Help creating a ransomware simulator


We want to demonstrate the need for Webroot to prospective customers who use traditional AV software. So I wrote a simple "ransomware" program that only affects a test folder. It is a compiled .exe program that:
  1. Reads files one at a time from a test folder (c:userspublicvideos est)
  2. Encrypts the file contents.
  3. Writes the file to filename.txt.crypt.
  4. Deletes the file.
My expectation was that Webroot would see that a new .exe program was encrypting and deleting files and block it, but it did not. I have run the program from a Command Prompt window, from Windows Explorer and from a Desktop shortcut.
 
I also ran this ransomware simulator on a VM protected by a dedicated anti-ransomware program, CryptoDrop, but it, too, allowed the deletions. As I am not an experienced white hat hacker, I am sure I am missiing something.
 
I am aware of KnowBe4's RanSim ransomware simulator, but by now it is well known to signature-based antivirus products. I'd like to be able to create a simple, safe, new simulated ransomware program that Webroot will block. It is easy enough to limit its effect to a single specified user folder for safety, but perhaps that prevents it from being detected.
 
Your ideas are much appreciated!

1 reply

Userlevel 5
Badge +11
Hey Andy,
 
We actually don't condone private testing discussions by end-users as stated here:
https://community.webroot.com/t5/Getting-Started-Guides/Community-Guidelines/ta-p/185782
 
However, I do think we have a solution for you since you created it yourself and are doing this in a VM. If this is a monitored executable that you would like us to detect (utilities > system control > control active process) please open a ticket here:
https://detail.webrootanywhere.com/servicewelcome.asp
 
Please use the email associated with the keycode used on the VM - opening a ticket directly from the agent will also provide us a copy of the scan log.
 
We should be able to analyze the files you created and then detect them
 
Thanks!
 
 
 
 

Reply

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept or continue browsing you agree to our cookie policy. Learn more about our cookies.

    Accept cookies Cookie settings