Ransomware Simulation Too (simulation of real ransomware and cryptomining infections)

Question

Hi, 
 We ran a ransomware simulation tool on our network to test some infection scenarios and found that our Sophos anti-virus did not pickup the following varieties: 
 Collaborator 
 Encrypts files similarly to a common version of Critroni. However, it relies on different processes for file enumeration, movement and deletion. 
 Injector 
 Encrypts files by injecting the encryption code into a legitimate process using a common approach. 
 ReflectiveInjector 
 Encrypts files by injecting the encryption code into a legitimate process using an advanced approach. 
 SlowCryptor Simulates the behavior of a ransomware variant that encrypts files slowly, to avoid detection by security products.

Maxim-Sophos · Accepted Answer

The challenge is that RanSim is a simulation, specifically one that isn't always faithful to how real-world ransomware works. There may be methods that ransomware could hypothetically use (but typically doesn't in the real world) that CryptoGuard in Intercept X doesn't block. In a real world situation, a lot of other layers of Intercept X would come into play: web protection, machine learning, reputation, etc. But, since we're allowing RanSim itself to run (it's a simulator, not malware), we're limited to evaluating its behaviors and trying to decide if they look like real malware. In some cases, they don't.

Ransomware Simulation Too (simulation of real ransomware and cryptomining infections)

Top Replies