Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 14 replies
  • Subscribers 21 subscribers
  • Views 5925 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ransomware Simulation Too (simulation of real ransomware and cryptomining infections)

CORE

Hi,

We ran a ransomware simulation tool on our network to test some infection scenarios and found that our Sophos anti-virus did not pickup the following varieties:

Collaborator

Encrypts files similarly to a common version of Critroni. However, it relies on different processes for file enumeration, movement and deletion.                             

Injector    

Encrypts files by injecting the encryption code into a legitimate process using a common approach.                          

ReflectiveInjector          

Encrypts files by injecting the encryption code into a legitimate process using an advanced approach.                          

SlowCryptor        Simulates the behavior of a ransomware variant that encrypts files slowly, to avoid detection by security products.     



This thread was automatically locked due to age.
Parents
  • +1

    The challenge is that RanSim is a simulation, specifically one that isn't always faithful to how real-world ransomware works. There may be methods that ransomware could hypothetically use (but typically doesn't in the real world) that CryptoGuard in Intercept X doesn't block. In a real world situation, a lot of other layers of Intercept X would come into play: web protection, machine learning, reputation, etc. But, since we're allowing RanSim itself to run (it's a simulator, not malware), we're limited to evaluating its behaviors and trying to decide if they look like real malware. In some cases, they don't.

Reply
  • +1

    The challenge is that RanSim is a simulation, specifically one that isn't always faithful to how real-world ransomware works. There may be methods that ransomware could hypothetically use (but typically doesn't in the real world) that CryptoGuard in Intercept X doesn't block. In a real world situation, a lot of other layers of Intercept X would come into play: web protection, machine learning, reputation, etc. But, since we're allowing RanSim itself to run (it's a simulator, not malware), we're limited to evaluating its behaviors and trying to decide if they look like real malware. In some cases, they don't.

Children
Unfiltered HTML