Author Topic: Ransim by KnowBe4

Offline loungehake

  • Dummy Half
  • Full Member
  • ***
  • Posts: 197
  • Come on lad! You've only got 70 yards to go.
Ransim by KnowBe4
« on: February 11, 2020, 01:01:20 PM »
I have just had the salutary experience of running Ransim by KnowBe4. 15 out of the 16 scenarios succeeded, i.e. from my point of view ransomware protection failed. I am running Avast free 19.8. Just thought I would share this with you.
Windows 7 Ultimate x64, Avast Free 20.2.2401,  Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware, OSArmor, EMET 5.52
Windows 8.1 Pro x64, Avast Free 20.2.2401, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware,  OSArmor
Windows 10 Pro x64, Avast Free 20.2.2401, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware, OSArmor

ASLR entropy is everything.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2775
  • Volunteer
Re: Ransim by KnowBe4
« Reply #1 on: February 11, 2020, 03:13:43 PM »
What was the scenario that failed? That's useful information...
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #2 on: February 11, 2020, 04:54:19 PM »
There are two scenarios that failed: RigSimulator and VirlockVariant.

Behavior Shield seems to become halted during it.

The version of the simulator seems to be 2.0.0.56.

What does effectively protect in this simulation is OSArmor 1.4.3 which blocks everything.  Avast does stop the Crypto Miner.

I have to admit that I am out of my depth running this simulation.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #3 on: February 12, 2020, 12:45:22 AM »
I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Offline Michael (alan1998)

Re: Ransim by KnowBe4
« Reply #4 on: February 12, 2020, 03:13:26 AM »
Quote from: loungehake on February 12, 2020, 12:45:22 AM
I should have stated more emphatically that running ransim stopped Behaviour Shield.  This should not happen, should it?  I am surprised that no one took note of this point.  I was a bit taken aback when it happened. This is surely a flaw in Avast.  How do I report a bug?

Sorry - When I initially read your post, that's not the impression I got. My mistake.

You can report scanner bypasses by following the instructions here: https://www.avast.com/bug-bounty
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student.

Offline loungehake

Re: Ransim by KnowBe4
« Reply #5 on: February 12, 2020, 09:40:02 AM »
I have noticed in the past that Behavior Shield seems less robust than it ought to be and others have reported similar issues.  If Behavior Shield is knocked out of action during a busy time, then that is a weakness which could be exploited by malware.  Ransim offers 16 exploits in rapid succession.  I want Behavior Shield to be able to stand up to a battering and it seems to be unable to.  This needs putting right.
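A defender-side check for the situation loungehake describes above, added here as an example that is not from the thread or from Avast: sample the process list while a simulation runs and report every interval in which a watched protection process was absent, so a shield dropping out under load is recorded with its timing. The process names and the snapshot data are constructed placeholders, not Avast's real process names.

```python
import platform
import subprocess

# Placeholder names for the protection components expected to stay alive
# throughout a run; these are NOT Avast's real process names.
WATCHED = {"BehaviorShield.exe", "AvService.exe"}

def outages(snapshots, watched=WATCHED):
    """Return [(name, down_at, up_at)] for each interval in which a watched
    process was absent. snapshots: time-ordered list of
    (timestamp, set_of_running_process_names). up_at is None if the process
    had not returned by the last sample."""
    down_since, found = {}, []
    for ts, running in snapshots:
        for name in sorted(watched):
            if name not in running and name not in down_since:
                down_since[name] = ts                 # first sample it is gone
            elif name in running and name in down_since:
                found.append((name, down_since.pop(name), ts))
    for name, ts in sorted(down_since.items()):
        found.append((name, ts, None))                # still down at the end
    return found

def longest_gap(snapshots, watched=WATCHED):
    """Longest observed outage in seconds (0 if none), usable as a pass/fail gate."""
    gaps = [(up if up is not None else snapshots[-1][0]) - down
            for _, down, up in outages(snapshots, watched)]
    return max(gaps, default=0)

def live_snapshot():
    """Sample running process names on Windows via tasklist (one poll)."""
    if platform.system() != "Windows":
        raise RuntimeError("live sampling needs the Windows tasklist command")
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return {line.split('","')[0].strip('"') for line in out.splitlines() if line}

# Constructed sample: the shield vanishes at t=2 s and is back at t=5 s.
SAMPLE = [(0, {"explorer.exe", "BehaviorShield.exe", "AvService.exe"}),
          (1, {"explorer.exe", "BehaviorShield.exe", "AvService.exe"}),
          (2, {"explorer.exe", "AvService.exe"}),
          (3, {"explorer.exe", "AvService.exe"}),
          (4, {"explorer.exe", "AvService.exe"}),
          (5, {"explorer.exe", "BehaviorShield.exe", "AvService.exe"})]

if __name__ == "__main__":
    for name, down, up in outages(SAMPLE):
        print(f"{name} missing from t={down}s until t={up}s")
    print("longest gap:", longest_gap(SAMPLE), "s")
```

For a real run, collect `(time.time(), live_snapshot())` pairs in a loop while the simulator executes and pass the list to `outages`.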

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 64811
    • >>>  Avast Forum - German-language section  <<<
Re: Ransim by KnowBe4
« Reply #6 on: February 12, 2020, 10:43:38 AM »
Hi, the devs are checking it...
Win 8.1 [x64] - Avast PremSec 20.4.2410.BUC [UI.522] - CC 5.65 - EEK - FF ESR 68.9 [NS/AOS/uBO/PB] - TB 68.9 - ASB/ACP/ASL.BUC
German-language section -> Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 111
Re: Ransim by KnowBe4
« Reply #7 on: February 12, 2020, 12:46:09 PM »
Hi loungehake,

we see that the Behavior Shield is working unexpectedly with Ransim, which may cause it to be stopped during the test. We are working on the fix and we hope it will be in the Avast 20.1 release.

To the first post you made:
The ransomware test which you are performing is wrong, because the Ransomware Shield should be used in the test, and it is not part of the Free edition.
We detect ransomware with Avast Free, but we don't detect simulators with it, as a simulator is a PUP/tool, not malware, and we look at it this way.

Regards,
PDI

Offline loungehake

Re: Ransim by KnowBe4
« Reply #8 on: February 12, 2020, 12:57:42 PM »
I did say that I was a bit out of my depth. I observed the detection of what seemed to be a PUP. I'm glad to read that Avast recognises simulators for what they are. You have restored my confidence in Avast.

I am very pleased that my naive attempt to use Ransim to test the ransomware resistance of my Windows PCs resulted in the exposure of a fixable bug in Behavior Shield.
« Last Edit: February 14, 2020, 11:40:14 AM by loungehake »