Jump to content
hake

RanSim by KnowBe4

Recommended Posts

I have just had the salutary experience of running Ransim by KnowBe4.  15 out of the 16 scenarios succeeded, i.e. my antiransomware failed.  I am running MBARW build 278.

Share this post


Link to post
Share on other sites

Greetings,

Thanks for the info.  I'm not sure what methods are being used by the testing tool or how Malwarebytes' Devs and Researchers would expect MBARW to deal with simulations like this, however I will be sure to pass your findings on to the Product team for analysis.

Thanks

Share this post


Link to post
Share on other sites

The Ransim version appears to be 2.0.0.56 and is the latest version at this time.  I suggest that you try it yourself.  I have uploaded it to you.  The key to extract from the zip file is 'knowbe4'.

ransim knowbe4.zip

Share this post


Link to post
Share on other sites

The latest version of RanSim is completely unrealistic and does not simulate the behaviour that real-world ransomware typically exhibits.

More concretely, the latest version of RanSim only encrypts files in a non-standard working directory inside %LocalAppData% (i.e. C:\Users\XYZ\AppData\Local\RSimulator\TestFolder\Tests\XX-Tests) and does not encrypt files in directories where real-world users’ files are typically found (e.g. Desktop, Downloads, Documents, etc.). Therefore, RanSim does not simulate real ransomware behaviour and therefore does not trigger our behaviour-based Anti-Ransomware detection engine. See the attached image.

We have tested Malwarebytes Anti-Ransomware against all ransomware families that RanSim attempts to simulate, and we can confirm that we do detect and block (relying on behaviour, not signatures) the encryption activity of those ransomware families. The only exception is RigSimulator (which simulates a Monero mining rig) which is not ransomware. However, we detect the RigSimulator malware family with our rule-based anti-malware engine.

RanSim.png

Edited by LiquidTension

Share this post


Link to post
Share on other sites

I am sorry to have caused you guys to waste your time.  It did occur to me that MBARW would have reacted as it was designed to do in the face of a real threat.

Share this post


Link to post
Share on other sites

Time not wasted.  If you had not asked the question and showed concern, someone else would have.  We got a chance to respond and everyone is a bit wiser now.  Thank YOU!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.