KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection.
RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.
Here's how RanSim works:
NOTE: Created for Windows-based workstations running Windows 7+. RanSim does not alter any existing files on disk. As part of the simulation RanSim does enumerate all files on the local disk(s). For the purposes of encryption, simulated data files are downloaded from the Internet.
Ransomware is malicious software that locks users out of their devices or blocks access to files until a sum of money (the ransom) is paid. Ransomware attacks cause downtime, data loss and possible intellectual property theft, and in certain industries an attack is considered a data breach.
STEP 1: Disconnect Everything - Unplug the infected computer(s) from the network and turn off any wireless functionality: Wi-Fi, Bluetooth, NFC.
STEP 2: Determine the Scope of the Infection - Check the following for signs of encryption:
a. Mapped or shared drives
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External Hard Drives
e. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)
f. Cloud-based storage: DropBox, Google Drive, OneDrive etc.
STEP 3: Determine Whether Data or Credentials Have Been Stolen - Check logs and DLP software for any signs of data leaks. Look for unexpected large archive files (e.g., zip or arc) containing confidential data that could have been used as staging files. Look for malware, tools and scripts that could have been used to find and copy data. One of the most reliable signs of ransomware data theft is a notice from the ransomware gang involved announcing that your data and/or credentials have been stolen.
STEP 4: Determine the Ransomware Strain - Which strain/type of ransomware is it? For example: Ryuk, Dharma, SamSam, etc.
STEP 5: Determine Response - Now that you know the scope of the damage as well as the strain of ransomware you are dealing with, you can make a more informed decision as to what your next action will be. There are many response types; here is a summary of potential responses:
Response 1: If Data or Credentials Are Stolen
1. Determine whether the ransom should be paid to prevent the data or credentials from being released by the hackers.
2. If the ransom is to be paid, you can skip steps 1 and 3 of Response 2 (recovery from backup).
Response 2: If the Ransom Is Not Paid and You Need to Restore Your Files From Backup
1. Locate your backups:
a. Ensure all the files you need are there.
b. Verify the integrity of the backups (e.g., media that will not read, or corrupted files).
c. Check for Shadow Copies if possible (may not be an option with newer ransomware).
d. Check for any previous versions of files that may be stored in cloud storage, e.g., DropBox, Google Drive, OneDrive.
2. Remove the ransomware from your infected system.
3. Restore your files from backups.
4. Determine the infection vector and handle it.
Response 3: Try to Decrypt
1. Determine the strain and version of the ransomware, if possible.
2. Locate a decryptor; there may not be one for newer strains. If successful, continue with the following steps:
3. Attach any storage media that contains encrypted files (hard drives, USB sticks, etc.).
4. Decrypt the files.
5. Determine the infection vector and handle it.
Response 4: Do Nothing (Lose Files)
1. Remove the ransomware.
2. Back up your encrypted files for possible future decryption (optional).
Response 5: Negotiate and/or Pay the Ransom
1. If possible, you may attempt to negotiate a lower ransom and/or a longer payment period.
2. Determine the acceptable payment methods for the strain of ransomware: Bitcoin, cash card, etc.
3. Obtain the payment, most likely Bitcoin:
a. Locate an exchange through which you wish to purchase Bitcoin (time is of the essence).
b. Set up an account/wallet and purchase the Bitcoin.
4. Reconnect your encrypted computer to the internet.
5. Install the TOR browser (optional).
6. Determine the Bitcoin payment address. This is located either on the ransomware screen or on a TOR site set up for this specific ransom case.
7. Pay the ransom: transfer the Bitcoin to the ransom wallet.
8. Ensure all devices that have encrypted files are connected to your computer.
9. File decryption should begin within 24 hours, and often within just a few hours.
10. Determine the infection vector and handle it.
STEP 6: Protecting Yourself in the Future - Develop and implement a ransomware prevention checklist, specific to your organization, to prevent future attacks.
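Steps 2 and 3 above are manual checks. The following script is an added example (it is not part of RanSim, nor code from KnowBe4) of how the same checks can be run read-only over a directory tree: it flags documents that have gained a foreign extension, files whose content is high-entropy where plain text is expected, filenames that look like ransom notes, and oversized archives that could be exfiltration staging files. The extension sets, the name pattern, the 7.5 bits/byte entropy threshold and the sample files are all assumptions constructed for the demo.

```python
"""Added example (not part of RanSim or the page): a read-only sweep that
looks for the indicators Steps 2 and 3 describe.  Indicator thresholds,
extension sets and name patterns are assumptions chosen for the demo."""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# User-document extensions; an extra suffix appended after one of them
# (report.docx.locked) is a common marker of encrypted files.  (Assumed set.)
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".arc", ".tar", ".gz"}
# Formats that are compressed by design and therefore high-entropy when legitimate.
COMPRESSED_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"} | ARCHIVE_EXTS
# Words typical of dropped ransom notes (assumed pattern, not a strain-specific list).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover|ransom|how[_ -]?to)", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 4096      # only the head of each file is read, so the sweep stays cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, archive_threshold: int) -> list:
    """Return the names of the indicators that apply to one file."""
    hits = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and last not in DOCUMENT_EXTS | ARCHIVE_EXTS:
        hits.append("appended_extension")      # Step 2: document with a foreign suffix tacked on
    if last in {".txt", ".html", ".hta", ""} and RANSOM_NOTE_RE.search(path.stem):
        hits.append("ransom_note_name")        # Step 2: README_DECRYPT.txt and friends
    size = path.stat().st_size
    if last in ARCHIVE_EXTS and size >= archive_threshold:
        hits.append("large_archive")           # Step 3: possible exfiltration staging file
    if last not in COMPRESSED_EXTS and size > 0:
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                hits.append("high_entropy")    # Step 2: content that should be plain text is not
    return hits


def scan_tree(root, archive_threshold: int = 50 * 1024 * 1024) -> dict:
    """Walk `root` and map each suspicious file (relative POSIX path) to its indicators."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                hits = classify_file(p, archive_threshold)
            except OSError:
                continue  # unreadable file: skip it rather than touch anything
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(base) -> Path:
    """Constructed fixture: a few files that imitate a post-infection disk."""
    base = Path(base)
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "notes.txt").write_text("meeting notes\n" * 200)            # benign plain text
    rng = random.Random(1234)                                            # deterministic "ciphertext"
    (docs / "report.docx.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (docs / "README_DECRYPT.txt").write_text("Your files have been encrypted.\n")
    (base / "staging.zip").write_bytes(b"\0" * (128 * 1024))            # oversized archive in an odd place
    return base


def demo() -> dict:
    """Run the sweep over the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp), archive_threshold=64 * 1024)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Point `scan_tree()` at a mapped drive, a network share or an attached USB device to cover the locations listed under Step 2; it only reads file heads and never writes, so it can be used on evidence before imaging. The entropy check is skipped for formats that are compressed by design (Office, PDF, images, archives), otherwise every legitimate .docx would be flagged.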
If you'd like, you can perform additional checks by clicking the Check Now button again. After running your first analysis, you can optionally add your own test files to the test files folder. Those files will be used in any additional checks you perform with RanSim, to see whether they are vulnerable to encryption by a ransomware attack.
See the full RanSim Product Manual for more details.
It's a given that ransomware is here to stay for the foreseeable future. It's not new, so organizations should be well versed in how to stave off an attack, as well as how to remediate one should it succeed in encrypting the organization's data and/or systems. However, attacks have changed in recent years, so these are the best prevention steps to take:
Once RanSim has finished running all of the test scenarios, you can download a CSV file of the results. This CSV can be used to compare how your files hold up against the various simulated ransomware attacks. You can find the download link in the top right corner of the Results page.
These results can be used to secure any documents and files that failed any of the simulated tests. Implementing security awareness training that prepares your users to identify a phishing attack will reduce the risk of your organization falling victim to a ransomware attack.
Email Vector - By far the most common scenario involves an email attachment disguised as an innocuous file. Hackers will often send a file with multiple extensions to try to hide the true type of the file you are receiving. If a user receives a phishing email with an attachment, or even a link to a software download, and installs or opens it without verifying its authenticity and the sender's intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user's machine.
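The "multiple extensions" trick can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the page or from KnowBe4: it parses an e-mail with Python's standard `email` library, and for each attachment flags an executable final extension, a document extension hidden before it (invoice.pdf.exe), and a body whose leading bytes are a Windows executable even though the name claims a document. The message, the extension lists and the magic-number table are constructed assumptions for the demo.

```python
"""Added example (not from the page or KnowBe4): inspect the attachments of an
e-mail for the disguises the Email Vector paragraph describes.  The message
is constructed inline; extension sets and magic numbers are assumptions."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Extensions Windows will run or script when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                   ".bat", ".cmd", ".hta", ".lnk", ".ps1", ".msi"}
# Document types an attacker likes to put *before* the real extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# A few file signatures; enough to tell a PE binary from the document it claims to be.
MAGIC = ((b"MZ", "windows executable"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip container"))


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes rather than by its name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def inspect_attachments(raw_message: bytes) -> list:
    """Return (filename, sniffed type, reasons) per attachment; empty reasons means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        suffixes = [s.lower() for s in Path(name).suffixes]
        last = suffixes[-1] if suffixes else ""
        reasons = []
        if last in EXECUTABLE_EXTS:
            reasons.append("executable_extension")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append("double_extension")              # the page's "multiple extensions" trick
        kind = sniff(data)
        if kind == "windows executable" and last not in EXECUTABLE_EXTS:
            reasons.append("executable_content_disguised")  # name says document, bytes say PE
        report.append((name, kind, reasons))
    return report


def constructed_message() -> bytes:
    """Constructed sample: an 'invoice' mail carrying three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice 2024-117"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60                   # PE header stub, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice_2024.pdf.exe")
    msg.add_attachment(b"%PDF-1.7\n%constructed\n", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kind, reasons in inspect_attachments(constructed_message()):
        print(f"{name:24} {kind:20} {', '.join(reasons) or 'ok'}")
```

The content sniff matters because Windows Explorer hides known extensions by default, so a user sees "invoice_2024.pdf" for the first attachment; checking the bytes catches the third attachment, which has a clean name and a clean MIME type but is still a PE file.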
Drive-by Download - Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an outdated browser or browser plug-in, or with an unpatched third-party application, can infect a machine. The compromised website runs an exploit kit (EK) that checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these bugs are usually quickly patched by the software vendor, but there is always a period of time during which the software's users are vulnerable.
Free Software Vector - Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.
One method cybercriminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.
Remote Desktop Protocol (RDP) - Internet-exposed Remote Desktop Protocol (RDP) sessions are another very common means of infecting networks. RDP is used to log in to Windows computers remotely and lets the user control that computer as if they were sitting in front of it. The protocol typically communicates on port 3389, and many organizations allow that traffic from the internet through their firewall so people can access the computer remotely. Hackers have become increasingly skilled at attacking these exposed computers and using them to spread malware within a network. RDP is exploited either through an unpatched vulnerability or through password guessing, because the victims chose very weak passwords and/or did not enable account lockout protections.
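Password guessing against an exposed RDP service leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) of logon type 10 from one source address, often followed by a success (event 4624) from the same address once a guess lands. The following detection is an added example, not from the page or KnowBe4; the records are a constructed subset of the event fields (time, event ID, logon type, account, source IP), and the window of 5 minutes and threshold of 10 failures are assumptions.

```python
"""Added example (not from the page): detect RDP password guessing in Windows
Security logon events.  The records are a constructed subset of the fields of
events 4624 (logon) and 4625 (failed logon); thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type an RDP session produces


def constructed_events() -> list:
    """Constructed sample: one external source hammering three accounts, then one normal user."""
    base = datetime(2024, 1, 15, 3, 0, 0)
    events = []
    for i, user in enumerate(["administrator", "admin", "administrator", "backup"] * 3):
        events.append({"time": base + timedelta(seconds=5 * i), "event_id": 4625,
                       "logon_type": RDP_LOGON_TYPE, "user": user, "src_ip": "203.0.113.7"})
    # a success from the same source right after the burst: a guess landed
    events.append({"time": base + timedelta(seconds=65), "event_id": 4624,
                   "logon_type": RDP_LOGON_TYPE, "user": "backup", "src_ip": "203.0.113.7"})
    # an employee who mistypes once and then logs in: must not alert
    events.append({"time": datetime(2024, 1, 15, 9, 14, 30), "event_id": 4625,
                   "logon_type": RDP_LOGON_TYPE, "user": "jsmith", "src_ip": "10.0.0.25"})
    events.append({"time": datetime(2024, 1, 15, 9, 15, 0), "event_id": 4624,
                   "logon_type": RDP_LOGON_TYPE, "user": "jsmith", "src_ip": "10.0.0.25"})
    return events


def detect_rdp_guessing(events, max_failures=10, window=timedelta(minutes=5)) -> list:
    """One alert per source IP with >= max_failures RDP failures inside `window`.

    A success from that source after the burst is reported too, because that is
    the moment guessing turned into a foothold."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        burst = None
        start = 0
        for i, f in enumerate(failures):            # sliding window over failure times
            while f["time"] - failures[start]["time"] > window:
                start += 1
            if i - start + 1 >= max_failures:
                burst = (failures[start]["time"], f["time"], i - start + 1,
                         sorted({x["user"] for x in failures[start:i + 1]}))
        if burst is None:
            continue
        first, last, count, users = burst
        success = next((e for e in evs if e["event_id"] == 4624 and e["time"] >= last), None)
        alerts.append({"src_ip": src, "first": first, "last": last, "failures": count,
                       "users": users, "success_after_burst": success["user"] if success else None})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_guessing(constructed_events()):
        print(f"{a['src_ip']}: {a['failures']} RDP failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} "
              f"against {a['users']}; success afterwards: {a['success_after_burst']}")
```

Grouping by source address rather than by account is deliberate: a guessing campaign rotates through many usernames, so per-account counters (and an account lockout threshold alone) can miss it. The alert carrying a success after the burst is the one to treat as a confirmed foothold rather than noise.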
Yes! The emergence of new strains has slowed down, but ransomware has gone nuclear and is getting much more sophisticated. In the early days, hackers mostly targeted consumers, and the ransomware would encrypt immediately upon executing. Later on, ransomware gangs realized they would make a lot more money targeting businesses. At first they would spread like a worm through organizations, collecting credentials and encrypting files along the way. Threat actors are now a lot more intelligent in their approach. Once they've gotten in, the malware 'dials home' so that the hacker can do a full analysis of which data is most valuable to the victim, how much they can realistically ask for, and what they can encrypt that will get them a payday sooner.
Most ransomware gangs are now exfiltrating your most valuable data and threatening to expose it on publicly available websites as an additional extortion method. Some of these criminals make you pay twice: once for the decryption key, and again to delete the data they have stolen. In the U.S. alone, a single cybersecurity insurance consortium said it is paying $1M per day in ransomware payouts to these criminal gangs.
That figure doesn't include recovery and downtime costs, which can far exceed the cost of the ransom. By now there are tens of thousands of ransomware victims, including school districts, police departments and entire cities. It is important to understand that it is not just large organizations that are targeted; small and medium organizations are also at risk.
Cybercriminals constantly use social engineering and update their ransomware themes to stay current. Some themes include the FBI variant, the Internal Revenue Service and, sadly, now COVID-19 pandemic-themed ransomware. In addition to updating themes, cybercriminals are also developing creative new ways to spread ransomware. These include offering Ransomware-as-a-Service (RaaS) strains such as "Dot" or "Philadelphia", where they offer your files back for free if you infect two other organizations. There are even marketing videos on YouTube for some ransomware strains.