EDR: Why Does EDR Not Detect RanSim Ransomware Simulator?



Article ID: 287371


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Why does EDR not detect KnowBe4's RanSim ransomware simulator?

Environment

  • EDR Server: All Supported Versions

Resolution

  • This software simply drops arbitrary documents into a folder that it creates and then encrypts them using a known routine. It expects security products to catch those actions. In the case of EDR, these actions do not affect user files and are not seen as inherently malicious.
  • The AV solutions that detect RanSim are those with signatures designed for the encryption (ransomware) routines it uses: they see a routine loaded into memory, recognize it as one used by known malware, and block the operations. EDR's detections, by contrast, trigger on the encryption of actual user directories, not on an arbitrary directory of files being processed by a specific piece of code. CBC does prevent the encryption of user files, but not in the way that RanSim is designed to test traditional AV.
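The distinction drawn above, modelled as a toy file-event filter. This is an added example, not Carbon Black's detection logic; the process names, paths, the USER_ROOTS list and the MIN_FILES threshold are constructed assumptions. Files a process drops into a directory it created itself are not counted as user files, while a burst of rewrites to pre-existing files under user directories is.

```python
"""Toy model: burst rewrites of pre-existing user files versus rewrites confined
to files the same process created. Illustrative only, not a vendor's detection."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed user-file roots for this toy model (constructed).
USER_ROOTS = [PureWindowsPath(r"C:\Users\alice\Documents"),
              PureWindowsPath(r"C:\Users\alice\Desktop")]
MIN_FILES = 5  # distinct pre-existing user files one process must rewrite to alert


def is_user_file(path: PureWindowsPath) -> bool:
    """True if the path sits under one of the user-file roots (case-insensitive)."""
    return any(root in path.parents for root in USER_ROOTS)


def evaluate(events):
    """Return {process: set of pre-existing user files it rewrote}.

    A 'modify' of a file the process itself created, or of anything under a
    directory the process created, is treated like the simulator's own folder
    and does not count."""
    created_dirs = defaultdict(set)
    created_files = defaultdict(set)
    rewritten = defaultdict(set)
    for ev in events:
        proc, op, p = ev["process"], ev["op"], PureWindowsPath(ev["path"])
        if op == "create_dir":
            created_dirs[proc].add(p)
        elif op == "create_file":
            created_files[proc].add(p)
        elif op == "modify":
            own_dir = any(d in p.parents for d in created_dirs[proc])
            if is_user_file(p) and p not in created_files[proc] and not own_dir:
                rewritten[proc].add(p)
    return rewritten


def alerts(events):
    """Processes whose count of rewritten pre-existing user files meets the threshold."""
    return sorted(proc for proc, files in evaluate(events).items() if len(files) >= MIN_FILES)


# Constructed event stream: a simulator working in its own folder, a process
# rewriting real user documents, and an editor saving a single file.
SIM_DIR = r"C:\Users\alice\Documents\SimTest"
SAMPLE_EVENTS = (
    [{"process": "simulator.exe", "op": "create_dir", "path": SIM_DIR}]
    + [{"process": "simulator.exe", "op": "create_file", "path": rf"{SIM_DIR}\doc{i}.docx"} for i in range(6)]
    + [{"process": "simulator.exe", "op": "modify", "path": rf"{SIM_DIR}\doc{i}.docx"} for i in range(6)]
    + [{"process": "encryptor.exe", "op": "modify", "path": rf"C:\Users\alice\Documents\report{i}.xlsx"} for i in range(6)]
    + [{"process": "winword.exe", "op": "modify", "path": r"C:\Users\alice\Documents\letter.docx"}]
)

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['encryptor.exe']
```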