- Reads files one at a time from a test folder (c:\users\public\videos\test)
- Encrypts the file contents.
- Writes the file to filename.txt.crypt.
- Deletes the file.
I also ran this ransomware simulator on a VM protected by a dedicated anti-ransomware program, CryptoDrop, but it, too, allowed the deletions. As I am not an experienced white hat hacker, I am sure I am missing something.
I am aware of KnowBe4's RanSim ransomware simulator, but by now it is well known to signature-based antivirus products. I'd like to be able to create a simple, safe, new simulated ransomware program that Webroot will block. It is easy enough to limit its effect to a single specified user folder for safety, but perhaps that prevents it from being detected.
Your ideas are much appreciated!
We actually don't condone private testing discussions by end-users as stated here:
However, I do think we have a solution for you since you created it yourself and are doing this in a VM. If this is a monitored executable that you would like us to detect (utilities > system control > control active process) please open a ticket here:
Please use the email associated with the keycode used on the VM - opening a ticket directly from the agent will also provide us a copy of the scan log.
We should be able to analyze the files you created and then detect them.