RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, this is a bit disappointing, don't these guys actually test their tools against real life malware?

    I'm also not sure what to think about honey-pot, and if it uses 2GB it's a deal breaker, especially on SSDs. The problem is that there are hardly any alternatives, the only two I can think of are virtualization and rollback.

    Yes, I will keep an eye on this app, because I'm still searching for a standalone anti-ransom tool, that's light weight.

    I didn't watch the video yet, but I did watch another one, and it performed pretty good. At least when there's only one partition.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, so this means that if it doesn't see activity with the honey-pot files, it's blind to encryption. Makes me wonder, why not simply always alert when files are rapidly modified or deleted? Of course there will be more false positives, but they could make a white-list of trusted apps/publishers.

    Yes, perhaps they should dump this concept, even though it's an interesting idea. BTW, can you perhaps test it by first sandboxing the ransomware samples with Sandboxie? I wonder if RansomFree can still spot the encryption.
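
Added example (not part of the thread and not RansomFree's code): a sketch of the two detection ideas raised in the post above, decoy files versus an alert on rapid modification with a trusted-app allowlist, run over constructed file events. The process names, paths, threshold and window are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds, process, operation, path). Not real telemetry.
EVENTS = (
    [(i * 0.2, "backup.exe", "write", rf"D:\backup\chunk{i}.bin") for i in range(30)]
    + [(10 + i * 0.1, "invoice.exe", "write", rf"D:\docs\report{i}.docx") for i in range(25)]
    + [(20.0, "dropper.exe", "delete", r"C:\Users\a\Documents\~canary-7f3a\bait.docx")]
)
CANARIES = {r"C:\Users\a\Documents\~canary-7f3a\bait.docx"}  # hypothetical decoy path
TRUSTED = {"backup.exe"}                                     # hypothetical allowlist
CHANGE_OPS = ("write", "delete", "rename")

def canary_alerts(events, canaries):
    """Processes that modified or deleted a decoy file."""
    return {proc for _, proc, op, path in events
            if op in CHANGE_OPS and path in canaries}

def rate_alerts(events, trusted, threshold=20, window=5.0):
    """Untrusted processes that changed >= threshold distinct files within `window` seconds."""
    recent = defaultdict(deque)  # process -> (time, path) pairs still inside the window
    flagged = set()
    for ts, proc, op, path in sorted(events):
        if proc in trusted or op not in CHANGE_OPS:
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len({p for _, p in q}) >= threshold:
            flagged.add(proc)
    return flagged

def detect(events=EVENTS):
    """Run both detectors over the same event stream."""
    return {"canary": canary_alerts(events, CANARIES),
            "rate": rate_alerts(events, TRUSTED)}

if __name__ == "__main__":
    for name, procs in detect().items():
        print(name, sorted(procs))
```

In this constructed data the process rewriting files on D: never touches the decoy on C:, so only the rate detector flags it; with an empty allowlist the backup tool is flagged as well, which is the false-positive cost the post mentions.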
     
  3. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I was testing like that and it failed.
    Clean os, new drive created, added test files, install RansomFree (honeypot on both drives), run Ransimware, files encrypted.
    This version is not good, waiting for the new one.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If the market bears out how we feel it will force them to dump it.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    What I find more disturbing than the fact RansomFree can't stop ransomware on a multi-partitioned HDD, or multiple local HDDs, and quite possibly network drives is that there have been over a dozen reviews on the product posted on the web in the last week. A number of these are from respected sources. Yet, not one review source has apparently tested the software on more than a single partition boot drive. :rolleyes:
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Yeah, apparently Wilders is the only website really testing and criticizing RansomFree.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It still holds that if you want security/backup type programs run thru the wringer bring them here to Wilders. Some of the vendors here know this and really appreciate it.
     
  8. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Peter2150 how well you stated the truth here at Wilders. Vendors do get run through the wringer.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Actually I did in an addendum.
     
  10. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    CS you tested v2.1.0.0, there is a new version v21.1.0 which now adds a honeypot on the second drive, and the honeypots are hidden now.
    I tested and the results are the same.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've just read some more info, and apparently they also use honey-pots in their enterprise product. But they also use signatures of known ransomware, perhaps they can also offer this in the free product. Can you perhaps test the SBIE + RansomFree (RF) combo? Normally I always first run/install apps sandboxed to see how they behave, so would be interesting to see if RF still spots encryption inside the sandbox.
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Maybe tomorrow if I get some free time.
    But what is the point if RS detects ransomware in sandbox?
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks in advance. The point is that some security tools can not spot malicious behavior inside the sandbox. And like I said, I always test apps inside the sandbox, so if RF could alert me about file encryption it would be cool. If it fails, no problem because real files are protected by SBIE.
     
  14. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    For that is better to have Shadow Defender.
     
  15. UriCybereason

    UriCybereason Registered Member

    Joined:
    Dec 25, 2016
    Posts:
    1
    Location:
    Israel
    Hello everyone, my name is Uri from Cybereason - I'm the lead developer for RansomFree, and I'm glad to read your thoughts on our product.

    RansomFree has been developed as a free tool to help people protect against ransomware. It's not perfect and does not intend to replace other security solutions (such as AVs), but rather to supplement them, and it can run alongside any existing product. Note that RF is not our main product - Cybereason's customers are large enterprises which use our EDR product. The RF project has been entirely pro-bono and as such got only a small fraction of our resources and attention. That is also why it's completely free - this is not our core business. That's also one of the reasons why most of you never heard of us before.

    However, even though it's a free side project, we still intend to invest more time and effort into improving it, and we intend to do it fast - we added secondary-drive protection less than 48 hours after the initial release and we will release a major update in a few weeks which will address some of the issues raised so far. RF has been downloaded and installed by tens of thousands of people and has already prevented a few dozens of real ransomware attacks.

    Note that no desktop application can be perfect and no security solution is perfect with the many combinations of OS, existing applications and user interaction. However, our tool does manage to catch a nice collection of ransomware families, and we intend to be able to catch not-yet-known future ransomware as well. As you guessed, our main detection method is indeed honeypot files and directories, which have a random element. We also have several other detection methods. However, there will always be ransomware that will manage to slip by us (the same is true for any AV, since ransomware authors are constantly adapting their attacks).

    As for testing - note that RansomFree was designed to protect against the typical attack, and was tested as such. Consider whether certain tests represent a typical ransomware infection or not before jumping to conclusions. I also couldn't help but notice the criticizing remarks of several people here, and I'm not sure why - our only intention is to offer another approach to ransomware mitigation and help in the fight against them (this fight, however, will not be won in the technological arena, IMO - all we can do is delay them). I welcome any suggestion for improvement.

    Uri
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Hello @UriCybereason , welcome to Wilders.
     
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,427
    Location:
    U.S.A.
    Uri, Wilders members will tear apart any software, and many developers have come here first. The end result: truly world class applications. Don't feel intimidated, we all want you to succeed! :) Welcome to Wilders!
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Uri

    Welcome to Wilders, and JR is correct we will beat on it. I was definitely one of the critical ones. I would agree that within what you stated you're okay. But I judged it based on what the Website led me to believe. In that light it was a let down.

    Let us know when there are new versions, and we will test them.

    Pete
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Hi Uri and welcome, I'm glad you're here and have confirmed it's in development as I guessed it would be, a few seemed to have assumed it wasn't.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You might want to check out if that protection is actually working. There were Wilders members who tested after that timeframe, which also included a new release of RF, and all tests indicated secondary drive/partitions were encrypted.
     
  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Uri, it's nice to see a dev participate in a public security forum. This builds confidence in the product among the security community.
    Welcome!
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Good to see you here :thumb:.

    I used CryptoMonitor before, the daddy of MalwareBytes Anti-Ransomware, which also relied on honeypots ...

    Is it also safe to run RF alongside other anti-ransomware tools? They could interfere if both have a roll-back element?
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good to see you and thanks for developing this solution. Yes, some of the comments may seem a bit harsh, but this happens with all products (free and paid) that are being discussed on this forum, and we do want to see this and other apps become a success. And of course, 100% security is not possible, especially when it comes to pro-active monitoring. But anyway, can you tell us a bit more on how you're planning to improve it? According to certain tests, data on other partitions are still being encrypted. So this must mean, that the honey-pot approach is not foolproof.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Exactly. If this honeypot approach was really foolproof, I could kind of tolerate their huge size. USB drives need the same approach, especially USB sticks?
     