Ransomware Protection

Discussion in 'polls' started by emmjay, Dec 21, 2015.

How do you combat ransomware?

  1. I rely on my existing install base (AV, AM and Anti-exploit products): 65 vote(s), 55.1%
  2. I rely on HIPS: 12 vote(s), 10.2%
  3. CryptoPrevent: 12 vote(s), 10.2%
  4. Ruiware WAR: 3 vote(s), 2.5%
  5. TrendMicro AR prevention: 1 vote(s), 0.8%
  6. HitmanPro AR prevention: 24 vote(s), 20.3%
  7. CryptoMonitor: 0 vote(s), 0.0%
  8. Other: 47 vote(s), 39.8%
Multiple votes are allowed.
  1. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    I would agree with you if you said Wilders members; however, if you check various forums such as Bleeping Computer, many users are getting infected with ransomware, and if you correlate that to the real world it would be hundreds of thousands worldwide. So obviously people who couldn't care less about their computer security need some type of tool to protect themselves from themselves. A simple tool like CryptoPrevent would work wonders if more people were aware of it.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    In my case it isn't malware so much as it is my installing beta security software that bricks my machine. Yesterday I bricked my machine but am not sure which software it was. I was trying three programs but had been using them for a few months without issues. I use Macrium Reflect but don't have it set to start at boot and let me pick a drive. On reboot it was not seeing my USB port where my backup is. I had torn the keyboard, mouse, cat 5 and power cable out and was just stepping out the door to go buy a new one and thought I will try it a few more times, and got lucky: it saw my USB port. But it was not seeing my backup drive, which I have with the original 8.1 installed, either on any USB port.
     
  3. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Most infections are drive-by on disk, which means the user is the problem. As I did say, there are not millions, because Windows and other OSes already come with built-in protections like SmartScreen, UAC and Windows Defender, so if anyone now tells me he got infected it's just a lie, or he just disabled everything, uses warez or executed something on his/her own; that doesn't have to do with the tools, it starts with the brain. The OS (again, I know) already handles it well; in my test Defender handled all my examples well. If anyone here or in the mentioned forums can give me a sample that bypasses all this by just downloading something and executing it without a warning or something, he'd better just not use the internet (or contact me to get help). In fact manually hardening or using external software can lower the security level, which is then the opposite of what you want. I did already mention some examples, and to believe that one or two or 10 engines running at the same time make you more secure is a false sense of security. ... And that's why I'm saying people should wake up and ask why the AV tools don't tell anything about the OS security levels that have already existed for years.

    How big is the chance that millions get infected by a 0day without already being a target or on the radar of the attackers for months/weeks? So all this 'millions infected' is, in my eyes, just marketing without any proof. It starts much earlier, e.g. by recommending not to use Win 10 and to stay on 7 for no reason ... and THIS is even more dangerous than you might think, because from a security aspect you have to stay up to date; that's the only thing which is for sure.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Even without using any anti-malware/ransomware products:

    1. set UAC to maximum
    2. store all important files in a protected directory (admin-only read/write access)
    3. use a limited account for everything, especially online activities
    4. optional: run a browser with an anti-scripting plugin, probably blocking iframes as a minimum and maybe 3rd-party scripts as well.

    Even if the ransomware does run with limited rights, it can't touch the files in the protected directory.
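Step 2 of the list above, as an added example that is not the poster's own: a directory whose ACL grants access only to Administrators and SYSTEM, with inheritance cut so that no parent ACE lets a limited account in. `$Dir` is an assumed path; run this from an elevated PowerShell session.

```powershell
# Added example (not from the thread): build an admin-only directory for important files.
# A process running under the limited day-to-day account (including ransomware it launches)
# gets no ACE here, so it can neither enumerate nor encrypt the contents.
$Dir = 'C:\Protected'   # assumption: adjust to taste

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

$acl = Get-Acl -Path $Dir
# Stop inheriting from the parent and discard the ACEs already inherited
# (e.g. the default "Users: read" entries on C:\).
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Full control for the administrative principals only; everything else is implicitly denied.
foreach ($id in $allowed) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $Dir -AclObject $acl

# Verify: no ACE may remain for any principal other than the two above.
$stray = (Get-Acl -Path $Dir).Access |
    Where-Object { $_.IdentityReference.Value -notin $allowed }
if ($stray) {
    Write-Warning "Unexpected ACEs on ${Dir}:"
    $stray | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    "OK: $Dir is accessible only to $($allowed -join ' and ')"
}
```

To work with the files from the limited account you elevate (or add a read-only `ReadAndExecute` ACE for that account if read access is acceptable); write access stays with administrators either way.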
     
  5. Aura

    Aura Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    107
    Location:
    -
    My Emsisoft Internet Security (BB kickin' in) and hardened Google Chrome are enough to block Ransomware, so I'm not that worried. I'm also beta-testing Malwarebytes Anti-Ransomware at the moment.
     
  6. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    There is now another ransomware hype; this ransomware is called 'Locky' and infected e.g. the Fraunhofer Institute and some others via email and/or was directly placed on websites, which then use an old macro hole to load the ladybi.exe trojan. Kaspersky reported that some infections directly affect some pages, which then want to download/execute eiasus.exe.
    ~ Removed VirusTotal Results as per Policy ~

    Again nothing special and nothing needed; just disable macros in e.g. MS Office and/or restrict C:\Users\USERNAME\AppData\Local\Temp and nothing can happen.

    I don't really believe that there are 5000 new infections per hour, but according to the news there are several each second.

    Instead of praising new security tools, just tell people how to restrict and disable macros in MS Office and everything will be fine, like I did now .... :p

    Uargh, sooooo boring that my PC has been clean for 20+ years now. Spam and drive-by?! ... NEXT please ....
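The "disable macros in MS Office" advice above, as an added example that is not the poster's own: it sets the per-user Office policy values for VBA macro handling and for blocking macros in files that carry the Mark-of-the-Web, then reads them back. Assumes Office 2016/2019/365 (registry version `16.0`); the `$officeVersion` and `$apps` variables are assumptions.

```powershell
# Added example (not from the thread): enforce "disable all macros without notification"
# for Word, Excel and PowerPoint under the current user's Office policy hive.
$officeVersion = '16.0'                      # assumption: 15.0 for Office 2013, 14.0 for 2010
$apps          = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
$desiredLevel = 4

function Set-MacroPolicy {
    param([string]$Version, [string[]]$Apps, [int]$Level)
    foreach ($app in $Apps) {
        # Values under Software\Policies win over the Trust Center setting and grey it out,
        # so a document cannot talk the user into re-enabling macros.
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $Level `
            -PropertyType DWord -Force | Out-Null
        # Office 2016+: also block macros in files downloaded from the internet or
        # received as email attachments (Mark-of-the-Web), the Locky delivery path.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-MacroPolicy {
    param([string]$Version, [string[]]$Apps)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings
            BlockFromInternet   = $p.blockcontentexecutionfrominternet
        }
    }
}

Set-MacroPolicy -Version $officeVersion -Apps $apps -Level $desiredLevel
Get-MacroPolicy -Version $officeVersion -Apps $apps | Format-Table -AutoSize
```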
     
    Last edited by a moderator: Feb 19, 2016
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's an Emsisoft video showing its effectiveness against 20 different ransomwares: https://www.youtube.com/watch?v=zDKModQjFUs
     
    Last edited by a moderator: Feb 20, 2016
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,345
    Location:
    Italy
    Locky is unsigned:

    [two attached screenshots: 1.JPG, 2.jpg]

    Also the registry setting "Validate Admin Code Signatures" is good for the block,
    as with other ransomware.
     
    Last edited: Feb 21, 2016
  9. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    I agree I was a bit fast; the AppData method here won't work like with CryptoLocker, because it creates a file under C:\Users\USERNAME\AppData\Local\Temp\RANDOMSTRING.tmp and puts registry entries in place to execute this file at startup. There is also a second registry entry on the system binary that I assume helps this file.
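A check for the persistence pattern described above (an autostart entry pointing into a user's Temp directory), as an added example that is not the poster's own; it also reports whether the referenced file carries a valid Authenticode signature, which ties in with the earlier observation that Locky is unsigned. Run-key paths are the standard ones; the file-path extraction is a simple heuristic and an assumption.

```powershell
# Added example (not from the thread): flag Run/RunOnce entries whose command lives in
# %LOCALAPPDATA%\Temp, then check the signature of the referenced binary.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Matches ...\AppData\Local\Temp\... or an unexpanded %TEMP%/%TMP% reference.
$tempPattern = '(?i)\\AppData\\Local\\Temp\\|%TEMP%|%TMP%'

function Get-CommandPath {
    param([string]$Command)
    # Heuristic (assumption): a quoted leading path, otherwise the first whitespace token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Get-TempAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)   # REG_EXPAND_SZ is expanded here
            if ($cmd -notmatch $tempPattern) { continue }
            $path = Get-CommandPath $cmd
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            } else { 'file missing' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Signature = $sig }
        }
    }
}

$hits = @(Get-TempAutostart)
if ($hits.Count -eq 0) {
    'No Run/RunOnce entry points into a Temp directory.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

An unsigned (`NotSigned`) or missing binary launched from Temp at every logon is the combination the posts above describe and is worth investigating before the next reboot.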
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I couldn't see the alerts clearly, but was everything caught by signature, or was it the BB that blocked it?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It was the BB. You can see the option in the BB's application rule settings section. It is titled "Attempt to modify documents in a suspicious manner." The way the BB works is when EAM/EIS detects an unknown/suspicious process, all those application rule settings are activated. The only way ransomware could get around the BB is if it passed the reputation tests of "known" to Emsisoft's cloud and has a valid signature.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK so it's purely behavior based monitoring, like HMPA and MBARW? I didn't know they added this.
     
  13. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    1) Up-to-date Firefox
    2) Ublock Origin (with malware blocklists)
    3) Firejail
    4) Apparmor
    5) grsecurity (to strengthen Firejail's chroot and prevent kernel exploits)
    6) Update OS once a day
    **EDIT** 7) Backups!
     
  14. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I avoid ransomware by not downloading and running potentially suspicious programs.

    I do have antivirus software installed, as well as Bitdefender Anti-Ransomware. However, I don't feel that BD Anti-Ransomware is necessary in my case, but since it has no impact on system performance, I see no harm in having it installed.
     
  15. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    A picture is worth a thousand words... [attached image]
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Try registering it..

    "WinAntiRansom DOES NOT provide any protection when run unregistered!" On the bottom of the page...
     
    Last edited: Jun 9, 2016
  17. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Surely the 15-day trial gives you a temporary registration until you decide to purchase or not. Otherwise what's the point of the trial if it doesn't protect for a limited time?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The proper way to do this is to either block the download or the installation if required registration data is not provided. Allowing non-functional software to install, especially security software, is unacceptable in my opinion.
     
  19. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Here are some pictures of the installation, and of the protection before and after activation of the free trial:
     

  20. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    My bad, solitarios did have it registered. My apologies..
     