Author Topic: Ransim by KnowBe4  (Read 3489 times)

Offline loungehake

  • Dummy Half
  • Poster
  • *
  • Posts: 425
  • Come on lad! You've only got 70 yards to go.
Ransim by KnowBe4
« on: February 11, 2020, 01:01:20 PM »
I have just had the salutary experience of running Ransim by KnowBe4.  15 out of the 16 scenarios succeeded, i.e. from my point of view ransomware protection failed.  I am running Avast free 19.8.  Just thought I would share this with you.
Windows 10 Pro 22H2 x64, Avast Free 24.1, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Ransim by KnowBe4
« Reply #1 on: February 11, 2020, 03:13:43 PM »
What was the scenario that failed? That's useful information...
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #2 on: February 11, 2020, 04:54:19 PM »
There are two scenarios that failed: RigSimulator and VirlockVariant.

Behavior Shield seems to become halted during it.

The version of the simulator seems to be 2.0.0.56.

What does effectively protect in this simulation is OSArmor 1.4.3 which blocks everything.  Avast does stop the Crypto Miner.

I have to admit that I am out of my depth running this simulation.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #3 on: February 12, 2020, 12:45:22 AM »
I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Offline Michael (alan1998)

Re: Ransim by KnowBe4
« Reply #4 on: February 12, 2020, 03:13:26 AM »
> I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Sorry - When I initially read your post, that's not the impression I got. My mistake.

You can report scanner bypasses by following the instructions here: https://www.avast.com/bug-bounty

Offline loungehake

Re: Ransim by KnowBe4
« Reply #5 on: February 12, 2020, 09:40:02 AM »
I have noticed in the past that Behavior Shield seems less robust than it ought to be and others have reported similar issues.  If Behavior Shield is knocked out of action during a busy time, then that is a weakness which could be exploited by malware.  Ransim offers 16 exploits in rapid succession.  I want Behavior Shield to be able to stand up to a battering and it seems to be unable to.  This needs putting right.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Ransim by KnowBe4
« Reply #6 on: February 12, 2020, 10:43:38 AM »
Hi, the devs are checking it...
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 159
Re: Ransim by KnowBe4
« Reply #7 on: February 12, 2020, 12:46:09 PM »
Hi loungehake,

We see that the Behavior Shield is working unexpectedly with Ransim, which may cause it to be stopped during the test. We are working on the fix and we hope it will be in the Avast 20.1 release.

To the first post you made:
The ransomware test you are performing is wrong, because the Ransomware Shield, which is not part of the Free edition, should be used in the test.
We detect ransomware with Avast Free, but we don't detect simulators with it, as a simulator is a PUP/Tool, not malware, and that is how we look at it.

Regards,
PDI

Offline loungehake

Re: Ransim by KnowBe4
« Reply #8 on: February 12, 2020, 12:57:42 PM »
I did say that I was a bit out of my depth. I observed the detection of what seemed to be a PUP. I'm glad to read that Avast recognises simulators for what they are. You have restored my confidence in Avast.

I am very pleased that my naive attempt to use Ransim to test the ransomware resistance of my Windows PCs resulted in the exposure of a fixable bug in Behavior Shield.
« Last Edit: February 14, 2020, 11:40:14 AM by loungehake »