
Ransomware simulators reveal ‘eye-opening’ weaknesses

Some free tests provide early assessments of ransomware readiness.

Francis Scialabba


Preparation for ransomware often calls to mind a rehearsal of sorts: Execs gathering in a room to deal with the theoretical scenario of an adversary encrypting all their data.

Ransomware prep, however, doesn’t always involve war games in the conference room. There are free tools that offer quick reality-checks on a company’s detection capabilities.

Between a rock and a ransom. In the lore of Star Trek, leaders must face a “Kobayashi Maru” test—a simulation that’s pretty much unbeatable. The no-win situation poses a tough call: rescue a starship under attack or abandon it.

The dilemma is meant to show how one acts in a crisis. That’s how Greg Kras, CPO and chief cloud officer at the security-awareness platform provider KnowBe4, sees the company’s free ransomware simulator, known as RanSim. “You’re not going to get an A+,” he said.

The tool imitates 25 attack and encryption patterns used by real-world ransomware groups. The set includes Python-based code such as “BlackKingdomVariant,” which reuses code identical to samples posted on forums; “PhobosVariant,” which encrypts copies of targeted files and then deletes the originals; and “Replacer” code, which overwrites files that have specific extensions, like .docx or .pdf.

RanSim arrives with its own files to simulate the encryption. “We’re not going to go across the network, looking,” said Kras.
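To make the two behaviours above concrete, here is a toy simulator written for this article; it is an added example, not KnowBe4’s RanSim code. Like RanSim it only ever touches bait files it creates itself inside a fresh temporary directory and never scans other paths or the network. It runs a PhobosVariant-style pattern (encrypt a copy, delete the original) and a Replacer-style pattern (overwrite in place, only for targeted extensions), then classifies each bait file afterwards using Shannon entropy, which is how a simple integrity check can tell ciphertext from a document. The targeted extensions, bait file names, ".locked" suffix and the 7.0 bits-per-byte threshold are assumptions for the example; the SHA-256 counter keystream stands in for whatever cipher a real family uses.

```python
"""Toy ransomware-behaviour simulator in the spirit of the RanSim tool
described above. Added example, not KnowBe4's code. It only ever touches
bait files it creates itself inside a temporary directory, mirroring the
"arrives with its own files" design, and never scans other paths or the
network."""
import hashlib
import math
import secrets
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Assumption: extensions a "Replacer"-style pattern would target.
REPLACER_EXTS = {".docx", ".pdf"}
# Low-entropy filler standing in for a real document (~4 KB).
BAIT_TEXT = b"Quarterly figures: revenue up, costs flat. " * 96


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stands in for the AES/ChaCha a
    real family would use. Only the high-entropy output matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the plaintext with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def seed_bait(root: Path) -> list:
    """Create the simulator's own target files; nothing outside root is touched."""
    paths = []
    for name in ("report.docx", "invoice.pdf", "notes.txt"):
        p = root / name
        p.write_bytes(BAIT_TEXT)
        paths.append(p)
    return paths


def phobos_style(path: Path, key: bytes) -> Path:
    """Encrypt a copy under a new name, then delete the original."""
    locked = path.with_name(path.name + ".locked")
    locked.write_bytes(encrypt(path.read_bytes(), key))
    path.unlink()
    return locked


def replacer_style(path: Path, key: bytes) -> bool:
    """Overwrite files with targeted extensions in place; skip everything else."""
    if path.suffix.lower() not in REPLACER_EXTS:
        return False
    path.write_bytes(encrypt(path.read_bytes(), key))
    return True


def classify(original: Path) -> str:
    """What a file-integrity check would conclude about one bait file afterwards."""
    locked = original.with_name(original.name + ".locked")
    if not original.exists() and locked.exists():
        return "encrypted-copy" if shannon_entropy(locked.read_bytes()) > 7.0 else "renamed"
    if original.exists():
        return "overwritten" if shannon_entropy(original.read_bytes()) > 7.0 else "untouched"
    return "deleted"


def run_simulation(root: Optional[Path] = None) -> dict:
    """Seed bait, run each pattern against its own file, report per-file outcome.
    On a host where an endpoint product intervenes, the process is killed or the
    writes fail, and the report shows 'untouched' instead of ciphertext states."""
    root = root or Path(tempfile.mkdtemp(prefix="ransim-toy-"))
    key = secrets.token_bytes(32)
    docx, pdf, txt = seed_bait(root)
    phobos_style(docx, key)      # pattern 1 on report.docx
    replacer_style(pdf, key)     # pattern 2 on invoice.pdf
    replacer_style(txt, key)     # .txt is not targeted, so it is left alone
    return {p.name: classify(p) for p in (docx, pdf, txt)}


if __name__ == "__main__":
    for name, state in run_simulation().items():
        print(f"{name:14} {state}")
```

On an unprotected host the report reads encrypted-copy, overwritten, untouched for the three bait files; a product that blocks the behaviour turns the first two into untouched (or kills the script outright), which is the pass/fail signal a tool like RanSim reports per pattern.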

In Q2 of 2021, Kevin Tsuei, SVP and information security officer at the Commercial Bank of California, used the tool to test the financial institution’s anti-malware products. The first go-round was not an A+; the bank’s anti-malware tool “failed badly” at the time, according to Tsuei, only blocking 3 of the 21 tests.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“I can do a matrix-based risk assessment. I can go through a questionnaire from the regulators. But when it comes down to it: Does the defense actually work against real-life scenarios? That’s what really matters,” said Tsuei, who switched endpoint-detection vendors (to CrowdStrike) after the test.

A ransomware rise. Recent vendor-driven ransomware reports have revealed that the decades-old cybercrime tactic is still popular and profitable. The cybersecurity company Check Point Software found that 1 out of 10 organizations were hit by ransomware attacks, a figure that increased by 33% compared to 2022. Rapid7 noted about 5,200 reported ransomware cases in 2023. (The average paid ransom in Q3 2023, according to the consulting firm Coveware: $850,700.)

To keep customers out of the ransomware stat sheet, the cybersecurity vendor Zscaler also provides a free ransomware assessment tool that mimics the phases of an attack: initial machine compromise, lateral movement across the network, and data exfiltration.

An assessment score may drive remediation steps, said Zscaler SVP of New Initiatives Raj Krishna—say, disabling Remote Desktop Protocol, a common attack vector for ransomware actors.

“Even very sophisticated banks who are supposedly protected: They run it, and it’s eye-opening for them, like: ‘Really, I can exfiltrate source code or credit cards? How?’” Krishna told IT Brew.

Ultimately, the assessment tools provide a reminder that a company needs more defenses than anti-malware—safeguards like VPNs, data-loss-prevention tools, security awareness training, and hardening of Active Directory and software-execution policies, said Kras.

“We need to have multiple layers of security,” Kras told IT Brew, referring to the kind of defense-in-depth required for IT’s no-win scenarios.
