Help creating a ransomware simulator

  • 27 October 2018
  • 1 reply

We want to demonstrate the need for Webroot to prospective customers who use traditional AV software. So I wrote a simple "ransomware" program that only affects a test folder. It is a compiled .exe program that:
  1. Reads files one at a time from a test folder (c:userspublicvideos est)
  2. Encrypts the file contents.
  3. Writes the file to filename.txt.crypt.
  4. Deletes the file.
My expectation was that Webroot would see that a new .exe program was encrypting and deleting files and block it, but it did not. I have run the program from a Command Prompt window, from Windows Explorer and from a Desktop shortcut.
I also ran this ransomware simulator on a VM protected by a dedicated anti-ransomware program, CryptoDrop, but it, too, allowed the deletions. As I am not an experienced white hat hacker, I am sure I am missiing something.
I am aware of KnowBe4's RanSim ransomware simulator, but by now it is well known to signature-based antivirus products. I'd like to be able to create a simple, safe, new simulated ransomware program that Webroot will block. It is easy enough to limit its effect to a single specified user folder for safety, but perhaps that prevents it from being detected.
Your ideas are much appreciated!

1 reply

Userlevel 7
Badge +25
Hey Andy,
We actually don't condone private testing discussions by end-users as stated here:
However, I do think we have a solution for you since you created it yourself and are doing this in a VM. If this is a monitored executable that you would like us to detect (utilities > system control > control active process) please open a ticket here:
Please use the email associated with the keycode used on the VM - opening a ticket directly from the agent will also provide us a copy of the scan log.
We should be able to analyze the files you created and then detect them