
Ransomware Simulators - A Detailed Analysis


itman


The topic of ransomware simulators keeps popping up in the forums; most notably the RanSim product by https://www.knowbe4.com/ransomware-simulator . I would have thought by now Eset would have published an official response to such software. Since they haven't, I will. If Eset approves of my analysis, they can post this reply as a "sticky."

Before I get into general commentary, let's take a detailed look at RanSim. All that I am posting here about RanSim is detailed in its documentation. Users are strongly encouraged to read a product's detailed operational documentation before using it.

RanSim creates folders in the user's Documents directory; one for each simulated ransomware attack it will perform. It then proceeds to create test files in each test directory that it will attempt to encrypt. It additionally creates an executable file in each test directory which is the simulated ransomware. Finally, the main RanSim process will initiate each test executable file in the test folder to begin the encryption processing against files contained in the test folder. RanSim determines a failure to be when any existing security software fails to detect the encryption activity by the test folder's executable against any test file in the given test folder.

Before I get into a detailed analysis of RanSim's methodology, I will make one general statement. There is absolutely nothing malicious occurring in the above activity.

Let's compare RanSim's methodology with how actual ransomware operates:

1. RanSim created its own test files in its own test folders. Ransomware encrypts existing files located in folders within the Users/XXXX/AppData//Documents directory. The permissions granted to these directories are given at the time the respective user profile is created. 

2. RanSim created its own test executables and stored them in its test folders. Ransomware does not store its payload executable in the Users/XXXX/AppData//Documents directory folder. The privileges and/or escalation of same are not sufficient to satisfy the methods employed by today's advanced ransomware.

Back to my general statement that there is absolutely nothing malicious occurring in RanSim's activities:

1. It created its test files.

2. It created the test executable.

3. It ran the test executables to perform encryption against its own test files.

None of the above is malicious activity since all activity originated from the same source process against targets it previously created. In reality, the same activity is performed by Windows system processes against registry and system files that it encrypts for security purposes. Or, more appropriately, by Microsoft or third-party encryption software such as BitLocker, LastPass, VeraCrypt, 7Zip, and AxCrypt, to name a few.

In summary, Eset was 100% correct in totally ignoring RanSim's activities. The main RanSim process is not known or identifiable malware. Neither are any of its test executables or the activities performed by them. Additionally, Eset, by ignoring RanSim's activities, prevented the "mapping" of its internal security mechanisms used to prevent ransomware. It is naïve to assume that ransomware developers are not employing this tool and others like it to perform detailed analysis against existing security software.

Bottom line - if you want to evaluate ransomware effectiveness, stick with the comparative reports done and published by security professionals trained in malware analysis that are employed by certified AV testing organizations.

-EDIT- I forgot to post this. Here is a cross link to a posting I made on Wilders Security: https://www.wilderssecurity.com/threads/interesting-antiransomware-freeware.391031/page-8#post-2643771. It is an article excerpt from an author who has "hit the nail on the head" in regard to what ransomware detection is all about, and also about the current state of ransomware and what to expect in the future.

Edited by itman

As a follow-up to my original posting, here are some additional comments.

There is a fundamental flaw in simulators such as RanSim. The flaw is that they are simulating post-infection ransomware behavior and totally ignoring the effectiveness of security solutions at preventing the ransomware payload from installing in the first place. I guess the argument made is that they are simulating 0-day ransomware. So let's examine that. Ransomware, unlike other malware, makes its presence immediately known. So the elapsed time to discovery and mitigation by positive signature detection is a relatively short period of time. The front-end steps performed by ransomware, such as script delivery, exploit, drive-by download, etc. of the malware dropper; establishment of the C&C server connection; etc., can all be detected by conventional AV security software. Additionally, current ransomware is delivering secondary malware payloads such as password stealers, etc., totally unrelated to direct encryption activities.

Security solutions that do well in these simulator tests employ behavior analysis to detect the execution of the crypto APIs used in encryption processing. They will generate an alert that such activity is occurring without regard as to whether the activity is malicious or benign. It is then left to the user to decide whether to allow or deny the suspect activity. Some of this software is capable of at least labeling the activity as "suspicious." Such action determination is acceptable for advanced PC users and individuals with PC security training/knowledge. However, for the average PC user, such alerts will probably cause confusion, with resulting wrong responses and potentially serious system malfunction or malware infection.

-EDIT- It should also be noted that many behavior-based ransomware solutions will always alert regardless of whether the ransomware is known or unknown. In a study done last year by the Polish-based AVLab: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf known samples were used:

For testing, we used 28 malicious software files of crypto ransomware. Among others there were: Cerber, CryptXXX, DetoxCrypto, Hitler Ransomware, HolyCrypt, Locky, Numecod, Petya, Jigsaw, Vipasana, Stampado and many others. The study included the total amount of 28 samples collected in a collaboration with independent researchers.

One of the products tested was VoodooShield Pro, which is 100% behavior-based and employs no signature analysis. For every ransomware sample tested, an alert was generated.

Edited by itman
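To make the argument of the two posts above concrete (a process rewriting files that it or its parent created is a different pattern from a process rewriting pre-existing user documents, and a plain crypto-API hook cannot tell an archiver from ransomware), here is an added example that is not from the forum posts or from any vendor's product: a toy provenance check over constructed process and file events. All process names, PIDs and paths are fictional.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): process spawns and file
# operations. op is "create" (new file) or "write" (existing file rewritten
# in place). Paths and process names are fictional.
EVENTS = [
    ("spawn", 100, 1, "ransim.exe"),                       # simulator main process
    ("file", 100, "create", r"C:\Users\u\Documents\RanSim\t1\a.txt"),
    ("file", 100, "create", r"C:\Users\u\Documents\RanSim\t1\b.txt"),
    ("spawn", 101, 100, "test1.exe"),                      # simulator test executable
    ("file", 101, "write", r"C:\Users\u\Documents\RanSim\t1\a.txt"),
    ("file", 101, "write", r"C:\Users\u\Documents\RanSim\t1\b.txt"),
    ("spawn", 300, 1, "7z.exe"),                           # legitimate archiver
    ("file", 300, "create", r"C:\Users\u\Documents\backup.7z"),
    ("spawn", 200, 1, "unknown.exe"),                      # ransomware-like pattern
    ("file", 200, "write", r"C:\Users\u\Documents\taxes.xlsx"),
    ("file", 200, "write", r"C:\Users\u\Documents\thesis.docx"),
]

def lineage(pid, parent):
    """pid plus every ancestor recorded in the spawn events."""
    chain = {pid}
    while pid in parent:
        pid = parent[pid]
        chain.add(pid)
    return chain

def foreign_rewrites(events):
    """Map pid -> pre-existing files it rewrote that neither it nor an
    ancestor created. In-place rewrites of files the process tree created
    itself (the simulator's pattern) and creation of new files (an archiver
    writing a fresh .7z) are not counted."""
    parent, creator, hits = {}, {}, defaultdict(list)
    for ev in events:
        if ev[0] == "spawn":
            parent[ev[1]] = ev[2]
            continue
        _, pid, op, path = ev
        if op == "create":
            creator[path] = pid
        elif op == "write" and creator.get(path) not in lineage(pid, parent):
            hits[pid].append(path)
    return dict(hits)

def suspects(events, threshold=2):
    """Processes that rewrote at least `threshold` foreign files."""
    return sorted(p for p, files in foreign_rewrites(events).items()
                  if len(files) >= threshold)
```

Only the process that rewrote documents it did not create is reported; the simulator's test executable and the archiver never appear in the result.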

2 weeks later...

Former ESET Employees

This is excellent!

Well, as I hear so often, people tend to take the word of someone they know over any brand. Honestly, I'm the same way. Depending on the nature of the message, sometimes it just has more weight and credibility when it comes from a user vs a brand. So our deep thanks for going through all of this work and writing out an amazing analysis.

You don't happen to be on Spiceworks do you? This could be a great topic of discussion there (which is already going on in a couple spots in the community) where established AV vendors like ESET are being hit hard for "not performing well" on RanSim.


2 hours ago, dwomack said:

You don't happen to be on Spiceworks do you?

I posted an abbreviated rebuttal on Wilders Security. Somewhat of a waste of time sadly since the "kids" over there don't seem to be able to fully grasp the need for fully integrated and comprehensive security protection. Must be part of the "anti-establishment" wave sweeping the world these days with third party security vendors in the "bullseye." 

Edited by itman

I almost forgot to post this.

Last year the Massachusetts Institute of Technology, aka MIT, conducted an extensive research study into the effectiveness of behavior analysis against computer malware; namely the use of Artificial Intelligence. Using the most advanced known algorithms available, most of which had not been publicly disseminated, the best achieved detection rate was 85%. Definitely worth a read:

http://news.mit.edu/2016/ai-system-predicts-85-percent-cyber-attacks-using-input-human-experts-0418

So it behooves security professionals to fully research supporting scientific data before taking the leap into new technology and abandoning known and field-proven security protection methods.

7 months later...

On 1/23/2017 at 3:28 AM, itman said:

The topic of ransomware simulators keeps popping up in the forums; most notably the RanSim product by https://www.knowbe4.com/ransomware-simulator .

Really Helpful


On 1/22/2017 at 4:58 PM, itman said:

The topic of ransomware simulators keeps popping up in the forums

Hi, you may be right, but in 100% of the situations when a "simulator" is not being detected by an antivirus, the typical answer is "the simulator did not have a malicious activity, and that's why it has not been detected"....

This topic is now closed to further replies.