Alternative to Cyberreason RansomFree ?

Discussion in 'other anti-malware software' started by CJ7168, Aug 11, 2019.

  1. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hello everyone,

    With the discontinuation of Cybereason RansomFree late last year I wish to ask your advice on choosing an alternative.

    I found the following two lists of alternatives but wanted to ask if you any experience of using any of them?
    My current short list so far is:

    • Acronis Ransomware Protection
    • RansomOff
    • Kaspersky Anti-Ransomware Tool for Business

    ===================
    Sources:
    Search for Ransomware Prevention within the following BleepingComputer link (my thanks to them and “Bleepin' Gumshoe” for this very helpful guide):

    https://www.bleepingcomputer.com/fo...-security-questions-best-practices/?p=4598991

    https://alternativeto.net/software/ransomfree/

    ===================

    Ideally, I’m looking for an application that offers real-time protection against ransomware in general rather than just specific variants and protects the MBR/GPT of the hard disk. It would be nice if it was free but doesn’t have to be.

    I am using Windows 10 Pro 64-bit Version 1903. I simply want more protection against ransomware than my current anti-malware solution (Norton Security (Version 22.18.0.213)) offers. The Controlled Folder Access feature of Windows 10 is good but not fully featured.

    Any advice would be much appreciated. Thanks very much in advance for your time.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    https://www.zonealarm.com/anti-ransomware

    Review here:https://www.pcmag.com/review/355010/check-point-zonealarm-anti-ransomware

    Also:
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Before this thread is over you will have every one of them listed here.
     
  5. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hi itman and Rasheed187,

    Thanks very much for your suggestions. Sorry for not responding sooner.

    Using these suggestions, I am testing these against ransomware samples specifically Locky, Cerber, Spora and Petya. My goal is to find the tool which protects against most/all of these and meets my needs (not too high on resource usage and little to no conflicts with my existing anti-malware solution or my applications).

    From a comment placed in the following review; CyberSight makers of RansomStopper are no longer trading/operating. I haven’t been able to confirm this:

    https://uk.pcmag.com/ransomware-protection/92457/cybersight-ransomstopper

    I’ll update this thread with my results as soon as possible. Thanks again.
     
  6. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,271
    Location:
    Hollow Earth - Telos
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,271
    Location:
    Hollow Earth - Telos
    They have a Facebook account that has no posts from after Dec 2017.
     
    Last edited: Aug 27, 2019
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Looks like they're out of business. Going to their web site, www.cybersight.com, yields a 404. Such is the lifespan of freebees these days.
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,585
    Location:
    South Wales, UK
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would suggest pumpernickel. I doesn't depend on detecting behavior, just protects what you want to protect. It just works.
     
  11. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,271
    Location:
    Hollow Earth - Telos
    RansomStopper works good now and should going forward without getting any updates to it.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
    Yes I saw it too, I guess these things can happen with small companies. But I've read that it's pretty bloated, apparently it uses about 700MB of RAM, no thanks.

    No problem and let us know the results.
     
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,271
    Location:
    Hollow Earth - Telos
    Mine has about 72 MB of Ram.
     
  14. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    Hi Baldrick,

    I totally agree with all of your points. AppCheck is the solution I chose and have been using happily for more than 1 year on all of my systems. Its incredibly light on resources, excellent protection and good value too (especially with the 2 year subscription I purchased). The recommendation from Rasheed187 really helped too.

    Between one thing and another I never got around to providing the results of the testing to everyone sooner. Please find them below. I realise these are of reduced usage now due to the time that has past but they were an accurate reflection of some leading anti-ransomware tools against some really tough ransomware.

    Thanks again everyone for helping me make the right choice.

    ===============================
    My testing results from September 2019:

    Products tested:
    Please note that these tools are primarily targeted at client rather than server systems. All tests were carried out on Windows 10 Version 1903, 64 bit, unless otherwise noted. Please check the license before deploying in a commercial environment:


    Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

    Cyberreason RansomFree (discontinued: November 201:cool:

    CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

    Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

    Heilig Defense RansomOff: https://www.ransomoff.com/

    ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

    Further notes:
    • What started out as some research on which product was the best for my needs resulted in the information I posted here.
    • All of this testing was carried out on air-gapped Windows 10 Version 1903 and Windows 7 virtual machines. The ransomware samples never had access to real systems and no other systems were unaffected by my testing. The ransomware samples have since been deleted.
    ================
    Malware Tested:
    Locky
    Spora
    Petya (Sample A)
    Petya (Sample B)
    Cerber
    GandCrab (v5)
    NotPetya
    WannaCry

    ================

    Key:
    Pass: All ransomware removed and all encrypted files recovered
    Inconclusive: Sometimes the encrypted files were recovered, sometimes they were not
    Fail: Ransomware was not removed, files not recovered or system was no longer bootable


    Link to screenshot of results:
    https://imgur.com/DpH101S

    ================
    My thanks to the following sites for making these malware samples available:
    www.kernelmode.info
    www.virusign.com
    github.com/ytisf/theZoo
    gist.github.com/vulnersCom
    YouTube User: Def: https://www.youtube.com/watch?v=_A2zBtCsiKI
    ================
     
    Last edited: Oct 12, 2020
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,585
    Location:
    South Wales, UK
    Nice info...kudos...:thumb:
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
    Thanks for the test results, better late than never LOL. And how come most of the tools failed to block NotPetya, did you report this to them? Actually, I now see AppCheck failed to protect on a Windows 7 system, what's the difference?
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,515
    Location:
    Paris
    CJ- Although AppCheck is a nice app and it is fun to watch encrypted files being (mostly) restored. Also impressive is the ability to catch ransomware that will drop spawn and autorun upon Windows reboot.

    But please note that it is not proof against all forms of ransomware. Your results may have been a bit different by running things that utilize untypical mechanisms like Troldesh, Locky Assassin, MirCop. and various LoLbin ransomware.
     
  18. CJ7168

    CJ7168 Registered Member

    Joined:
    Jun 17, 2015
    Posts:
    8
    Location:
    Ireland
    You're welcome Baldrick.

    @Rasheed187:
    Most of the tools either didn't detect NotPetya or would would detect it but upon rebooting the system; the system would either display the black and red text ransom note before Windows booted or the system would simply not boot; displaying just a blank screen. Where the system wouldn't boot I still marked it as a fail. While using the Windows Recovery Environment along with the following commands would make the system bootable again; not all users are going to know to do this.

    Bootrec.exe /FixMbr
    Bootrec.exe /FixBoot
    Bootrec.exe /RebuildBcd

    I didn't report this to each of the tool vendor; I just didn't have the time. What started out as some research on which product was the best for my needs, quickly took up hours of my time documenting results and setting up repeatable tests of each ransomware sample.

    AppCheck like many other of the tools didn't protect on Windows 7 since the system was unbootable upon restarting. As I said above, I marked that as a fail even though a technical user can recover from it. I admit this approach may be unfair.

    Agreed, AppCheck is an excellent app. You're absolutely right; its not perfect against all ransomware. I admit my results are a point in time snapshot of some ransomware samples and do not necessarily represent all samples past, current and future.

    I'm currently not aware of the mechanisms you listed but I will research them since I like this area of ransomware research.

    Thanks again everyone.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    This won't work for NotPetrya. NotPetya also encrypts the MFT rendering all your files useless.

    Ref.: https://www.crowdstrike.com/blog/pe...e-encryption-mft-encryption-credential-theft/

    https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

    There appear to be some backup utilities that can backup the MFT separately. Other than that, your only recourse is to restore from a full image backup. Also restoring the MFT is questionable since it is constantly being updated. Anything installed after the MFT backup would still exist and would reference files that would not exist in the MFT or have been physically moved from locations shown in the MFT after restoration. Ref.: https://hetmanrecovery.com/recovery_news/ntfs-file-system-structure.htm

    -EDIT- I should add that minor MFT corruption can be repaired using chkdsk: https://www.stellarinfo.com/blog/fix-corrupt-master-file-table-error/ which I believe would not work when the entire MFT is encrypted.

    The next method to deploy would be:
    https://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair

    I believe NotPetrya also encrypted MFT mirror backup file.
     
    Last edited: Oct 13, 2020
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
    OK thanks, but this only happened on Windows 7 if I understood correctly, when it came to AppCheck. It's a bit weird because AppCheck does protect against MBR modification.

    So you're saying that AppCheck fails against these ransomware variants? Luckily I block automatic running of LOLBins via EXE Radar so this should cover it I assume.

    https://lolbas-project.github.io
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
    BTW, cruelsister can you take another look at NeuShield, would you recommend it?

    https://www.neushield.com
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,515
    Location:
    Paris
    Hi Rasheed! I took NeuShield Data Sentinel (free) for a quick dance and consider it quite nice for what it is. For those not familiar with this product, they state:

    "does more than just detecting and blocking ransomware attacks. We’re the only anti-ransomware technology that can recover your damaged data from malicious software attacks without a backup. Data Sentinel uses Mirror Shielding™ to protect files ensuring that you can instantly recover your important data from any ransomware attack."

    Upon installation (which was done on a system with the bare minimum of resources, mimicking the biggest piece of junk one can imagine) the main application as well as a Service were created, neither of which were memory/CPU intensive. No tweaking of any sort was needed (nor possible).

    The protection is specific for the usual suspects (the Folders- Documents, Music, Pictures, Desktop, Contacts, Games, Videos). Upon running diverse ransomware, although encryption occurred (remember this is not an anti-ransomware application), all files were able to be restored by opening up the GUI and clicking Revert for each of the folders and all the encypted items were deleted. The exception to this was some files (esp. executables) that were trashed by the malware were put into the Trash bin upon reverting (not a big deal).

    NeuShield does also have intrinsic protection against ransomware that mess with the MBR and this works well and prevents such manipulation. Unlike the Home and Biz versions, the free version does not have the ability to restore Windows System files, and although they say that all versions have: "Boot Protection Prevents ransomware from making your system unable to boot" I can assure you that it did not work against a little cuties that I coded especially to test this.

    Finally, it is important to note that NeuShield will NOT protect files in Folders outside of those that I listed above, so this can be problematic with Fortress Class malware (those that will trash files of any type anywhere).

    But other than that a rather interesting application that will coexist nicely with other security apps if one feels that their current setup may be lacking.

    m
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,360
    Location:
    The Netherlands
    Thanks for the review, I really appreciate it. So from what I understood it doesn't actually try to stop ransomware from encrypting files, but it's basically a file recovery tool. I'm not sure what to think of it, perhaps it can be used as an extra layer on top. But it also doesn't protect all folders, that's a bit weird.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,515
    Location:
    Paris
    R- To clarify, NeuSield is in no way an anti-ransomware application at all. Any malicious file that can encrypt will encrypt. However those files that are encrypted can be restored as long as they are in the specific protected folders. This is not uncommon for such protection modalities and can leave one with a false sense of security.

    Personally when I test such things I will create an odd directory (like C:\1) and plop some files that are normally victimized in it (doc, jpg, txt) to check if they are encrypted and if they can be restored. So with NeuShield a photo of your dearly departed GrandMother can be restored if it was encrypted within the "My Photos" directory, but will be lost if you happen to save it in the "C:\Granny's Photos" directory.

    But NeuShield still will be of value if a systems primary malware defense is sub-optimal against encryptors. As an example (and sadly a hot topic on Wilders) is SpyShelter. Although SS will not protect (free or paid) from the likes of Killar, Maze or Xdata, with NS also installed trashed files can be restored.

    M
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,037
    Location:
    Europe
    Are you saying Spyshelter should not be used because it's ineffective?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.