EDR: Why Does EDR Not Detect RanSim Ransomware Simulator?

Environment

  • EDR Server: All Supported Versions

Question

  • Why does EDR not detect KnowBe4's RanSim ransomware simulator?

Answer

  • RanSim creates its own folder, drops a set of arbitrary sample documents into it, and encrypts those documents with a known routine; it then expects security products to catch that activity. From EDR's point of view these operations never touch user files and are not inherently malicious, so nothing fires.
  • The AV products that score well against RanSim are the ones with signatures for the encryption or ransomware routines RanSim uses: they see the routine loaded into memory, recognize it as code used by known malware, and block the operation. EDR's detections work differently. They trigger on the encryption of actual user directories, not on an arbitrary directory of test files being encrypted by a particular piece of code. With CBC we do prevent the encryption of user files, just not in the way RanSim is built to test traditional AV.
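To make the distinction in the answer concrete, here is an added illustration (not EDR or CBC product code, and not how the product actually implements its logic): a toy mass-encryption detector that only counts high-entropy rewrites of files under a user profile. A simulator that encrypts its own sample documents in a directory it created never reaches the threshold, while a process rewriting a user's Documents folder with ciphertext does. The event records, paths, process names and thresholds are all constructed for the example; the `C:\RanSim\Test` path is an assumption, not RanSim's real working directory.

```python
"""
Toy user-directory mass-encryption detector (added example, not product code).
It ignores writes outside user profiles, so a simulator encrypting files in
its own directory produces no alert, while in-place encryption of a user's
documents does. All events below are constructed sample data.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class FileWriteEvent:
    pid: int
    process: str
    path: str
    content: bytes  # bytes written to the file (constructed for the example)


USER_PROFILE_ROOT = PureWindowsPath(r"C:\Users")
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed data sits near 8
FILES_THRESHOLD = 5      # distinct user files one process must rewrite to alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_user_file(path: str) -> bool:
    """True for files under a real user's profile (C:\\Users\\<name>\\...),
    excluding the shared Public and Default profiles."""
    p = PureWindowsPath(path)
    try:
        rel = p.relative_to(USER_PROFILE_ROOT)
    except ValueError:
        return False  # not under C:\Users at all (e.g. a simulator's own folder)
    # need a profile name plus at least one component inside it
    return len(rel.parts) >= 2 and rel.parts[0].lower() not in {"public", "default"}


def detect_mass_encryption(events):
    """Return {(pid, process): [paths]} for every process that rewrote at least
    FILES_THRESHOLD distinct user files with high-entropy (ciphertext-like) content."""
    touched = defaultdict(set)
    for ev in events:
        if not is_user_file(ev.path):
            continue  # a tool-created test directory is not user data; ignored
        if shannon_entropy(ev.content) < ENTROPY_THRESHOLD:
            continue  # ordinary document save, not an encryption rewrite
        touched[(ev.pid, ev.process)].add(ev.path)
    return {k: sorted(v) for k, v in touched.items() if len(v) >= FILES_THRESHOLD}


# Constructed file contents: readable text versus random bytes standing in for ciphertext.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 64
CIPHERTEXT = os.urandom(4096)


def sample_events():
    """Constructed telemetry: a simulator, a real ransomware-style process, a normal save."""
    events = []
    # Simulator-style activity: encrypts files in a directory it created itself.
    for i in range(20):
        events.append(FileWriteEvent(4242, "RanSim.exe",
                                     rf"C:\RanSim\Test\doc{i}.docx", CIPHERTEXT))
    # Ransomware-style activity: rewrites the user's own documents with ciphertext.
    for i in range(8):
        events.append(FileWriteEvent(1337, "invoice.exe",
                                     rf"C:\Users\alice\Documents\file{i}.xlsx", CIPHERTEXT))
    # Benign save of a normal document by an office application.
    events.append(FileWriteEvent(2001, "WINWORD.EXE",
                                 r"C:\Users\alice\Documents\notes.docx", PLAINTEXT))
    return events


if __name__ == "__main__":
    for (pid, proc), paths in detect_mass_encryption(sample_events()).items():
        print(f"ALERT pid={pid} {proc}: {len(paths)} user files rewritten with ciphertext")
```

Run as-is, only `invoice.exe` is reported: the twenty simulator writes are dropped by `is_user_file` before entropy is even considered, which is exactly why a test that never touches user directories cannot exercise a detection built around them.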

Article Information

Creation Date: 10-18-2021