The ransomware mimic application is a utility designed to test the ransomware detection module of the HEIMDAL Agent. It encrypts and decrypts files within a directory to simulate ransomware behavior, enabling thorough testing of detection capabilities.
Steps to reproduce
1. Download the application: https://heimdalqastorage.blob.core.windows.net/mac-agent-tools/utils/info/files/ransomware-mimic-universal_encryptor.zip
2. Run the application with the following command:
ransomware-mimic <directory-path>
Replace <directory-path> with a directory that contains test files suitable for encryption. If the directory already contains a keyinfo.json file, the application decrypts the files; otherwise it encrypts them and generates keyinfo.json. Pick a directory under one of the monitored paths listed below, not under an excluded path, or the detection module will not see the activity.
The ransomware detection module logs the process name of detected threats to the HEIMDAL Dashboard.
IMPORTANT
To avoid spamming the HEIMDAL Dashboard, the HEIMDAL Agent only logs one instance of a specific process name within 24 hours. To test the application multiple times within the same day, you must change the executable name of the mimic application for each test.
Changing the Executable Name
Copy or rename the executable file with a different name before each test:
cp ransomware-mimic ransomware-test1
Run the renamed executable:
./ransomware-test1 /path/to/test/directory
Repeat this process with a new name for each subsequent test.
Monitored Paths
/Users/<username>/
/Users/<username>/Library/Preferences/
/Users/<username>/Library/Mail/
/Users/<username>/Library/Keychains/
/Users/<username>/Library/Mobile Documents/
/Users/<username>/Library/Application Scripts/
Excluded Paths
/Users/<username>/Library/Application Support/
/Users/<username>/Library/Caches/
/Users/<username>/Library/TemporaryItems/
/Users/<username>/Library/Logs/
/Users/<username>/Library/Biome/tmp/
/Users/<username>/Library/Containers/
/Users/<username>/Library/Group Containers/
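Added example, not Heimdal's code: a small POSIX shell wrapper that checks the test directory against the monitored and excluded paths above before running the mimic under a fresh executable name, as the 24-hour rule in the IMPORTANT note requires. It assumes a macOS home directory of /Users/<username> and the downloaded binary invoked as ransomware-mimic <directory-path>; the ransomware-test name prefix is a hypothetical choice.

```shell
#!/bin/sh
# Added helper (not part of Heimdal's tooling) for exercising the mimic.
# Assumes a macOS home of /Users/<username> and the downloaded binary,
# invoked as: ransomware-mimic <directory-path>.

# is_monitored HOME PATH: succeeds when PATH lies under the monitored tree
# and not under an excluded path. Excluded paths are tested first because
# every one of them sits below the monitored /Users/<username>/ root.
is_monitored() {
  home=$1; p=$2
  case "$p" in
    "$home/Library/Application Support/"*|"$home/Library/Caches/"*|\
    "$home/Library/TemporaryItems/"*|"$home/Library/Logs/"*|\
    "$home/Library/Biome/tmp/"*|"$home/Library/Containers/"*|\
    "$home/Library/Group Containers/"*) return 1 ;;
  esac
  # Preferences, Mail, Keychains etc. all sit under the home directory.
  case "$p" in
    "$home/"*) return 0 ;;
  esac
  return 1
}

# unique_mimic_name BASE: BASE plus timestamp and PID, so the agent sees a
# process name it has not logged within the last 24 hours.
unique_mimic_name() {
  printf '%s-%s-%s\n' "$1" "$(date +%Y%m%d%H%M%S)" "$$"
}

# run_mimic MIMIC_BIN TEST_DIR [HOME]: refuses directories the agent would
# not watch, copies the binary to a fresh name, reports whether this run
# encrypts (no keyinfo.json yet) or decrypts (keyinfo.json present), runs it.
run_mimic() {
  bin=$1; dir=$2; home=${3:-/Users/$(whoami)}
  if ! is_monitored "$home" "$dir"; then
    echo "refusing: $dir is excluded or outside the monitored paths" >&2
    return 2
  fi
  name=$(unique_mimic_name "$(dirname "$bin")/ransomware-test")
  cp "$bin" "$name" && chmod +x "$name" || return 1
  if [ -f "$dir/keyinfo.json" ]; then
    echo "keyinfo.json present: this run decrypts ($name)"
  else
    echo "no keyinfo.json: this run encrypts ($name)"
  fi
  "$name" "$dir"
}

if [ "$#" -ge 2 ]; then run_mimic "$@"; fi
```

Run it twice against the same directory: the first run encrypts and writes keyinfo.json, the second decrypts, and each run shows up in the Dashboard under a different process name.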