I think so. But if you don't have the honeypot files on it, the "main detection method" doesn't work for this stick.
I really don't like this honeypot thing. Whether the file is hidden or not, it's sucking up lots of space. Can someone explain the concept?
Peter, from reading your earlier posts in this thread, I believe you are not asking what the concept is, but rather are questioning its validity. But FWIW: The concept is that the honeypot folder names start with characters like ~ or ! . The concept, which may be flawed, is that because they are low on the ASCII table they will be scanned first by ransomware. RansomFree monitors these files, and whenever they change, it detects the originating process and pauses it. At this stage, RansomFree also shows a prompt, asking the user if he wants to stop the source process, or allow it to continue to execute. The possible flaw in the concept, at least according to Fabian Wosar of Emsisoft, in an earlier post in this thread, is that "... several high-profile [ransomware] families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author and that whole narrative falls apart at that point." <a href="https://www.wilderssecurity.com/threads/ransomfree-by-cybereason.390786/#post-2639605">RansomFree by Cybereason</a> It is not clear to me from the Cybereason Website whether or not the product includes any other "behavioral analysis" component.
"As you guessed, our main detection method is indeed honeypot files and directories, which have a random element. We also have several other detection methods." Taken from post #115. It doesn't say what the other methods are, though.
Thanks guys. What you have done is convinced me it's a terrible concept. And frankly when Fabian speaks on Ransomware, I listen. I have been testing, and I want to do a bit more, but I am becoming convinced that the need for specialty ransom protecting software is getting close to zero.
I believe the "honeypot directories/files" are scattered through the HDD; hence the large disk usage involved. I suspect they are created primarily in directories that ransomware targets like %LocalAppData%\Documents, Pictures, and the like. I also suspect this is the issue with secondary partitions/drives. Although members posted screenshots of honeypot directories created in the root directory of their secondary partitions/drives, I don't know if any honeypots were created in the non-root directories. In any case, the honeypots have strange names, with the "~" leading character names being easy to spot by ransomware. Does anyone have legit directory names that begin with "~"? Anyone using a HIPS can just create the same files, hopefully with a bit more creativity in the naming of same. Then just create a HIPS rule to detect any write activity against the files. Better yet, just create HIPS rules to monitor write activity to %LocalAppData%\Documents, Pictures, and the like. After all, it's not like the files in these directories are being constantly updated ..........
Hi, I want to give feedback on v2.1.1.0. After installing it on my MS Surface Pro 4, the fan kept spinning non-stop and my battery drained very rapidly. I then uninstalled it and the fan spinning stopped. Please look into this. Thanks
I would also like to know what other behavioral monitors this product is using, because when it doesn't see any activity with the honeypot files, it seems to be blind; this is what needs to be improved. This tool definitely has potential.
On reflection, I feel the honeypot approach is very dangerous. Question for Uri: would you install it on your critical business systems without any of your other endpoint security? I suspect not.
A new version has been released: 2.1.2.0 Code: Cybereason RansomFree 2.1.2.0 (timestamp: 2017-01-01) https://ransomfree.cybereason.com/download/ or: https://ransomfreedownload.cybereason.com/CybereasonRansomFree.msi
I can't find one. According to the Q&A, removable media is not protected: ---- Suspect files will be uploaded to their servers:
Haven't tried. But looking at the version change, it is a minor update. Hence I believe they are still using them, for sure.
Yesterday I got a RED MALWARE/SUSPICIOUS BEHAVIOR WARNING pop-up from EMIS 12's behavior blocker, with a recommendation of "Quarantine", that: "Cybereason RansomFree is trying to install (I think it was a file) invisibly". I didn't know that Cybereason RansomFree did that. It was not a typical full update and was the first time I had seen that. Kinda freaked me out. [Yeah, I am aware that EMIS is not FP-free.] I quarantined it because I was not comfortable with it. I then uninstalled Cybereason RansomFree because it was not clear to me what info Cybereason RansomFree was transferring back and forth to and from its servers. Subsequently, for an unrelated reason, I did a system restore to a point several hours before that occurrence. After the same version of Cybereason RansomFree (v 2.1.2.0) was again back on my system, I have not gotten the same attempt to install invisibly by Cybereason RansomFree. Seems kinda strange. Emsisoft had not whitelisted it in the interim and it is still listed as "unknown."
Probably it was trying to set up one of the hidden honeypots it uses, or it was trying to update itself.
I had time, so I tried the new version and, as you can imagine, it's Brand New Same Old Stuff. The issue with the product is not only the honeypot model, but where the honeypots are placed (it's important!). For example, consider DeriaCrypt (the successor to DeriaLocker; nobody has renamed it yet except me). Deria will first look to encrypt the Users directory, and only after this will it seek out other stuff on the drive. So if the honeypots are not located within the user's space, you are pretty much screwed. That was my theory, anyway. In practice, when DeriaCrypt is run on a RansomFree system it does indeed trash the Users space (docs, mp3s, 7Zs, exes, etc.) within seconds; it then takes about 15-20 seconds to get to the honeypots on the C drive, where RansomFree finally detects and stops it without further damage. But your valuables are long since toast, so who really cares?
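The honeypot mechanism described a few posts up (bait folders chosen to sort early, a watcher that stops the first process to touch them), the do-it-yourself HIPS variant suggested there, and the placement failure shown by the DeriaCrypt test above can all be reproduced in a small simulation. The following is an added example, not Cybereason's code and not the behaviour of any real sample: it builds a constructed user-profile tree in a temporary directory, plants a bait file in whatever directories you name, and runs two simulated encryptors against it, one walking the disk in code-point order and one encrypting the user profile first, counting how many real files are overwritten before the bait changes. One fact worth checking against the "low on the ASCII table" assumption: "!" is 0x21 and sorts before letters, but "~" is 0x7E and sorts after them in plain code-point order; which order a real sample actually sees depends on the directory enumeration API it calls and whether it sorts at all, so the simulation's ordering is itself an assumption.

```python
"""Honeypot-file ransomware detection, simulated.

Added example, not Cybereason's code. The directory layout, the bait
file name and the two walk orders are all constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed victim layout, modelled loosely on a Windows system drive.
USER_FILES = [
    "Users/alice/Documents/thesis.docx",
    "Users/alice/Documents/taxes.xlsx",
    "Users/alice/Pictures/holiday.jpg",
    "Users/alice/Music/song.mp3",
    "Windows/System32/notes.txt",
    "Program Files/app/readme.txt",
]
HONEYPOT_NAME = "bait.docx"  # assumed bait file name


def build_tree(root: Path, honeypot_dirs):
    """Create the victim files plus one bait file in each honeypot dir."""
    for rel in USER_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"original contents of " + rel.encode())
    for d in honeypot_dirs:
        p = root / d / HONEYPOT_NAME
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"honeypot in " + d.encode())


class HoneypotMonitor:
    """Baseline the bait files and report when any of them changes.

    A real product hooks the write in a filesystem filter and suspends the
    writing process; here the caller polls tripped() after every write,
    which is the same decision point with none of the kernel plumbing.
    """

    def __init__(self, root: Path, honeypot_dirs):
        self.baseline = {
            root / d / HONEYPOT_NAME: self._digest(root / d / HONEYPOT_NAME)
            for d in honeypot_dirs
        }

    @staticmethod
    def _digest(p: Path) -> str:
        return hashlib.sha256(p.read_bytes()).hexdigest()

    def tripped(self) -> bool:
        return any(self._digest(p) != h for p, h in self.baseline.items())


def ordinal_walk(root: Path):
    """Visit files in plain code-point order of directory and file names.
    '!' (0x21) sorts before letters, '~' (0x7E) sorts after them."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort steers os.walk's traversal order
        for f in sorted(filenames):
            out.append(Path(dirpath) / f)
    return out


def value_first_walk(root: Path):
    """Encrypt everything under Users first, the rest of the drive after."""
    files = ordinal_walk(root)
    users = root / "Users"
    inside = [p for p in files if users in p.parents]
    outside = [p for p in files if users not in p.parents]
    return inside + outside


def run_ransomware(order, monitor: HoneypotMonitor) -> int:
    """Overwrite files in the given order until the monitor trips.
    Returns how many non-bait files were damaged before detection."""
    damaged = 0
    for p in order:
        p.write_bytes(b"ENCRYPTED:" + p.read_bytes())  # simulated in-place encryption
        if p.name != HONEYPOT_NAME:
            damaged += 1
        if monitor.tripped():
            break  # the process would be suspended here
    return damaged


def simulate(honeypot_dirs, walker) -> int:
    """Build a fresh tree, plant bait, run one walker; return files lost."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_tree(root, honeypot_dirs)
        monitor = HoneypotMonitor(root, honeypot_dirs)
        return run_ransomware(walker(root), monitor)


if __name__ == "__main__":
    for dirs in (["!bait"], ["~bait"], ["Users/alice/!bait"]):
        for walker in (ordinal_walk, value_first_walk):
            print(f"bait in {dirs}, {walker.__name__}: "
                  f"{simulate(dirs, walker)} real files lost before detection")
```

Running it shows the two failure modes separately: a root-level "!" bait stops the ordinal walker at zero loss but lets the profile-first walker take every user file first, a root-level "~" bait is visited last by both walkers in this ordering, and only bait planted inside the profile (where the HIPS suggestion above would put it) catches the profile-first walker before it touches real data.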
CS, I have seen a lot of software you have tested, but am wondering if you have tested AppGuard as of yet? Sorry for going off topic.
That is shocking! By default, the Documents, Pictures, Downloads, and Videos folders are stored in each user's directory. I also have always assumed this would indeed be the first place ransomware would begin its encryption activities.
A Waterloo disaster, caused by a flawed design. That was to be expected. I'd like to see an updated review by CS, about HMP.A I guess HMP.A will do it right.
I thought that was clear. Yes, it was my expectation that such a bypass could occur, and one I confirmed by running DeriaCrypt, which acts in the way that was needed for this confirmation.
Links to so-called "youtesters" are not allowed on the Wilders forum.... Anyway, if you would like to watch the very interesting and competitive reviews by cruelsister, search YouTube for cruelsister1. Get your kicks there!
@UriCybereason What is the "data" that Cybereason RansomFree downloads invisibly to a user's PC between new versions ?