RanSim: Test ransomware attacks on your Windows PC

Ransim is a ransomware simulator for Windows that simulates attacks of ten ransomware families against the computer system.

Ransomware is without doubt a relatively new threat category that has gained some prominence in recent time.

Security companies have added ransomware protection to their tools as a response, or released standalone programs with the aim to block ransomware from encrypting files on a computer system.

It is difficult for most users to determine how well anti-ransomware programs protect their systems against ransomware threats. RanSim has been designed to simulate attacks on a computer system to find out if it is protected against ten common ransomware attacks.

RanSim

ransomware simulator

You are asked to fill out information on the developer website before download options are provided. I suggest you download the program from Major Geeks or another third-party download repository instead.

The program makers suggest that you keep your security software configured as is to simulate a real-world attack scenario. This may be problematic however in some cases. The new Malwarebytes Premium for instance blocked the execution of RanSim on target systems.

RanSim's interface is easy to use. It offers information on the ransomware test scenarios, and a single button that you may click on to start the test.



The test should not take longer than a minute to complete. The program will download test files from the Internet, but won't harm any files on the local system. It will enumerate the files though and display information on the vulnerability of these files.

It tests the following ransomware scenarios:

  1. InsideCryptor -- encrypts files using strong encryption and overwrites most of the content of the original files with the encrypted data.
  2. LockyVariant -- simulates the behavior of a recent version of Locky ransomware.
  3. Mover -- Encrypts files in a different folder using strong encryption and safely deletes the original files.
  4. Replacer -- Replaces the content of the original files. A real ransomware would show a message that fools users into thinking they can recover them.
  5. Streamer -- Encrypts files and writes data into a single file, using strong encryption, then deletes the original files.
  6. StrongCryptor -- Encrypts files using strong encryption and safely deletes the original files.
  7. StrongCryptorFast -- Encrypts files using strong encryption and deletes the original files.
  8. StrongCrytptorNet -- Encrypts files using strong encryption and deletes the original files. It also simulates sending the encryption key to a server using an HTTP connection.
  9. ThorVariant -- Simulates the behavior of a recent version of Thor ransomware.
  10. WeakCryptor -- Encrypts files using weak encryption and deletes the original files.
Read also:  MBRFilter protects the Master Boot Record against manipulation

RanSim lists the number of successful and unsuccessful attacks during the test.

Closing Words

Select anti-ransomware software won't block RanSim from execution. This is for instance the case for RansomFree which creates its own dummy files that it monitors. Other security software may block the execution of the application.

This makes the program unusable on those machines. Still, it if works, it may be an eye opener if the anti-ransomware protection does not protect against the simulated attacks.

Now You: Best protection against ransomware?

Summary
Author Rating
3.5 based on 3 votes
Software Name
RanSim
Operating System
Windows
Software Category
Security
Landing Page

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to RanSim: Test ransomware attacks on your Windows PC

  1. Ben December 28, 2016 at 12:27 pm #

    I don't understand what this is supposed to do or tell me.
    When I run the exe (or whatever it is) via doubleclicking it can encrypt my HDD.
    Well, duh, of course it can.

    • Martin Brinkmann December 28, 2016 at 12:45 pm #

      Well the idea is that your security software should interfere with it.

  2. Karol December 28, 2016 at 12:43 pm #

    I think best protection is a brain=knowing internet safety rules. Then a sandbox or virtual machine.

  3. T J December 28, 2016 at 12:55 pm #

    I downloaded the installer from MajorGeeks.

    I installed it and started the program.
    Emsisoft Internet Security quarantined the Ransim file "Launcher.exe" immediately as a Trojan, as did Malwarebytes.
    In consequence, the program would not run.
    I uninstalled the program, then checked the registry. There were 24 Reg Entries for "Knowbe4" and 23 entries for "Ransim" which I removed.

    I did not try to download from the author's site because there were too many mandatory fields to be completed before I could download.

    • T J December 28, 2016 at 1:23 pm #

      I forgot to add that this is the first time ever that Emsisoft AND Malwarebytes have quarantined a file simultaneously !!!

      • Pants December 28, 2016 at 2:35 pm #

        T J - do both Emsisoft and Malwarebytes simultaneously detect an EICAR?

      • T J December 28, 2016 at 5:09 pm #

        @ Pants

        No Pants, they don't. That's why I was surprised.

        Anyway. enough of this software discussion, Enjoy the holidays :)

    • cdr December 30, 2016 at 12:52 am #

      Zemana antilogger stopped it as it started and deleted the application.

  4. Tom Hawack December 28, 2016 at 3:27 pm #

    Unpleasantly surprised here, not with RanSim but with the defense. Testing showed 2 vulnerabilities out of the 10:

    - InsideCryptor
    - Streamer

    My computer's defense concerning cryptoware is HitmanPro.Alert 3.6.1 Build 574

    I'm going to have to reconsider a tool I've relied on up to now. Quite disappointed, I was truly expecting 0 vulnerabilities.

    Many thanks, Martin, you ruined my day but contributed to my enlightenment :)

    • Tom Hawack December 28, 2016 at 4:28 pm #

      EDIT, quoting https://www.wilderssecurity.com/threads/ransim-ransomware-simulator-test-and-discussion-thread.390947/

      " Two notes regarding the current RanSim version 1.0.2.2:
      1. There is a bug in RanSim version 1.0.2.2 that shows "Vulnerable" for the InsideCryptor test scenario result when testing HitmanPro.Alert, while HitmanPro.Alert does protect against InsideCryptor. The HitmanPro.Alert developers contacted KnowBe4 regarding this bug.
      2. Your anti-ransomware solution may not stop the Streamer test scenario. That is not very relevant, as Streamer puts encrypted data into a single archive file, but only deletes the original files, so those can be recovered using recovery software. "

      Either RanSim 1.0.2.2 is problematic, either HitmanPro.Alert is.

      • nero January 2, 2017 at 10:28 pm #

        I'm in the same boat as you Tom. Thanks for updating your original post.

      • Tom Hawack January 2, 2017 at 11:16 pm #

        @nero, you certainly know that RanSim has been updated to version 1.0.2.4 and it seems that now HitmanPro.Alert scores 10/10 blocking.
        But far more important is the fact that the very way RanSim is built may lead in fact to a wrong interpretation. It appears that several anti-crtyptoware applications have included the RanSim executable in their blacklists, which makes RanSim blocked indeed but the RanSim test as well, giving possibly a false sens of security to users who have had their anti-malware/crytoware block RanSim. The intruder are the elements of the test, not RanSim. Nevertheless, HitmanPro.Alert does not block RanSim but it does block the simulated aggression provided by the test, and that, in this case, is relevant.

        I haven't tested RanSim 1.0.2.4 and I won't. I remain quite aware on the pertinence of simulation unless carried out with a plethora of parameters and an extensive methodology scheme. I don't believe RanSim is of that category.

  5. William December 29, 2016 at 12:17 am #

    Thank you for the information. The 100% successful test gave some peace of mind.

    The long wait when RanSim starts running is a little disconcerting but eventually Avast trapped every test before recommending boot test.

    Malwarebytes (Trial) did not intervene at any time during RanSim installation or testing.

    • Richard L Stevens December 29, 2016 at 11:06 pm #

      Hi, just wanted to clarify are you running Avast Free and it prevented all attacks ? One other reader stated that Malwarebytes did detect but you said it did not ? Just trying to find an AV that actually prevents these from executing.

      Thanks

      • William December 30, 2016 at 12:25 pm #

        Hi Richard.
        Yes, I am running Avast Free and it detected RanSim all tests. Because Avast intervened first, none of my other security software triggered. I could have temporarily shut down Avast to test further but am happy enough that Avast is responding to the tests.

        Note that RanSim does not attack but simulates an attack.

        After running the tests I uninstalled RanSim.

  6. ilev December 29, 2016 at 7:56 am #

    Not portable, fail.

  7. umpalumpa December 29, 2016 at 9:23 am #

    Hello, can specify location to test? For example network drive? I like to test FSRM protection of network share ( https://fsrm.experiant.ca/ ) Thanks.

  8. MelissaZ December 29, 2016 at 3:46 pm #

    This is a good start, but I agree with a previous poster. Knowledge of cyber threats and the tactics hackers use are the first and possibly the best forms of cyber security.

  9. jaime December 31, 2016 at 12:04 am #

    quioo 360 TS the best !! bloqued all

Leave a Reply