Ransomware Simulation Too (simulation of real ransomware and cryptomining infections)

Any comments or assistance would be greatly appreciated.

Can you share the tool that you ran? Was it the one by KnowBe4? www.knowbe4.com/ransomware-simulator

Yes it was KnowBe4

I just ran the sim and have 3/4 showing as vulnerable.

• Collaborator
• Injector
• SlowCryptor

Yes, I'm getting all three and 'ReflectiveInjector'. Any idea's ?

My assumption is that CryptoGuard has to be mindful of legitimate encryption processes as well. Encryption doesn't always mean malware. If CryptoGuard flagged every encryption attempt we would have many issues. Im curious what exactly the ReflectiveInjector is doing. If there was more insight into this we could see what can be done to help Sophos better detect this technique.

The challenge is that RanSim is a simulation, specifically one that isn't always faithful to how real-world ransomware works. There may be methods that ransomware could hypothetically use (but typically doesn't in the real world) that CryptoGuard in Intercept X doesn't block. In a real world situation, a lot of other layers of Intercept X would come into play: web protection, machine learning, reputation, etc. But, since we're allowing RanSim itself to run (it's a simulator, not malware), we're limited to evaluating its behaviors and trying to decide if they look like real malware. In some cases, they don't.

Thank you

Is it possible to verify that Sophos can protect against all know versions of ransomware?

That's what I was trying to say...lol.

Well explained and makes perfect sense.