This write-up is divided into three parts:
The Attack: Understanding Ransomware
A breakdown of how ransomware operates, from initial access to encryption.
How EDR Solutions Work and Detect Threats
An overview of how Endpoint Detection and Response (EDR) tools identify, analyze, and mitigate ransomware behavior.
~How Breach and Attack Simulation (BAS) Technology Mimics Attacks
A deep dive into how BAS platforms simulate ransomware attacks without causing real damage to user data or system files.
The Attack: Understanding Ransomware
What Happens When Ransomware Executes?
When ransomware is executed, its behavior varies depending on the type. Some variants are self-contained, such as locker ransomware, which restricts access to the system. Others are network-aware worms, like WannaCry or Ryuk, capable of spreading across connected systems.
Regardless of the variant, most ransomware follows a common chain of actions. Here’s a breakdown of what typically happens post-execution:
Step-by-Step: What Ransomware Does After Execution
Initial Setup and Evasion
Runs in memory
Anti-VM & anti-sandbox checks
Kills security processes (EDRs, AVs)
Escalates privilege (UAC bypass or exploits)Persistence
Modifies registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creates scheduled tasks or service
Drops itself in temp folders or %APPDATA%File Discovery and Target Enumeration
Scans file systems for target file extensions:
.doc, .xls, .pdf, .jpg, .db, .pst, etc.
Skips system folders sometimes to avoid crashing system (smart ones do).
- Searches connected media including
USB drives
Mapped Network drive
Mounted shares
- Once suitable targets are identified, the ransomware proceeds to encrypt files containing sensitive or high-value data, such as:
PII (Personally Identifiable Information)
PCI (Payment Card Information)
Business-critical user files
If the infected system has access to shared drives or USBs, those files may be encrypted as well — expanding the impact beyond the local machine.
How EDR Solutions Work and Detect Threats
EDR is focused on endpoints (like your laptop, desktop, or server),watching processes, memory, files, registry, and network calls in real time.
EDR Detects Ransomware Using:
- Behavior-Based Detection (Most Effective) EDR tools like CrowdStrike, SentinelOne, Microsoft Defender for Endpoint watch for:
File I/O anomaly: rapid encryption of multiple files (CreateFile, WriteFile, Rename)
File entropy changes (plain → encrypted becomes high entropy)
.txt, .doc, .xls → .locked, .encrypted
File extensions being renamed in bulk
Unusual process spawning:
winword.exe → drops powershell.exe
explorer.exe → spawns vssadmin.exe
Ransomware encrypts hundreds of files in seconds. That’s unusual compared to user activity.
- Command Line Pattern Matching EDR inspects suspicious command lines like:
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled no
cipher /w:C
A normal user doesn’t run this. EDR flags this as ransomware behavior or destruction of recovery.
- Process Tree Monitoring Tracks parent-child process chains:
winword.exe → powershell.exe → cmd.exe → malware.exe
This suspicious chain = alert.
- Honeypots / Canary Files Some EDRs plant hidden decoy files like:
C:\Users\Public\DoNotTouch_Monitor.docx
If touched its likely ransomware assumed by EDR solution.
Memory Injection / Code Injection Detection
If ransomware injects into a legitimate process (e.g., explorer.exe) using CreateRemoteThread or VirtualAllocEx, EDR flags it.ML/Heuristics
Behavior profiling and anomaly detection
New ransomware (unknown hash) still gets caught via behavior, not signature.
How Breach and Attack Simulation (BAS) Technology Mimics Attacks
BAS simulates ransomware attacks using non-destructive behavioral mimicry. You’re spot on across most aspects. Let’s break this down and fine-tune the key technical points, highlight EDR interaction, and address some practical realities for red/blue teams.
BAS Ransomware Simulation
- Behavioral Simulation — Not Actual Ransomware Does not encrypt real files — no user or system data is harmed. Label: T1486
Emulates observable ransomware behaviors, such as:
Mass file access operations
File renaming across multiple directories
Simulated extension changes (e.g., .docx ➝ .locked)
Fake “encryption-like” content or entropy increase (not real encryption)
These behaviors are used to trigger EDR/XDR responses
- How BAS Interacts with EDR EDR solutions don’t rely on signatures only. They look for behavior like:
High-rate file modification
Use of built-in tools (vssadmin, bcdedit) Label: T1490
Suspicious process trees (explorer.exe → powershell.exe) Label: T1059, T1059.003
Unusual entropy or file type changes
Memory injection or child process spawning. Label: T1086
BAS simulates these, not executes them. The simulation engine triggers behavioral signatures, e.g.:
Creating hundreds of fake .locked files
Renaming test files to simulate encryption
Simulating file scans and system API calls used by real ransomware (e.g., CreateFile, WriteFile, SetFileTime)
EDR is fooled (intentionally) to think ransomware is present — validating detection logic.
- Why %TEMP%, %ProgramData%, and Controlled Scopes? These directories:
Are commonly abused by real malware.
Are writable by standard users (safe to test without risking system files).
Let the agent run simulated payloads in realistic but isolated environments.
BAS: Uses local test files only, avoids real user data, and confines all activity to agent-controlled zones for safe execution and cleanup
- Safe Emulation Tactics Used by BAS Simulated encryption: Instead of encrypting actual data,
BAS writes dummy files may changes harmless content. Alters timestamps or metadata.
Registry Simulation:
Creates mock entries that mimic persistence tactics but does not touch critical keys.
Mock Process Injection:
BAS may simulate or replay an injection attempt into explorer.exe, but doesn’t actually inject malicious code.
C2 Communication Simulation:
May simulate DNS queries or test beaconing and can test whether security tools detect this without contacting a real malicious server.
- BAS Agent Capabilities The BAS Agent:
Executes the tests locally on the endpoint. Can run custom payloads or template-based tests. Cleans up afterward with self destruction code injected in the script.
Real-World Use Case (Example):
You run a BAS ransomware simulation:
Agent creates 20 fake .locked files in %TEMP%.
Renames them with high-entropy contents and uses PowerShell to simulate registry/persistence.
Your EDR detects this: Ransomware behavioral match — blocked, Logs high write frequency + fake encryption. ATP flags simulated shadow copy deletion attempt.
No real files are harmed, but your detection pipeline gets stress-tested just like in a live attack.
Below script for test purpose
#ItsMalvious
---------------------------------------------------------------------
# Create test directory
$TestDir = "$env:TEMP\RansomTest"
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
# Step 1: Create 20 .txt files
1..20 | ForEach-Object {
$FilePath = Join-Path $TestDir "File$_.txt"
Set-Content -Path $FilePath -Value "This is file $_ for simulation"
}
# Step 2: Rename first 10 to .locked, next 10 to .encrypted
Get-ChildItem -Path $TestDir -Filter *.txt | Sort-Object Name | Select-Object -First 10 | ForEach-Object {
Rename-Item $_.FullName ($_.FullName -replace '.txt$', '.locked')
}
Get-ChildItem -Path $TestDir -Filter *.txt | Sort-Object Name | Select-Object -First 10 | ForEach-Object {
Rename-Item $_.FullName ($_.FullName -replace '.txt$', '.encrypted')
}
# Optional: Simulate file content change to mimic encryption
Get-ChildItem -Path $TestDir -Filter *.locked,*.encrypted | ForEach-Object {
Set-Content $_.FullName -Value ("X" * 2048) # High entropy simulation
}
# Step 3: Wait for EDR to observe activity
Start-Sleep -Seconds 10
# Step 4: Self-destruct - delete all files and folder
Remove-Item -Path $TestDir -Recurse -Force
What the Script Actually Does:
~ Creates a Folder
$TestDir = "$env:TEMP\RansomTest"
This creates a folder like:
C:\Users\Sahil\AppData\Local\Temp\RansomTest
So it’s working only in your system’s TEMP directory, not your Desktop, Downloads, or Documents.
Creates 20 Text Files:
It creates fake .txt files like:
File1.txt, File2.txt, ..., File20.txt
inside the RansomTest folder only.
Renames & Modifies Only Those Files:
It renames and modifies only the 20 files within the same folder:
File1.txt → File1.locked
File11.txt → File11.encrypted
Then writes 2048 "X" characters into each to simulate encryption.
Deletes Only the Test Folder:
Remove-Item -Path $TestDir -Recurse -Force
This only deletes the RansomTest folder and its contents, nothing else.
Will It Touch Your Desktop or Real Files?
Doesn’t touch C:\Users\Sahil\Desktop\
Doesn’t access your Documents, Downloads, or network drives
Only works in $env:TEMP\RansomTest
Verdict / My Opinion
BAS tools give blue teams the power to test and validate their ransomware detection capabilities without putting their environments at risk.
By simulating attacker behavior — not malware payloads — BAS tools enable organizations to:
Verify their EDRs and SIEMs are correctly tuned
Train analysts to respond to ransomware scenarios
Continuously assess security posture without real damage
If you’re looking to understand ransomware better, start by simulating it safely — and study how your EDR reacts. It’s the safest way to get as close to the real thing as possible without crossing the line.
NOTE: Security isn’t just about deploying expensive tools — it’s about proving they actually work when it matters.
Breach and Attack Simulation (BAS) gives organizations the power to challenge their own defenses — testing whether technologies like EDR, DLP, PAM, IAM, WAF, proxy, and SIEM aren’t just deployed, but effective.
But this goes beyond just testing. With Continuous Threat Exposure Management (CTEM) — a strategic approach introduced by Gartner
— With BAS and CTEM, CISOs and security leaders can:
Map technical risk to real business impact
Show executive leadership where actual exposure lies
Prioritize and justify security budgets based on validated protection
This is how a CISO stops guessing and starts leading.
You can’t fix what you don’t see — and you can’t justify what you can’t prove. BAS and CTEM together bring visibility, validation, and real-world confidence back into cybersecurity.
Because in today’s threat landscape, if your defenses only look good on paper —
you’re already breached.
This is just the start.
A complete series is on the way — breaking down how real-world attacks work and how each security solution responds.
Stay tuned — because understanding the how is the first step to defending the now.
|Rakṣā-vidyāyām ācāryā x-śūnyatāṁ t*īvrā anubhūtiḥ **tārayati **a*rjunam.|
(In the science of protection, the teacher of unknowns pierces illusion and uplifts the seeker.)
Top comments (0)