This article explains how to schedule a Ransomware simulation campaign in SMARTFENSE, detailing each available configuration field and the indicators the campaign collects.
What is a Ransomware simulation campaign?
Ransomware simulation campaigns consist of emails that aim to deceive the user into downloading a file and, ultimately, double-clicking on it. The file can arrive as an attachment to the email or be referenced through a download link. Both methods can be used in the same scenario.
The files of each scenario can be of three types:
- HTML file.
- HTML file compressed in a ZIP.
- Executable file (for Windows or Mac): creates a temporary file in the user's folder and attempts to encrypt that temporary file. Once the process is complete, it deletes the temporary file.
The file type is defined when creating or customizing a Ransomware scenario.
Create the campaign
- From the main menu, go to Campaigns > Calendar.
- Click the New campaign button.
- Select Ransomware.
Campaign configuration
Essentially, Ransomware simulation campaigns require the following data to be scheduled:
- Groups
- Scenario
- Start date
- Expiration date
SMARTFENSE automatically detects the time zone of the administrator's device when scheduling. The dates and times you configure will be defined in the time zone of the device from which you are creating the campaign.
Groups
By default, SMARTFENSE allows you to select Groups as recipients of a campaign. The other options can be displayed by clicking the More options button at the bottom of the screen.
The platform requires you to select at least one recipient to schedule a campaign.
Scenario
Defines the theme of the Ransomware simulation campaign. It is possible to select more than one scenario.
If you choose more than one scenario, when the campaign is sent each user will receive a specific scenario randomly selected from the chosen set. This means that, although several scenarios are selected, each user will participate in only one. It is not possible to send multiple scenarios to the same user in a single campaign.
Start date
Date on which the campaign begins sending simulation emails and collecting interaction statistics.
Once the Start date has passed, the only field you can modify while the campaign is in progress is its Expiration date. This action can be performed from the Calendar or Campaigns list. To do so, locate the campaign you want to edit and go to View campaign details > Information and actions.
Expiration date
Date on which the campaign stops collecting statistics.
The maximum duration of a Ransomware simulation campaign is 4 days. This allows simulating attacks more aligned with reality and obtaining results similar to those of campaigns carried out by cybercriminals.
More options
The following fields are displayed by clicking the More options button at the bottom of the screen.
Mode
Defines how users are assigned to the campaign. There are two options:
- One-time initial assignment with specific expiration date: all recipient users are assigned when the Start date arrives. Changes made to the groupings after that date are not considered.
- Recurring assignment with relative duration: the campaign periodically checks which users meet the recipient conditions and assigns them automatically. Each user's expiration date is calculated based on the defined Duration in days, starting from the moment they are assigned.
User management in Recurring assignment with relative duration campaigns:
- Users added to a recipient grouping after the start date are assigned automatically, but not immediately: assignment takes place on the day after the edit, at the same time of day as the start date.
- Users removed from the grouping after being assigned remain assigned to the campaign.
Recipients
In this section different types of groupings can be selected as campaign recipients: Groups, Functional areas, Hierarchical levels, Smart groups, and Individual users.
You can combine the selected groupings in two ways:
- Assign users who belong to at least one grouping of each type.
- Assign users who belong to any of the selected groupings.
Users must belong to at least one grouping of each type
Users who meet each of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Also belong to at least one of the selected Functional areas.
- Additionally belong to at least one of the selected Hierarchical levels.
- And finally belong to at least one of the selected Smart groups.
Users must belong to any of the selected groupings
Users who meet any of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Or belong to at least one of the selected Functional areas.
- Or belong to at least one of the selected Hierarchical levels.
- Or belong to at least one of the selected Smart groups.
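To see how much the choice of combination mode changes the scope of a campaign, the following added example (not SMARTFENSE code) models both rules over a constructed directory. The user addresses, grouping names and function names are assumptions, and Individual users are left out because the two lists above do not cover them.

```python
from dataclasses import dataclass

# The four grouping types named in both combination rules above.
TYPES = ("groups", "functional_areas", "hierarchical_levels", "smart_groups")

@dataclass
class User:
    email: str
    memberships: dict  # grouping type -> set of grouping names the user belongs to

def in_selected(user, gtype, selection):
    """True if the user belongs to at least one selected grouping of this type."""
    return bool(user.memberships.get(gtype, set()) & selection.get(gtype, set()))

def assigned_users(users, selection, mode):
    """Return the e-mail addresses assigned under 'each_type' (AND) or 'any' (OR)."""
    if mode == "each_type":
        # The page does not say how a type with nothing selected is treated,
        # so this model refuses to guess and requires a selection in every type.
        missing = [t for t in TYPES if not selection.get(t)]
        if missing:
            raise ValueError(f"no selection for: {', '.join(missing)}")
        combine = all
    elif mode == "any":
        combine = any
    else:
        raise ValueError(f"unknown mode: {mode}")
    return sorted(u.email for u in users
                  if combine(in_selected(u, t, selection) for t in TYPES))

def widened_by_any(users, selection):
    """Users who are in scope only because 'any' was chosen instead of 'each_type'."""
    strict = set(assigned_users(users, selection, "each_type"))
    return sorted(set(assigned_users(users, selection, "any")) - strict)

# Constructed sample data (not taken from any real tenant).
DIRECTORY = [
    User("ana@example.test", {"groups": {"Finance"}, "functional_areas": {"Accounting"},
                              "hierarchical_levels": {"Manager"}, "smart_groups": {"Repeat clickers"}}),
    User("bo@example.test", {"groups": {"Finance"}, "functional_areas": {"Accounting"},
                             "hierarchical_levels": {"Analyst"}}),
    User("cy@example.test", {"groups": {"IT"}, "functional_areas": {"Support"},
                             "hierarchical_levels": {"Manager"}}),
    User("di@example.test", {"groups": {"IT"}, "functional_areas": {"Support"},
                             "hierarchical_levels": {"Analyst"}}),
]
SELECTION = {"groups": {"Finance"}, "functional_areas": {"Accounting"},
             "hierarchical_levels": {"Manager"}, "smart_groups": {"Repeat clickers"}}

if __name__ == "__main__":
    print("each type:", assigned_users(DIRECTORY, SELECTION, "each_type"))
    print("any:      ", assigned_users(DIRECTORY, SELECTION, "any"))
    print("added by 'any':", widened_by_any(DIRECTORY, SELECTION))
```

With the same selection, the "any" rule reaches three of the four constructed users while the "each type" rule reaches one, which is worth checking before scheduling a campaign that delivers executable scenarios.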
Scheduling
In addition to choosing the start and expiration date, Ransomware simulation campaigns allow you to select the send type:
- Normal sending: emails are sent to all recipient users when the campaign's start date and time arrives.
- Random sending: emails are sent to each user at different times of the day. Sending takes place in the first half of the range between the start date and the expiration date, between 09:00 and 18:00.
The platform guarantees that all assigned users receive the email during the sending days. The campaign remains active and collecting statistics until the day selected as the expiration date.
Random sending cannot be used to make each user receive a random scenario. Randomness refers only to the day and time of sending.
Campaigns with random sending cannot start on the same day they are created or scheduled. A future start date must be configured.
Campaign details
- Name: identifies the campaign within the platform.
- Description: displayed on the calendar when hovering over the campaign.
- Test campaign: if you enable this option, the campaign runs without affecting reports or generating records in the user or campaign audit.
Derived actions
Allows you to add a Teachable Moment to the Ransomware simulation campaign. Teachable Moments are used to raise user awareness at the moment they perform an unsafe behavior within the simulation.
To configure it you must define:
- Topic of the Teachable Moment.
- User action that triggers its sending:
  - Click on the Ransomware download link received by email.
  - Open the downloaded Ransomware.
  - Run the Ransomware and cause a successful encryption.
- Delivery mode:
  - Instantly when the action occurs in the web browser.
  - Instantly when the action occurs in the web browser and also send it by email at the same time.
  - Select a date after the campaign expiration to send all corresponding Teachable Moments by email.
The Teachable Moment ends with a validation question, followed by feedback once the user has answered. Both have components that can be edited from Settings > Simulations > Teachable moments.
Advanced
Sample sending
If you enable this option, the simulation email is sent only to a sample of the total recipients. You must enter the sample size as a percentage. The included users are randomly chosen from the total recipients.
Ransomware URL
Defines the URL used in Ransomware simulation emails.
- Use SMARTFENSE URLs (default option): the link is built with the platform's subdomain and a domain randomly selected from a list of SMARTFENSE domains intended to host simulated Ransomware traps.
- Use custom URL: allows you to select a custom Hostname, managed in Settings > Organization > Hostnames, and explicitly choose a domain from the list of available domains.
If you select the Random domain option, the platform will randomly choose a domain for all the campaign's links. This domain will be the same for all recipient users. If you want to use a custom domain, contact technical support from the Help Center.
Send me a test
Before scheduling the campaign, you can receive a test in your email by clicking the Send me a test button. The test takes the following configured parameters into account:
- Scenario: the test is sent with the configured scenario.
- Teachable Moment: the defined configuration will be applied.
Other parameters such as Ransomware URL have no effect on the Send me a test button. Their effect can only be seen in a scheduled campaign.
Software-generated statistics
Before launching a Phishing or Ransomware simulation campaign, it is important to apply a Whitelist process in all the organization's tools that interact with emails sent from SMARTFENSE. This ensures that:
- The simulation email reaches the inbox and not SPAM.
- Security tools do not interact with the email by generating statistics on behalf of the user.
Before you save the campaign, the platform asks you to confirm that the Whitelist was applied correctly and that test campaigns were launched to a representative sample without any evidence of blocks or software interactions.
Indicators collected by the campaign
Once started, the campaign records the following indicators:
- Sent: the email was sent to the user.
- Opened: the user opened the email.
- Ransomware downloaded: the Ransomware was downloaded via a link.
- Ransomware opened: the Ransomware downloaded via a link was opened.
- Ransomware attachment opened: the Ransomware received as an attachment was opened.
- Teachable moments sent by email: the user performed an action that triggered the sending of the Teachable Moment by email.
- Teachable moments opened: the user viewed the Teachable Moment in their email or instantly in their browser.
- Teachable moments answered correctly: the user correctly answered the Teachable Moment question used to validate its reading.
- Teachable moments answered incorrectly: the user incorrectly answered the Teachable Moment question used to validate its reading.
- Ransomware campaign reported: the user reported the received email. This indicator will be available if you installed the phishing reporting button.
For executable file scenarios only:
- Encryption possible in user's folder: the simulation verified that it is possible to encrypt files in the user's folder.
💡 Best practices
- Send a Test campaign to analyze statistics and check whether there are false positives. If necessary, review the whitelist application.
- Define an Expiration date consistent with the objective and keep the campaign within the 4-day maximum to obtain realistic results.
- Use Random sending to simulate real behaviors and reduce the "user-to-user warning" effect during the campaign.
- Combine the Ransomware simulation with a Teachable Moment to raise user awareness at the exact moment they perform an unsafe behavior.
- Use Send me a test to validate the scenario before scheduling the campaign.
- If you use scenarios with executable files, review the Encryption possible in user's folder indicator to evaluate the simulation's behavior.