During the last decade, ransomware (cryptolockers) show sustainable growth that can be explained by an effective business model that incorporates an anonymous payment system (Bitcoin) and network (TOR). This allows attackers to go untraceable and unpunished in their criminal activities.
In this regard, antiviruses and backup solutions come to protect you against ransomware and eliminate infection consequences. However, based on our incidents investigation experience, most of the ransomware infections in organizations happened with an antivirus installed and turned on. This can be explained by the fact, that the new ransomware variants employ polymorphic encryption with code obfuscation , broken PE headers , and scripting languages [3, 4]. All these help attackers bypass antivirus signature-based protection giving a chance for behavior blockers and anti-ransomware solutions to come into play. Therefore, it is essential to test security solutions by simulating the real-world ransomware attacks.
First, we tried the RanSim ransomware simulation software made by KnowBe4  to verify if an antivirus can block a ransomware attack. However, RanSim has several limitations. The most principal one is that antiviruses block the RanSim executables underway using simple blacklists before the actual test scenarios are run. The question then arises as to how to bypass antivirus signature protection to run ransomware test scenarios that will test the antivirus behavior blocker or anti-ransomware protection only.
To solve the problem of testing anti-ransomware solutions, we looked into the successful real-world ransomware attacks to find out the techniques that help malware to go unnoticed. As a result, we created the ransomware testing framework called NioCryptoSim  written mostly in Python. The test suite includes three false positive tests and 15 tests simulating the base cryptolocker functions as well as complete models imitating the behavior of some real-world ransomware.