Help creating a ransomware simulator

  • 27 October 2018
  • 1 reply
  • 32 views

We want to demonstrate the need for Webroot to prospective customers who use traditional AV software. So I wrote a simple "ransomware" program that only affects a test folder. It is a compiled .exe program that:

  1. Reads files one at a time from a test folder (c:\users\public\videos\test)
  2. Encrypts the file contents.
  3. Writes the file to filename.txt.crypt.
  4. Deletes the file.

My expectation was that Webroot would see that a new .exe program was encrypting and deleting files and block it, but it did not. I have run the program from a Command Prompt window, from Windows Explorer and from a Desktop shortcut.

I also ran this ransomware simulator on a VM protected by a dedicated anti-ransomware program, CryptoDrop, but it, too, allowed the deletions. As I am not an experienced white hat hacker, I am sure I am missing something.

I am aware of KnowBe4's RanSim ransomware simulator, but by now it is well known to signature-based antivirus products. I'd like to be able to create a simple, safe, new simulated ransomware program that Webroot will block. It is easy enough to limit its effect to a single specified user folder for safety, but perhaps that prevents it from being detected.

Your ideas are much appreciated!
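The behavioural signal the poster expected the AV to act on (a process writing high-entropy `.crypt` files and then deleting the originals) can be checked with a simple heuristic; the following is an added illustration of such a detector, not code from the thread or from any product. The file events, PIDs, paths and file contents are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events, not real telemetry: (pid, op, path, data_written)
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 40
HIGH_ENTROPY = bytes(range(256)) * 16   # stand-in for ciphertext: every byte value equally frequent
TEST_DIR = r"C:\Users\Public\Videos\test"

EVENTS = [
    (4242, "write",  TEST_DIR + r"\a.txt.crypt", HIGH_ENTROPY),
    (4242, "delete", TEST_DIR + r"\a.txt", None),
    (4242, "write",  TEST_DIR + r"\b.txt.crypt", HIGH_ENTROPY),
    (4242, "delete", TEST_DIR + r"\b.txt", None),
    (4242, "write",  TEST_DIR + r"\c.txt.crypt", HIGH_ENTROPY),
    (4242, "delete", TEST_DIR + r"\c.txt", None),
    (1337, "write",  r"C:\Users\andy\notes.txt", PLAINTEXT),   # benign editor save
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, usually well below 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_processes(events, entropy_threshold=7.0, min_pairs=3):
    """Return {pid: count} for processes that, at least min_pairs times, wrote a high-entropy
    file named <original>+<suffix> and afterwards deleted <original> (the encrypt-then-delete pattern)."""
    high_entropy_writes = defaultdict(set)   # pid -> paths of high-entropy files it wrote
    suspicious_pairs = defaultdict(int)      # pid -> number of write/delete pairs seen
    for pid, op, path, data in events:
        if op == "write" and shannon_entropy(data) >= entropy_threshold:
            high_entropy_writes[pid].add(path)
        elif op == "delete":
            # Did this same process earlier write a high-entropy file whose name extends the deleted name?
            if any(w != path and w.startswith(path) for w in high_entropy_writes[pid]):
                suspicious_pairs[pid] += 1
    return {pid: n for pid, n in suspicious_pairs.items() if n >= min_pairs}


if __name__ == "__main__":
    print(score_processes(EVENTS))   # expected: {4242: 3}
```

Real products work from kernel file-system callbacks rather than an event list, and tune the thresholds and extension handling far more carefully, but the entropy-plus-rename logic is the same idea.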

1 reply

Hey Andy,

We actually don't condone private testing discussions by end-users as stated here:

https://community.webroot.com/t5/Getting-Started-Guides/Community-Guidelines/ta-p/185782

However, I do think we have a solution for you since you created it yourself and are doing this in a VM. If this is a monitored executable that you would like us to detect (utilities > system control > control active process) please open a ticket here:

https://detail.webrootanywhere.com/servicewelcome.asp

Please use the email associated with the keycode used on the VM - opening a ticket directly from the agent will also provide us a copy of the scan log.

We should be able to analyze the files you created and then detect them.

Thanks!
