RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    Thanks Shmu, glad to hear that.

    I downloaded what was supposed to be 2.1.1.0 from Snapfiles and got 2.1.0.0. So I just now downloaded from the Cybereason website and also got 2.1.0.0.

    So I wonder if they found a problem with the update and rolled back?
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Did you try this:

    https://www.upload.ee/files/6476885/CybereasonRansomFree.msi.html
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    the link from @Djigi worked fine for me
     
  4. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    Naw. If they removed the new version from the official site for some reason, I assume there may be a problem with it and I'm afraid to try it.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    so install the old version, then. It ain't so bad. If it automatically updates to the new version, that is the answer to your question.
     
  6. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    It's installed. :) That's how I know what version it is, I didn't see a version number on the installer. When I right click on the tray icon and tell it to check for updates nothing happens. I may need to clear it through TinyWall.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    From your screen shot, appears only some files were encrypted on your N drive. Suspect those might be the honeypot files?
     
  8. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    Added an exception for the .exe to TinyWall, still doesn't seem to do anything when I check for updates. Still shows 2.1.0.0.
     
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    No, look at the files on the left.
    All except .exe files are encrypted.
    Honeypot files are hidden.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Because Cybereason pulled back v2.1.1.0, for an unknown reason.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ok, I see it now. Ransomware encrypted .doc, .txt, etc. but left .exe, .html, etc. alone.
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Only .exe is left.
    These html files are encrypted "OSIRIS" - this is not a legit file
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    The installer for the new version is clearly marked with the new version number.

    Dunno if you meant you didn't look or you looked at the installer and it wasn't there :)
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    v2.1.1.0 is back on their website...

    Code:
    https://ransomfreedownload.cybereason.com/CybereasonRansomFree.msi
    Same installer checksums... :thumb:
     
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Looks like it could be another Invincea, Sophos, etc. That is neither good nor bad, just more or less unknown. The one thing they all have in common is you have to sign up for a demo.
     
  17. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    What I meant was that it wasn't on the name of the installer (CybereasonRansomFree.msi), and I'm not in the habit of looking at the properties unless I suspect a reason to, I just assumed I was downloading the new version and didn't find out otherwise until I installed.
     
  18. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    BTW, it is now downloading 2.1.1.0. Don't know why it seemed to be pulled for a while.

    I had to download the installer to find out, the check for update feature still doesn't seem to be doing anything for me, no indication it's even checking that I can see.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Looks like a pre-beta soft, immature but promising, at least for me. I like the behavior monitoring approach they have developed plus its light weight, light impact.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to this software failing to prevent non-boot local drives from being encrypted, I refer back to something Fabian W. posted previously:

    "But several high-profile families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author"

    @Djigi, do this as a test. Create your non-boot drive test folder with test files contained within prior to installing Cybereason anti-ransomware. Then install Cybereason and verify that honeypot files were created in the test directory of the non-boot drive. Finally, test with the ransomware you have been using. I strongly suspect that Cybereason will now detect the ransomware on the non-boot drive.

    My gut is telling me that the ransomware is ignoring the honeypot directories created on non-boot drive. Since you previously created a test directory after Cybereason was installed, no honeypot immunization files were created in that directory enabling the ransomware to encrypt them. This test would also prove that there is a flaw in the software; it doesn't immunize newly created directories -or- perhaps a reboot is required to do so?
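
The coverage gap described in the post above (decoy files present only in directories that existed when the tool was installed) can be checked for directly. The following is an added example, not part of the original thread and not Cybereason's code; the decoy name, its contents and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAME = "~canary.docx"                       # hypothetical decoy name
CANARY_BODY = b"constructed decoy content\n" * 64  # constructed sample data

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def deploy_canaries(root):
    """Drop a decoy into every directory that exists now; return {path: digest}."""
    baseline = {}
    for d, _dirs, _files in os.walk(root):
        decoy = Path(d) / CANARY_NAME
        decoy.write_bytes(CANARY_BODY)
        baseline[str(decoy)] = sha256(CANARY_BODY)
    return baseline

def audit(root, baseline):
    """Return (decoys changed or missing, directories holding files but no decoy)."""
    tampered = [p for p, digest in baseline.items()
                if not Path(p).is_file() or sha256(Path(p).read_bytes()) != digest]
    uncovered = [d for d, _dirs, files in os.walk(root)
                 if files and str(Path(d) / CANARY_NAME) not in baseline]
    return sorted(tampered), sorted(uncovered)

def demo():
    """Directory 'early' exists at deployment time, 'late' is created afterwards."""
    with tempfile.TemporaryDirectory() as root:
        early, late = Path(root, "early"), Path(root, "late")
        early.mkdir()
        (early / "a.txt").write_text("constructed sample")
        baseline = deploy_canaries(root)
        late.mkdir()
        (late / "b.txt").write_text("constructed sample")
        # Stand-in for any process that rewrites every file in both directories.
        for f in list(early.iterdir()) + list(late.iterdir()):
            f.write_bytes(f.read_bytes()[::-1] + b"!")
        tampered, uncovered = audit(root, baseline)
        return ([os.path.relpath(p, root) for p in tampered],
                [os.path.relpath(d, root) for d in uncovered])

if __name__ == "__main__":
    print(demo())
```

In the demo the rewritten decoy in `early` is reported as tampered, while `late` is rewritten without touching any decoy and only shows up because the audit lists it as uncovered.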


     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    But RansomFree does not create honeypots within directories. Just into drives' root, afaik.

    Edit: I'm wrong. I can see honeypots within Documents folder. :cautious:
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    What you are suggesting to Djigi is exactly how I tested it. It failed. Frankly I don't like this honeypot concept. HMPA doesn't use it and its Cryptoguard is doing a good job.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Neither do I. Those honeypots are really big, around 400 ~ 500 MB. Now, if they are not dropped in USB sticks, like mine, and ransomware decides to encrypt those USB sticks first?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    OK. Didn't know you tested this way.

    I agree that using file honeypots is a "brute force" solution. And an inefficient one at that with up to 2 GB of disk space wasted.

    Also worth noting is that security permissions on non-boot drives by default are very weak as noted by the below screen shot. Authenticated Users are anyone with logon capability.

    Non-Boot_Drive_Permissions2.png
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Seems they're connected with Lockheed Martin, Cybereason seems to be a quality security software company...."

    look at my post number 4.
     