Alternative to Cybereason RansomFree?

Discussion in 'other anti-malware software' started by CJ7168, Aug 11, 2019.

  1. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hello everyone,

    With the discontinuation of Cybereason RansomFree late last year I wish to ask your advice on choosing an alternative.

    I found the following two lists of alternatives but wanted to ask if you have any experience of using any of them?
    My current short list so far is:

    • Acronis Ransomware Protection
    • RansomOff
    • Kaspersky Anti-Ransomware Tool for Business

    ===================
    Sources:
    Search for Ransomware Prevention within the following BleepingComputer link (my thanks to them and “Bleepin' Gumshoe” for this very helpful guide):

    https://www.bleepingcomputer.com/fo...-security-questions-best-practices/?p=4598991

    https://alternativeto.net/software/ransomfree/

    ===================

    Ideally, I’m looking for an application that offers real-time protection against ransomware in general rather than just specific variants and protects the MBR/GPT of the hard disk. It would be nice if it was free but doesn’t have to be.

    I am using Windows 10 Pro 64-bit Version 1903. I simply want more protection against ransomware than my current anti-malware solution (Norton Security (Version 22.18.0.213)) offers. The Controlled Folder Access feature of Windows 10 is good but not fully featured.

    Any advice would be much appreciated. Thanks very much in advance for your time.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.zonealarm.com/anti-ransomware

    Review here: https://www.pcmag.com/review/355010/check-point-zonealarm-anti-ransomware

    Also:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Before this thread is over you will have every one of them listed here.
     
  5. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hi itman and Rasheed187,

    Thanks very much for your suggestions. Sorry for not responding sooner.

    Using these suggestions, I am testing these against ransomware samples, specifically Locky, Cerber, Spora and Petya. My goal is to find the tool which protects against most/all of these and meets my needs (not too high on resource usage and little to no conflicts with my existing anti-malware solution or my applications).

    From a comment placed in the following review, CyberSight, makers of RansomStopper, are no longer trading/operating. I haven’t been able to confirm this:

    https://uk.pcmag.com/ransomware-protection/92457/cybersight-ransomstopper

    I’ll update this thread with my results as soon as possible. Thanks again.
     
  6. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    They have a Facebook account that has no posts from after Dec 2017.
     
    Last edited: Aug 27, 2019
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Looks like they're out of business. Going to their web site, www.cybersight.com, yields a 404. Such is the lifespan of freebies these days.
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would suggest pumpernickel. It doesn't depend on detecting behavior, just protects what you want to protect. It just works.
     
  11. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    RansomStopper works good now and should going forward without getting any updates to it.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes I saw it too, I guess these things can happen with small companies. But I've read that it's pretty bloated, apparently it uses about 700MB of RAM, no thanks.

    No problem and let us know the results.
     
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Mine has about 72 MB of RAM.
     
  14. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hi Baldrick,

    I totally agree with all of your points. AppCheck is the solution I chose and have been using happily for more than 1 year on all of my systems. It's incredibly light on resources, excellent protection and good value too (especially with the 2 year subscription I purchased). The recommendation from Rasheed187 really helped too.

    Between one thing and another I never got around to providing the results of the testing to everyone sooner. Please find them below. I realise these are of reduced usage now due to the time that has passed but they were an accurate reflection of some leading anti-ransomware tools against some really tough ransomware.

    Thanks again everyone for helping me make the right choice.

    ===============================
    My testing results from September 2019:

    Products tested:
    Please note that these tools are primarily targeted at client rather than server systems. All tests were carried out on Windows 10 Version 1903, 64 bit, unless otherwise noted. Please check the license before deploying in a commercial environment:


    Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

    Cybereason RansomFree (discontinued: November 2018)

    CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

    Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

    Heilig Defense RansomOff: https://www.ransomoff.com/

    ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

    Further notes:
    • What started out as some research on which product was the best for my needs resulted in the information I posted here.
    • All of this testing was carried out on air-gapped Windows 10 Version 1903 and Windows 7 virtual machines. The ransomware samples never had access to real systems and no other systems were unaffected by my testing. The ransomware samples have since been deleted.
    ================
    Malware Tested:
    Locky
    Spora
    Petya (Sample A)
    Petya (Sample B)
    Cerber
    GandCrab (v5)
    NotPetya
    WannaCry

    ================

    Key:
    Pass: All ransomware removed and all encrypted files recovered
    Inconclusive: Sometimes the encrypted files were recovered, sometimes they were not
    Fail: Ransomware was not removed, files not recovered or system was no longer bootable


    Link to screenshot of results:
    https://imgur.com/DpH101S

    ================
    My thanks to the following sites for making these malware samples available:
    www.kernelmode.info
    www.virusign.com
    github.com/ytisf/theZoo
    gist.github.com/vulnersCom
    YouTube User: Def: https://www.youtube.com/watch?v=_A2zBtCsiKI
    ================
     
    Last edited: Oct 12, 2020
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Nice info...kudos...
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Thanks for the test results, better late than never LOL. And how come most of the tools failed to block NotPetya, did you report this to them? Actually, I now see AppCheck failed to protect on a Windows 7 system, what's the difference?
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    CJ- Although AppCheck is a nice app and it is fun to watch encrypted files being (mostly) restored. Also impressive is the ability to catch ransomware that will drop spawn and autorun upon Windows reboot.

    But please note that it is not proof against all forms of ransomware. Your results may have been a bit different by running things that utilize untypical mechanisms like Troldesh, Locky Assassin, MirCop, and various LOLBin ransomware.
     
  18. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    You're welcome Baldrick.

    @Rasheed187:
    Most of the tools either didn't detect NotPetya or would detect it but, upon rebooting the system, the system would either display the black and red text ransom note before Windows booted or the system would simply not boot, displaying just a blank screen. Where the system wouldn't boot I still marked it as a fail. While using the Windows Recovery Environment along with the following commands would make the system bootable again, not all users are going to know to do this.

    Bootrec.exe /FixMbr
    Bootrec.exe /FixBoot
    Bootrec.exe /RebuildBcd

    I didn't report this to each of the tool vendors; I just didn't have the time. What started out as some research on which product was the best for my needs quickly took up hours of my time documenting results and setting up repeatable tests of each ransomware sample.

    AppCheck, like many of the other tools, didn't protect on Windows 7 since the system was unbootable upon restarting. As I said above, I marked that as a fail even though a technical user can recover from it. I admit this approach may be unfair.

    Agreed, AppCheck is an excellent app. You're absolutely right; it's not perfect against all ransomware. I admit my results are a point in time snapshot of some ransomware samples and do not necessarily represent all samples past, current and future.

    I'm currently not aware of the mechanisms you listed but I will research them since I like this area of ransomware research.

    Thanks again everyone.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This won't work for NotPetya. NotPetya also encrypts the MFT, rendering all your files useless.

    Ref.: https://www.crowdstrike.com/blog/pe...e-encryption-mft-encryption-credential-theft/

    https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

    There appear to be some backup utilities that can back up the MFT separately. Other than that, your only recourse is to restore from a full image backup. Also restoring the MFT is questionable since it is constantly being updated. Anything installed after the MFT backup would still exist and would reference files that would not exist in the MFT or have been physically moved from locations shown in the MFT after restoration. Ref.: https://hetmanrecovery.com/recovery_news/ntfs-file-system-structure.htm

    -EDIT- I should add that minor MFT corruption can be repaired using chkdsk: https://www.stellarinfo.com/blog/fix-corrupt-master-file-table-error/ which I believe would not work when the entire MFT is encrypted.

    The next method to deploy would be:
    https://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

    I believe NotPetya also encrypted the MFT mirror backup file.
     
    Last edited: Oct 13, 2020
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK thanks, but this only happened on Windows 7 if I understood correctly, when it came to AppCheck. It's a bit weird because AppCheck does protect against MBR modification.

    So you're saying that AppCheck fails against these ransomware variants? Luckily I block automatic running of LOLBins via EXE Radar so this should cover it I assume.

    https://lolbas-project.github.io
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    BTW, cruelsister can you take another look at NeuShield, would you recommend it?

    https://www.neushield.com
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Hi Rasheed! I took NeuShield Data Sentinel (free) for a quick dance and consider it quite nice for what it is. For those not familiar with this product, they state:

    "does more than just detecting and blocking ransomware attacks. We’re the only anti-ransomware technology that can recover your damaged data from malicious software attacks without a backup. Data Sentinel uses Mirror Shielding™ to protect files ensuring that you can instantly recover your important data from any ransomware attack."

    Upon installation (which was done on a system with the bare minimum of resources, mimicking the biggest piece of junk one can imagine) the main application as well as a Service were created, neither of which were memory/CPU intensive. No tweaking of any sort was needed (nor possible).

    The protection is specific for the usual suspects (the Folders- Documents, Music, Pictures, Desktop, Contacts, Games, Videos). Upon running diverse ransomware, although encryption occurred (remember this is not an anti-ransomware application), all files were able to be restored by opening up the GUI and clicking Revert for each of the folders and all the encrypted items were deleted. The exception to this was some files (esp. executables) that were trashed by the malware were put into the Trash bin upon reverting (not a big deal).

    NeuShield does also have intrinsic protection against ransomware that mess with the MBR and this works well and prevents such manipulation. Unlike the Home and Biz versions, the free version does not have the ability to restore Windows System files, and although they say that all versions have: "Boot Protection Prevents ransomware from making your system unable to boot" I can assure you that it did not work against a little cuties that I coded especially to test this.

    Finally, it is important to note that NeuShield will NOT protect files in Folders outside of those that I listed above, so this can be problematic with Fortress Class malware (those that will trash files of any type anywhere).

    But other than that a rather interesting application that will coexist nicely with other security apps if one feels that their current setup may be lacking.

    m
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Thanks for the review, I really appreciate it. So from what I understood it doesn't actually try to stop ransomware from encrypting files, but it's basically a file recovery tool. I'm not sure what to think of it, perhaps it can be used as an extra layer on top. But it also doesn't protect all folders, that's a bit weird.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    R- To clarify, NeuShield is in no way an anti-ransomware application at all. Any malicious file that can encrypt will encrypt. However those files that are encrypted can be restored as long as they are in the specific protected folders. This is not uncommon for such protection modalities and can leave one with a false sense of security.

    Personally when I test such things I will create an odd directory (like C:\1) and plop some files that are normally victimized in it (doc, jpg, txt) to check if they are encrypted and if they can be restored. So with NeuShield a photo of your dearly departed GrandMother can be restored if it was encrypted within the "My Photos" directory, but will be lost if you happen to save it in the "C:\Granny's Photos" directory.

    But NeuShield still will be of value if a system's primary malware defense is sub-optimal against encryptors. As an example (and sadly a hot topic on Wilders) is SpyShelter. Although SS will not protect (free or paid) from the likes of Killar, Maze or Xdata, with NS also installed trashed files can be restored.

    M
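
Added example, not part of cruelsister's post or of any product discussed in this thread: a Python sketch of the canary-directory check described above, planting known files in a protected-style folder and in an odd directory, then auditing them after a test run or a Revert. The file names, contents, and status labels are assumptions made for illustration.

```python
import hashlib, math, tempfile
from collections import Counter
from pathlib import Path

# Constructed canary contents (low-entropy placeholders, not real doc/jpg data).
SAMPLE = {
    "canary.txt": b"quarterly report draft\n" * 200,
    "canary.doc": b"meeting notes placeholder\n" * 200,
    "canary.jpg": b"family photo placeholder\n" * 200,
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def baseline(files):
    """SHA-256 of each canary; recomputable later from the same constants."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}

def plant(directory, files=SAMPLE):
    """Write the canaries into `directory` and return their baseline hashes."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for name, body in files.items():
        (d / name).write_bytes(body)
    return baseline(files)

def audit(directory, expected, entropy_limit=7.0):
    """Return ({name: status}, [unexpected file names]) for one directory."""
    d = Path(directory)
    status = {}
    for name, digest in expected.items():
        path = d / name
        if not path.is_file():
            status[name] = "missing"  # deleted, or renamed with a new extension
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            status[name] = "intact"   # the hash is authoritative
        else:                         # entropy is only a hint about what happened
            status[name] = "changed-high-entropy" if entropy(data) > entropy_limit else "changed"
    extras = sorted(p.name for p in d.iterdir() if p.name not in expected) if d.is_dir() else []
    return status, extras

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp(prefix="canary-"))
    for folder in ("Documents", "1"):  # protected-style folder vs. odd directory
        print(folder, audit(root / folder, plant(root / folder)))
```

Run `audit` on both directories after the test and again after the recovery step; a folder outside the tool's protected list that still reports "missing" or "changed-high-entropy" is the coverage gap described in the post.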
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Are you saying Spyshelter should not be used because it's ineffective?
     