrypts files using strong encryption and safely deletes the original files.
- StrongCryptorFast -- Encrypts files using strong encryption and deletes the original files.
- StrongCrytptorNet -- Encrypts files using strong encryption and deletes the original files. It also simulates sending the encryption key to a server using an HTTP connection.
- ThorVariant -- Simulates the behavior of a recent version of Thor ransomware.
- WeakCryptor -- Encrypts files using weak encryption and deletes the original files.
RanSim lists the number of successful and unsuccessful attacks during the test.
Closing Words
Select anti-ransomware software won't block RanSim from execution. This is for instance the case for RansomFree which creates its own dummy files that it monitors. Other security software may block the execution of the application.
This makes the program unusable on those machines. Still, it if works, it may be an eye opener if the anti-ransomware protection does not protect against the simulated attacks.
Now You: Best protection against ransomware?
It is 4 years later. Ransomware has evolved. Time to update. Current release of RanSim will simulate 15 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.
Current Major Geeks version, Ransomware Simulator RanSim 1.1.0.7, still noted in description as offering 10 tests. It is 08/13/2017 version.
The KnowBe4 site lists this as freeware but to get it from their site requires a business domain & email. I, as simply a concerned computer/web user was refused. Guess it is not really “free”.
Major Geeks should offer current version & you should update your review for 2020.
Thanks for all your efforts on behalf of us “little guys/gals”. God bless.
quioo 360 TS the best !! bloqued all
This is a good start, but I agree with a previous poster. Knowledge of cyber threats and the tactics hackers use are the first and possibly the best forms of cyber security.
Hello, can specify location to test? For example network drive? I like to test FSRM protection of network share ( https://fsrm.experiant.ca/ ) Thanks.
Not portable, fail.
Thank you for the information. The 100% successful test gave some peace of mind.
The long wait when RanSim starts running is a little disconcerting but eventually Avast trapped every test before recommending boot test.
Malwarebytes (Trial) did not intervene at any time during RanSim installation or testing.
Hi, just wanted to clarify are you running Avast Free and it prevented all attacks ? One other reader stated that Malwarebytes did detect but you said it did not ? Just trying to find an AV that actually prevents these from executing.
Thanks
Hi Richard.
Yes, I am running Avast Free and it detected RanSim all tests. Because Avast intervened first, none of my other security software triggered. I could have temporarily shut down Avast to test further but am happy enough that Avast is responding to the tests.
Note that RanSim does not attack but simulates an attack.
After running the tests I uninstalled RanSim.
Unpleasantly surprised here, not with RanSim but with the defense. Testing showed 2 vulnerabilities out of the 10:
– InsideCryptor
– Streamer
My computer’s defense concerning cryptoware is HitmanPro.Alert 3.6.1 Build 574
I’m going to have to reconsider a tool I’ve relied on up to now. Quite disappointed, I was truly expecting 0 vulnerabilities.
Many thanks, Martin, you ruined my day but contributed to my enlightenment :)
EDIT, quoting https://www.wilderssecurity.com/threads/ransim-ransomware-simulator-test-and-discussion-thread.390947/
” Two notes regarding the current RanSim version 1.0.2.2:
1. There is a bug in RanSim version 1.0.2.2 that shows “Vulnerable” for the InsideCryptor test scenario result when testing HitmanPro.Alert, while HitmanPro.Alert does protect against InsideCryptor. The HitmanPro.Alert developers contacted KnowBe4 regarding this bug.
2. Your anti-ransomware solution may not stop the Streamer test scenario. That is not very relevant, as Streamer puts encrypted data into a single archive file, but only deletes the original files, so those can be recovered using recovery software. ”
Either RanSim 1.0.2.2 is problematic, either HitmanPro.Alert is.
@nero, you certainly know that RanSim has been updated to version 1.0.2.4 and it seems that now HitmanPro.Alert scores 10/10 blocking.
But far more important is the fact that the very way RanSim is built may lead in fact to a wrong interpretation. It appears that several anti-crtyptoware applications have included the RanSim executable in their blacklists, which makes RanSim blocked indeed but the RanSim test as well, giving possibly a false sens of security to users who have had their anti-malware/crytoware block RanSim. The intruder are the elements of the test, not RanSim. Nevertheless, HitmanPro.Alert does not block RanSim but it does block the simulated aggression provided by the test, and that, in this case, is relevant.
I haven’t tested RanSim 1.0.2.4 and I won’t. I remain quite aware on the pertinence of simulation unless carried out with a plethora of parameters and an extensive methodology scheme. I don’t believe RanSim is of that category.
I’m in the same boat as you Tom. Thanks for updating your original post.
I downloaded the installer from MajorGeeks.
I installed it and started the program.
Emsisoft Internet Security quarantined the Ransim file “Launcher.exe” immediately as a Trojan, as did Malwarebytes.
In consequence, the program would not run.
I uninstalled the program, then checked the registry. There were 24 Reg Entries for “Knowbe4” and 23 entries for “Ransim” which I removed.
I did not try to download from the author’s site because there were too many mandatory fields to be completed before I could download.
Zemana antilogger stopped it as it started and deleted the application.
I forgot to add that this is the first time ever that Emsisoft AND Malwarebytes have quarantined a file simultaneously !!!
@ Pants
No Pants, they don’t. That’s why I was surprised.
Anyway. enough of this software discussion, Enjoy the holidays :)
T J – do both Emsisoft and Malwarebytes simultaneously detect an EICAR?
I think best protection is a brain=knowing internet safety rules. Then a sandbox or virtual machine.
I don’t understand what this is supposed to do or tell me.
When I run the exe (or whatever it is) via doubleclicking it can encrypt my HDD.
Well, duh, of course it can.
Well the idea is that your security software should interfere with it.