Topic: Ransim by KnowBe4


Offline loungehake

Ransim by KnowBe4
« on: February 11, 2020, 01:01:20 PM »
I have just had the salutary experience of running Ransim by KnowBe4.  15 out of the 16 scenarios succeeded, i.e. from my point of view ransomware protection failed.  I am running Avast free 19.8.  Just thought I would share this with you.
Windows XP SP3, Avast Free 10.4.2233, Agnitum Outpost Firewall Pro 9.3, Malwarebytes Anti-Exploit, OSArmor, Comodo Memory Firewall
Windows 7 Ultimate x64, Avast Free 20.7.2425, Malwarebytes Anti-Exploit, OSArmor, EMET 5.52 (to ensure that ASLR is always ON)
Windows 8.1 Pro x64, Avast Free 20.7.2425, Malwarebytes Anti-Exploit, OSArmor
Windows 10 Pro x64 1909/2004, Avast Free 20.7.2425, Malwarebytes Anti-Exploit, OSArmor

Offline Michael (alan1998)

  • Volunteer
Re: Ransim by KnowBe4
« Reply #1 on: February 11, 2020, 03:13:43 PM »
What was the scenario that failed? That's useful information...
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #2 on: February 11, 2020, 04:54:19 PM »
There are two scenarios that failed: RigSimulator and VirlockVariant.

Behavior Shield seems to become halted during it.

The version of the simulator seems to be 2.0.0.56.

What does effectively protect in this simulation is OSArmor 1.4.3 which blocks everything.  Avast does stop the Crypto Miner.

I have to admit that I am out of my depth running this simulation.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #3 on: February 12, 2020, 12:45:22 AM »
I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Offline Michael (alan1998)

  • Volunteer
Re: Ransim by KnowBe4
« Reply #4 on: February 12, 2020, 03:13:26 AM »
Quote from: loungehake on February 12, 2020, 12:45:22 AM
I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Sorry - When I initially read your post, that's not the impression I got. My mistake.

You can report scanner bypasses by following the instructions here: https://www.avast.com/bug-bounty

Offline loungehake

Re: Ransim by KnowBe4
« Reply #5 on: February 12, 2020, 09:40:02 AM »
I have noticed in the past that Behavior Shield seems less robust than it ought to be and others have reported similar issues.  If Behavior Shield is knocked out of action during a busy time, then that is a weakness which could be exploited by malware.  Ransim offers 16 exploits in rapid succession.  I want Behavior Shield to be able to stand up to a battering and it seems to be unable to.  This needs putting right.

Offline Asyn

Re: Ransim by KnowBe4
« Reply #6 on: February 12, 2020, 10:43:38 AM »
Hi, the devs are checking it...
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
German-language section -> Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline PDI

  • Avast team
Re: Ransim by KnowBe4
« Reply #7 on: February 12, 2020, 12:46:09 PM »
Hi loungehake,

we see that the Behavior Shield is working unexpectedly with the Ransim, which may cause it to be stopped during the test. We are working on the fix and we hope it'd be in the Avast 20.1 release.

To the first post you made:
The ransomware test which you are performing is wrong, because the Ransomware Shield should be used in the test, and it is not part of the Free edition.
We detect ransomware with Avast Free, but we don't detect simulators with it, as a simulator is a PUP/tool, not malware, and we treat it that way.

Regards,
PDI

Offline loungehake

Re: Ransim by KnowBe4
« Reply #8 on: February 12, 2020, 12:57:42 PM »
I did say that I was a bit out of my depth. I observed the detection of what seemed to be a PUP. I'm glad to read that Avast recognises simulators for what they are. You have restored my confidence in Avast.

I am very pleased that my naive attempt to use Ransim to test the ransomware resistance of my Windows PCs resulted in the exposure of a fixable bug in Behavior Shield.
« Last Edit: February 14, 2020, 11:40:14 AM by loungehake »