Ransomware Protection

Discussion in 'polls' started by emmjay, Dec 21, 2015.

How do you combat ransomware?

  1. I rely on my existing install base (AV, AM and Anti-exploit products)

    65 vote(s)
    55.1%
  2. I rely on HIPs

    12 vote(s)
    10.2%
  3. CryptoPrevent

    12 vote(s)
    10.2%
  4. Ruiware WAR

    3 vote(s)
    2.5%
  5. TrendMicro AR prevention

    1 vote(s)
    0.8%
  6. HitmanPro AR prevention

    24 vote(s)
    20.3%
  7. CryptoMonitor

    0 vote(s)
    0.0%
  8. Other

    47 vote(s)
    39.8%
Multiple votes are allowed.
  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Indeed, at first it has to be run, either by a user through a hidden exe like pdf.exe or by scripting, which can be disabled.
    Then it will create a startup entry to gain admin rights after restart, easily avoidable by simply deleting/blocking startup items.

    Some people will protect their precious anti-tools to the death. They do not understand that anti-ransomware is just another antivirus based on signatures and heuristics, which will never work 100%, unlike simple restrictions, which work 100%. But it is the user's choice, so no hard feelings.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Have you looked specifically at the protection mechanisms of the MalwareBytes beta (MBARW) and HitmanPro.Alert? I'm not currently using the MBARW, but I do use HMPA and I don't see that it's based on signatures; instead it simply recognizes and prevents file encryption. It blocks legitimate encrypting tools and malware equally, and must be disabled for intentional file encryption. As for "simple restrictions" I also use CryptoPrevent. For me the point is not only which tools are better but also which ones are accessible to users who don't understand the intricacies of implementing protections manually or who don't want to invest the time. The vast majority of users need to rely on "anti-tools".
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,981
    a completely proactive and signature-less technology
    https://forums.malwarebytes.org/index.php?/topic/177751-introducing-malwarebytes-anti-ransomware/
    https://forums.malwarebytes.org/ind...-mbam-and-mbae-why-do-i-need-anti-ransomware/
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    They just use fancy names, that is how marketing works, but it is the same junk; it cannot detect everything.
    I am pretty sure they detect known ransomware based on signatures as well.
     
    Last edited: Feb 6, 2016
  5. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,981
    Whatever.....
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not every one detects ransomware based on signature. Several programs discussed on this forum don't.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    In the same way one would not run two primary AVs, would two anti-ransomware softs conflict - specifically MBARW and WinAntiRansom?
    I guess it depends how they work, and the devs understandably won't tell us ...
    CryptoPrevent just sets static rules, so I guess that will work alongside/complement another anti-ransomware solution.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I feel this is an important consideration. Some people think they're better protected if they use multiple real-time monitoring tools, but without in-depth testing there's no way to know. It's not enough that the tools will coexist on the system. It needs to be demonstrated that they can actually work and not interfere with each other when responding to a malware attack. I believe a better approach is to use complementary tools, for instance CryptoPrevent along with one of the real-time monitoring anti-ransomware apps like HitmanPro.Alert or MBARW.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    SRP won't help against ransomware that is executed by the user itself. What's so hard to understand about that? And anti-ransomware is based on behavioral monitoring, not on signatures.

    I don't think it's a smart move to combine WAR with MBARW; you never know if they will interfere with each other, reducing security instead of improving it. CryptoPrevent will most likely work just fine combined with one of them.
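The "recognizes and prevents file encryption" mechanism Victek describes, and the "behavioral monitoring, not signatures" point made here, as an added example that is not HitmanPro.Alert's, MBARW's or any vendor's code: a toy monitor in Python built on two heuristics such tools are commonly credited with, decoy (canary) files and a burst of files jumping from low to high Shannon entropy. The directory, file names, thresholds and the scripted writes are constructed for the demo. The last scenario shows the side effect Victek mentions: a legitimate archiver encrypting the same files trips the same check, so the tool needs an exclusion (here, an allowlist by process name) rather than a signature.

```python
"""Toy behavioural ransomware monitor: decoy files plus entropy bursts.

Added example, not the code of HitmanPro.Alert, MBARW or any product in the
thread. It models signature-less detection in a simplified form: a process is
flagged when it modifies a decoy (canary) file, or when several files jump
from low to high Shannon entropy within a short window. Directory, file
names, thresholds and the scripted writes are all constructed for the demo.
"""
import math
import os
import shutil
import time
from collections import Counter
from pathlib import Path
from tempfile import mkdtemp
from typing import Optional

CANARY_NAME = "~$canary_do_not_touch.docx"  # hypothetical decoy name
ENTROPY_HIGH = 7.0   # bits per byte; ciphertext and random data sit near 8
BURST_FILES = 3      # this many low->high jumps ...
BURST_WINDOW = 2.0   # ... within this many seconds looks like mass encryption


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareMonitor:
    """Baselines one directory tree; call check() after each batch of writes."""

    def __init__(self, root: Path, allowlist=()):
        self.root = Path(root)
        self.allowlist = set(allowlist)        # tools permitted to encrypt
        self.canary = self.root / CANARY_NAME
        self.canary.write_bytes(b"decoy document " * 64)
        self.canary_bytes = self.canary.read_bytes()
        self.entropy = self._scan()            # path -> entropy at baseline
        self.jumps = []                        # (time, path) of entropy jumps

    def _scan(self) -> dict:
        return {p: shannon_entropy(p.read_bytes())
                for p in self.root.rglob("*")
                if p.is_file() and p != self.canary}

    def check(self, actor: str, now: Optional[float] = None) -> Optional[str]:
        """Return why the latest writes look like encryption, or None."""
        now = time.time() if now is None else now
        if not self.canary.exists() or self.canary.read_bytes() != self.canary_bytes:
            verdict = "canary file modified"
        else:
            current = self._scan()
            for p, e in current.items():
                if e >= ENTROPY_HIGH and self.entropy.get(p, 0.0) < ENTROPY_HIGH:
                    self.jumps.append((now, p))
            self.entropy = current
            recent = [p for t, p in self.jumps if now - t <= BURST_WINDOW]
            verdict = (f"{len(recent)} files jumped to high entropy"
                       if len(recent) >= BURST_FILES else None)
        if verdict and actor in self.allowlist:
            return None   # same behaviour, but the user chose this tool
        return verdict


def run_scenario(actor: str, allowlist=(), encrypt=True, touch_canary=False) -> Optional[str]:
    """Build a scratch tree of plain-text files, apply writes, return the verdict."""
    root = Path(mkdtemp(prefix="rw-demo-"))
    try:
        docs = [root / f"report{i}.txt" for i in range(5)]
        for d in docs:
            d.write_bytes(b"Quarterly figures, plain text, low entropy.\n" * 20)
        mon = RansomwareMonitor(root, allowlist)
        if encrypt:
            for d in docs:
                d.write_bytes(os.urandom(2048))  # stands in for cipher output
        else:
            docs[0].write_bytes(b"Edited by a person, still plain text.\n" * 20)
        if touch_canary:
            mon.canary.write_bytes(os.urandom(256))
        return mon.check(actor, now=1.0)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("normal edit      :", run_scenario("notepad.exe", encrypt=False))
    print("mass encryption  :", run_scenario("pdf.exe"))
    print("decoy touched    :", run_scenario("pdf.exe", touch_canary=True))
    print("allowlisted tool :", run_scenario("7z.exe", allowlist={"7z.exe"}))
```

A real product hooks file writes in the kernel and kills the offending process before the burst completes; this script only polls after the fact, which is enough to show why the approach needs no sample of the malware and why it cannot tell 7-Zip's AES output from a cryptolocker's without being told.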
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Unless the user is denied Administrative rights on the machine. As explained by MisterB:

    So a user restricted to a Limited account, at least, cannot execute the ransomware as long as, of course, the SRP policy is correctly enforced.
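The "static rules" paulderdash attributes to CryptoPrevent and the SRP policy this post wants "correctly enforced" are the same mechanism: Software Restriction Policy path rules stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. As an added example that is not CryptoPrevent's rule set or code, the script below emits a .reg file with deny rules for the locations a non-admin user (or a dropper running as that user) can write to, so a pdf.exe dropped into %AppData% or unpacked into %Temp% is refused before it runs. The paths, the file-type list, the descriptions and the fixed GUID namespace are assumptions chosen for illustration.

```python
"""Emit a .reg file of Software Restriction Policy (SRP) path rules that
disallow executables in user-writable locations.

Added example, not CryptoPrevent's rule set or code. It writes the registry
keys that secpol.msc uses for SRP; the paths, file types and descriptions are
assumptions chosen for illustration. Import with an elevated
`reg.exe import srp-deny.reg`, then try to run a copy of a harmless .exe from
%AppData% to confirm the block.
"""
import time
import uuid

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
DISALLOWED, UNRESTRICTED = 0x0, 0x40000   # SAFER_LEVELID_DISALLOWED / _FULLYTRUSTED
# Fixed namespace so re-running produces the same rule GUIDs (idempotent import).
RULE_NAMESPACE = uuid.UUID("9b5d5b4c-2f0e-4d58-8a2f-6a5f3c1e7d90")   # arbitrary constant

# Locations a non-admin user, or a dropper running as that user, can write to.
# Assumed list for illustration; tune per environment.
DENY_PATHS = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%Temp%\*.exe",
    r"%Temp%\Rar*\*.exe",       # WinRAR extraction folders
    r"%Temp%\7z*\*.exe",        # 7-Zip extraction folders
    r"%Temp%\*.zip\*.exe",      # Explorer's built-in zip viewer
    r"%UserProfile%\Downloads\*.exe",
]
# File types SRP treats as executable besides PE files (assumed subset).
EXEC_TYPES = ["BAT", "CMD", "COM", "EXE", "HTA", "JS", "JSE", "MSI", "PIF", "SCR", "VBE", "VBS", "WSF"]


def utf16z(s: str) -> bytes:
    """UTF-16LE with terminating NUL, the on-disk form of REG_SZ/REG_EXPAND_SZ."""
    return s.encode("utf-16-le") + b"\x00\x00"


def multi_sz(items) -> bytes:
    """REG_MULTI_SZ: NUL-terminated strings followed by an extra NUL."""
    return b"".join(utf16z(s) for s in items) + b"\x00\x00"


def hex_value(name: str, kind: str, data: bytes) -> str:
    """One .reg line in hex(kind) form, wrapped with regedit's backslash continuation."""
    tokens = [f"{b:02x}" for b in data]
    lines = [",".join(tokens[i:i + 20]) for i in range(0, len(tokens), 20)]
    return f'"{name}"=hex({kind}):' + ",\\\n  ".join(lines)


def filetime_now() -> bytes:
    """Windows FILETIME (100 ns ticks since 1601-01-01) as a little-endian QWORD."""
    return int((time.time() + 11644473600) * 10_000_000).to_bytes(8, "little")


def rule_guid(path: str) -> str:
    """Stable {GUID} key name for a rule, derived from the path pattern."""
    return "{" + str(uuid.uuid5(RULE_NAMESPACE, path)).upper() + "}"


def build_reg(paths=DENY_PATHS, apply_to_admins=True) -> str:
    """Return the full .reg text: policy header plus one Disallowed rule per path."""
    scope = 0 if apply_to_admins else 1                       # 1 exempts local admins
    out = ["Windows Registry Editor Version 5.00", "",
           f"[{SAFER}]",
           f'"DefaultLevel"=dword:{UNRESTRICTED:08x}',        # everything not listed runs
           '"TransparentEnabled"=dword:00000001',             # check EXEs, skip DLLs
           f'"PolicyScope"=dword:{scope:08x}',
           '"AuthenticodeEnabled"=dword:00000000',
           hex_value("ExecutableTypes", "7", multi_sz(EXEC_TYPES)),
           ""]
    for p in paths:
        shown = p.replace("\\", "\\\\")                       # .reg strings escape backslashes
        out += [f"[{SAFER}\\{DISALLOWED}\\Paths\\{rule_guid(p)}]",
                f'"Description"="Deny executables in {shown} (added example rule)"',
                '"SaferFlags"=dword:00000000',
                hex_value("ItemData", "2", utf16z(p)),        # REG_EXPAND_SZ path pattern
                hex_value("LastModified", "b", filetime_now()),
                ""]
    return "\n".join(out)


if __name__ == "__main__":
    with open("srp-deny.reg", "w", encoding="utf-16") as fh:   # regedit expects Unicode
        fh.write(build_reg())
    print("wrote srp-deny.reg with", len(DENY_PATHS), "deny rules")
```

Two checks before relying on it: confirm the rules actually fire (copy notepad.exe into %AppData% and double-click it; SRP should refuse with "This program is blocked by group policy"), and expect collateral damage, because some legitimate software installs or updates itself under %AppData% and %LocalAppData% and will need an Unrestricted exception under the 262144\Paths level. The rules only stop execution from those paths: a user who moves the file elsewhere or accepts a UAC prompt has stepped outside the policy, which is the objection Rasheed187 raises.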
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That is not my point; I'm talking about people that actually want and need to install some app. They will of course allow apps to get admin rights. I'm not talking about people that are supervised by someone, but about people who have full control of the PC.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Of course I figured that's what you meant, but then that's their problem if they are downloading and installing everything under the sun in a willy-nilly manner, and clicking links in random unexpected emails.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, and that's exactly why tools like MBARW and others are needed. These types of users probably make up 80% of the market. And don't forget about the paranoid like me; I use HIPS to monitor any app even when it is most likely not malicious.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    For me the most important thing is to guard my external USB drive since it contains my important data. I think, never tested though, that Secure Folders protects the drive like a steel barrier. I really don't care if a cryptomalware fully runs on my PC because I use Shadow Defender, so a simple reboot and it's gone.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    Other.

    The cerebrum + MBAE (for Exploits)
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I installed WAR on my 8.1 machine to try, but I do have HMP.A - so maybe WAR should come off again.
     
  17. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    HIPS plus Sandboxing.

    Regards Eck:)
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It would be interesting to find out. Do you have a setup where you could safely throw some crypto-ransomware at the system and see how WAR and HMPA respond?
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I already ditched WAR, as it created some pretty strange problems, like being unable to launch PortableApps (with no notifications).
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That doesn't sound too good. But if you use HMPA, you didn't need it anyway.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Some here would scoff at this statement, but no doubt this approach serves you and others extremely well :thumb:

    This leads me to ask: why is no one mentioning the use of anti-scripting extensions such as NoScript, uBlock, uMatrix and others, for example? Can anyone explain why the use of one of these extensions, set to block at minimum 3rd-party scripts and iframes, would fail to protect against the effects of a drive-by ransomware attack?
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I did mention NoScript.:)
    Bo
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Indeed you did :) That's my laziness in breezing through the thread and missing key points :D
     
  24. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Exactly, and as shown over here the best protection is still not to use an admin account. Based on my own research, CryptoWall 4.0 does need an Admin account to write and set the locked files; also Malwarebytes (just as an example) shows in its own videos that it requires Admin privileges. If someone has an example that works without, just PM me.
    As I also said, you just need to 'lock' the places it wants to write into and you'll be safe, because nothing happens then.

    I think this entire ransomware thing is over-hyped. Yes, I say over-hyped, because this isn't new and the OS can already handle it very well, because the user just needs to do several things to get this fully working. And I think everyone knows that playing an .mp3 or showing a picture does not need any higher privileges, so repeating over and over that millions are infected is just a lie, because even if you're infected you need to pay for this, and that is a user decision, plus there are still the possibilities I mentioned to get rid of it. So recommending tools over and over does not make this discussion better or help, because in the past AV software has in fact also lowered the security of the OS because of several leaks, bugs and whatever, but no one or only a few people talk about this, because no or only a few AV developers want to publish that their products are vulnerable; only if it's already leaked do they confirm or deny it. Information is still the best, and not a tool, that's for sure.

    And don't forget to ask yourself why you execute unknown or untrusted things on your computer in times of cloud-based sandboxes and email providers that already filter most malware; my provider often notifies me about 'strange behaviors' in email xyz because of the scanned attachment.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Agreed, users do not need anti-crypto or other anti-malware tools to avoid cryptolocker grief.
     
    Last edited: Feb 13, 2016