KnowBe4 RanSim


#1

I tried RanSim and it initially showed 5 vulnerabilities. I then tried it with WinAntiRansom. Replacer.exe was flagged. I clicked Allow Next Time and when the test completed there were 0/5 vulnerabilities but also 0/5 Invulnerable. I’m not sure where I stand. From the FAQ I gather that replacer.exe is needed to complete the test, so do my results indicate that the test really hasn’t been completed, or what?


(Gary Kennington) #2

Have also tried this today, and for one laptop with folder redirection on the documents folder, it would not install. However, on the Microsoft Surface Pro 4 and one other laptop I tried it ran, and showed the 5 vulnerabilities. What would be useful is a guide to how to get your antivirus, or other software, to be able to block the individual tests, for a before and after scenario. It shows we are vulnerable, but not how to stop this type of attack if it were real!


(Brett Olson) #3

I did the same on a win10 64bit, user has Symantec Endpoint Protection SBE 3.00.012705 and NIS-22.6.4.5. Not sure what or how you would mitigate this with the tool used. It would be helpful to give some explanations on how or why scenarios pass or fail.


#4

Ran today on 64-bit VM Windows 7 with Crowdstrike protection active. Shows 5/5 vulnerabilities. Crowdstrike is an end-point behavioral analysis, machine learning tool. Surprised it did not pick up on this unless the “mock” ransomware is triggering behavior issues. We also have McAfee EPO on our SAN/VMs and it did not pick up on the files written. Would be good to know more about how the tool works to make sure it should trigger detections.


(Alini) #5

Hi! Here’s some documentation describing the simulation scenarios: https://knowbe4.zendesk.com/hc/en-us/articles/229040167-RanSim - “how it works” and the “test scenarios” sections.


#6

I agree with all the previous replies. It would be nice to have some insight, other than what is posted so far, on getting your AV to stop this if it were a real attack. Telling us we’re broken makes us aware we need to do something, but there is no helpful information on how to mitigate the problem.


#7

WinAntiRansom blocks almost all executables which are not run from Windows or Program files folders, no matter if they are related to ransomware or not. This is part of their “preemptive strike” module. From your post my best guess is that WinAntiRansom blocked at least one critical executable of Ransim, most probably datacollector.exe, which doesn’t perform any ransomware-like activity. In order to be able to assess the effectiveness of WinAntiRansom against the ransomware scenarios, make sure ransim.exe, launcher.exe and datacollector.exe are allowed to run. These processes do not perform ransomware activities, but they set the stage for the test, collect the results and show them in the UI.


(Rod) #8

Our AV (BitDefender) didn’t block any of the simulations. Also have Bitdefender Antiransomware and CryptoPrevent installed.


(Rod) #9

Malwarebytes Antiransomware blocked 3 of the 5 tests. It’s still a beta app though.

https://forums.malwarebytes.org/topic/177751-introducing-malwarebytes-anti-ransomware-beta/


(Rod) #10

I updated Bitdefender GravityZone to version 6, which includes a new feature call Ransomware Vaccine. This new feature is blocking the 5 tests that RanSim runs.


(Ray) #11

I ran RanSim on a Win 10 machine with only MS Security Essentials. - 5/5 Vulnerable

I installed Malwarebytes Anti-Ransomware Bets - 3/5 Vulnerable

I removed Malwarebytes, rebooted, and installed Kaspersky Anti-Ransomware Tool for Businesses - 2/5 Vulnerable

Bitdefender’s Free Anti-Crypto Vaccine & Anti-Ransomware - 5/5 Vulnerable


#12

I use software restriction policy with application whitelisting, so in a similar way to WinAntiRansom the RanSimSetup.exe would not normally be allowed to run but would have to be run as a local administrator - but this would then give the RanSIM tool admin access to run the tests which would not be a real life scenario (users do not have admin access).