Ransomware defense is emerging as one of the more important sectors of the security field, with researchers exploring many different paths. One of the key elements of defending against a threat is understanding how it operates, and researchers in the U.K. have now developed a pair of tools that emulate the behavior of ransomware to help defenders protect their systems.

Much of the way that ransomware behaves is virtually identical to how normal malware acts: infecting machines, looking for data, reporting back to C&C servers. The key difference is its encryption behavior, and understanding how that works is key to discovering how to break the chain. So researchers at NCC Group have developed a ransomware simulator that can reproduce the behavior of ransomware on a system to allow defenders to see what kind of damage could happen in a real-world infection.

In its basic form, the simulator will go through a system and enumerate the files on the local system, as well as on any removable and network storage devices.

“For each of these locations, the simulator will look for content accessible to the current user i.e. the ability to read plus delete and/or overwrite,” Donato Ferrante of NCC Group said in a post.

The tool then will produce a report that shows which files would be vulnerable in a ransomware attack on a given system.
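As an added illustration of that kind of exposure report (this is not NCC Group's code), the read-only Python sketch below walks a set of directories and flags each file the current user could read and also overwrite or delete. The function names and the use of `os.access` as the permission probe are assumptions of this example; `os.access` does not evaluate Windows ACLs or the POSIX sticky bit, so treat the result as an approximation.

```python
import os
import sys

def audit(roots, can=os.access):
    """List regular files under `roots` with what the current user could do to them.

    `can(path, mode)` is the permission probe (hypothetical parameter of this
    sketch). os.access is an approximation: it ignores Windows ACLs and the
    POSIX sticky bit. Nothing is opened, written or deleted.
    """
    report = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            # Deleting a file needs write+search on its directory, not on the file.
            can_delete = can(dirpath, os.W_OK | os.X_OK)
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    continue  # a link's target is reported where it actually lives
                read = can(path, os.R_OK)
                overwrite = can(path, os.W_OK)
                report.append({
                    "path": path,
                    "read": read,
                    "overwrite": overwrite,
                    "delete": can_delete,
                    # Criterion quoted above: read plus delete and/or overwrite.
                    "exposed": read and (overwrite or can_delete),
                })
    return report

def summarize(report):
    """Return (exposed_count, total_count) for a report from audit()."""
    return sum(1 for r in report if r["exposed"]), len(report)

if __name__ == "__main__":
    rep = audit(sys.argv[1:] or ["."])
    for r in rep:
        if r["exposed"]:
            flags = "".join(f for f, k in (("R", "read"), ("W", "overwrite"),
                                           ("D", "delete")) if r[k])
            print(f"{flags:3} {r['path']}")
    exposed, total = summarize(rep)
    print(f"{exposed} of {total} files are exposed to this user")
```

Run it against mounted removable or network paths as well as local ones to see how far a single user account's write access reaches.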

But there is also a second mode for the tool, emulation mode, which will go several steps further in simulating a ransomware attack. In that mode, which the user needs to enable manually, the tool will masquerade as a real piece of ransomware, stealing files and encrypting them.

“The ransomware will install a custom extension handler via the Windows Registry to control file open events on locked files. This handler allows the tool to be instantiated when requests to access locked files are made and will prompt the user for a key to unlock the requested file,” Ferrante said.

The emulation mode is meant to help assess the effectiveness of anti-ransomware tools, and Ferrante warns that it could lead to the loss of data on a target system. Trying to figure out the way a piece of ransomware uses encryption and finding ways to circumvent or break it is at the heart of anti-ransomware efforts. Ferrante said the NCC Group’s emulator didn’t go to extremes with its encrypted file container scheme, but made it realistic.

“In our case, we use serialisation to produce a sequence of bytes representing our custom file container object instantiated on the target file data. Serialisation is a powerful process that allows us to freeze the status (/context) of a given object in order to reuse it later on during the same, or even a completely different, programme execution,” Ferrante said.

“Once the data has been serialised an encryption method will take care of producing an encrypted stream ready to be saved on the disk. This encrypted stream will replace the original file after its original data has been securely removed.”

NCC is releasing the tool, in simulator mode only, as open source on GitHub.