Free Anti-Ransomware

Discussion in 'other anti-malware software' started by TerryWood, Jul 16, 2020.

  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    887
    Hi @ Wilders

    I am looking for a Free anti ransomware. My preference would have been for Malwarebytes A/R Beta, but apparently it cannot be installed alongside Malwarebytes Anti Malware Free.

    Could some kind, knowledgeable person help me by suggesting an Anti Ransomware (Free) package of repute?

    Thank you

    Terry
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,595
    Location:
    Slovenia
    I've used Kaspersky Anti Ransomware in the past and liked it. You can check it here: https://www.kaspersky.com/anti-ransomware-tool

    They also have an interactive web version on that site which you can use to check out its features and interface.
     
  3. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    229
    Location:
    Bulgaria
  4. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    71
    Location:
    Poland
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,647
    Location:
    Nebraska, USA
    You don't need a separate anti-ransomware program. Ransomware is just another type of malware. So any decent anti-malware solution will look for and block it. Don't listen to the "marketing" hype that says you need a separate program. It ain't true!

    I use Microsoft Defender (formerly Windows Defender) on all our systems here. But again, any decent anti-malware solution, along with any current browser, and good user discipline will do.

    What you need to do is make sure your operating system and your security program are kept updated. Then you need to avoid risky behavior. That is, don't visit illegal pornography or gambling sites. Don't partake in illegal filesharing. And most importantly, don't be "click-happy" on unsolicited downloads, links, attachments and popups.

    Note that by far, most malware infections, including ransomware, occur by the user, ALWAYS the weakest link in security, being tricked into clicking on something that then lets the malware in. So user discipline is essential - and this is regardless of your anti-malware solution of choice. If you get an email from your bank and you did not initiate the email exchange with the bank, DO NOT click on any link in that unsolicited email. Instead, visit your bank directly via your normal methods and bank URL address. Same with any email that comes "out of the blue" (unsolicited) that wants you to follow some link. Just delete the email.

    I do recommend everyone have a secondary scanner on hand just to make sure the primary scanner (regardless which one) or you, the user, did not let something slip by. And I recommend Malwarebytes for that.

    Last, make sure you use unique passwords for all your important sites (use a password manager - don't write them down). Change the default passwords and passphrases for your router and wifi access and set good strong, hard to guess ones.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,784
    Location:
    USA
    I'm going to mostly agree with Bill here, but add that on top of all of that I do daily incremental images. Keep them stored offline and/or create them with an account that is separate and only for that so nothing else has write access to them.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,647
    Location:
    Nebraska, USA
    Yes - having a good, robust backup plan, and using it, is always essential. But I will add again that that is regardless of your security solution of choice.

    But since mentioned, I will expand on that. A good, robust backup plan involves keeping "multiple" backups with at least one being "off-site". That off-site location can be the cloud, at a friend's or relative's house, or in a bank safe deposit box.

    Keeping the only backup(s) on an external drive that sits on your computer desk will NOT protect you if your house burns down, is flooded, blown away by a tornado or hurricane, or if a bad guy breaks into your home and steals your computer and your backup drive too.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,085
    Location:
    Under a bushel ...
    +1 for AppCheck. Updates regularly, silent - no issues. But I have never encountered ransomware, and would regard AppCheck really as a warning system.

    Image backups (Macrium Reflect) and also folder / file backups (Bvckup 2), protected by Heilig Defense (developer also of shelved RansomOff) Folderfication, or Excubit's Pumpernickel if you are comfortable without GUI, then copied (with Bvckup 2) and kept offline is the best, if not only, real solution.
    (All italicised softs highly recommended; MR also has its own optional Image Guardian protection, but I prefer using Folderfication, as I want to protect all my connected backups, not just images).

    Edit: Apologies, only MR and I think Pumpernickel (FIDES) have limited free versions.
     
    Last edited: Jul 18, 2020
  9. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    887
    Hi @ Everyone

    Thanks for the information, very useful. Keep them coming. I learn something every time.

    Terry
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,923
    Location:
    The Netherlands
    I would also advise AppCheck, it's very stable and hardly uses any resources. Make sure to disable the anti-exploit component, because I believe you are already using MBAE. It's true that a good AV like Win Defender should be able to block at least 99% of all ransomware, but you never know when it might fail. Better be safe than sorry. :thumb:

    I always remind myself of the infamous CCleaner attack in 2017, hackers could have easily spread ransomware on millions of machines if they wanted to. It's likely that a dedicated anti-ransomware tool would have done a better job in detecting this than for example Win Defender, especially if zero-day malware is involved. Chances that such a sophisticated attack would ever happen to Piriform/Avast? Slim to none, yet it did happen, if you catch my drift. But yeah, making backups is very important, I should do it more often.

    https://www.helpnetsecurity.com/2017/09/18/hackers-backdoored-ccleaner/
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,458
    Location:
    Paris
    When considering a dedicated anti-ransomware solution, please keep in mind that the new wave in ransomware coding has become more complex but at the same time a great deal simpler by the incorporation of LoLBins. Depending on how these would be coded, a fast encryption variant could be (and has been) created that would overwhelm the protection afforded by AppCheck.
     
  12. RangerDanger

    RangerDanger Registered Member

    Joined:
    Apr 30, 2018
    Posts:
    100
    Location:
    Boston
    Contrary to popular belief, average computer users are not under attack by anything. How many do you know that know nothing about computers and get taken down by an attack of any kind?
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,647
    Location:
    Nebraska, USA
    ^^^THIS^^^

    How true! And this is due in very large part because, starting with W8, and even more so in W10, Windows (with its built in security AND auto-update features) is much more secure and harder to hack than previous versions of Windows. Additionally, users are getting more "security aware". For these reasons, hackers have been concentrating more and more on corporate/government/organization networks.

    When it comes to home computers these days, it is extremely difficult for bad guys to use brute force to get in. So instead, they rely on socially engineered methods of malware distribution. That is, they rely on the gullibility of humans by tricking them to click on unsolicited links, attachments, popups and downloads. That is, they put on a pretty face in the hopes the user will open the door and invite the bad guy in. So don't be "click-happy". Keep Windows and your security current.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,085
    Location:
    Under a bushel ...
    Thanks for the heads up @cruelsister.

    Not strictly anti-ransomware, but a test by you of new Folderfication (vs. Pumpernickel (FIDES), for example) would be interesting?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,923
    Location:
    The Netherlands
    No surprise, not even dedicated anti-ransomware tools can provide 100% security. Hopefully they will add protection against so-called LOLBins. AV remains most important of course, but an extra lock on the door is always nice to have. :thumb:

    Yes, I think we can all agree on that. But that's why I used the CCleaner attack as an example. Lucky that the hackers weren't interested in home users, but they could have spread ransomware or any other malware on millions of PCs. If they used "zero day" file-less malware, it's likely that AVs would have missed that, they couldn't even spot the backdoor LOL.

    But tools like HMPA and AppCheck are purely based on behavioral monitoring, so in theory they should be able to block even "zero day" malware that is trying to rapidly modify files in a certain way. I believe that's what certain people don't understand, there is a difference between blacklisting and behavior blocking.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,008
    Location:
    U.S.A.
    Ransomware have bypassed both; i.e. HMPA in the form of Sophos Intercept-X. Add to this that HMPA can be troublesome for non-technical users.

    This is not to say both are excellent products. What is being said is nothing security-wise is "bullet proof."

    Actually Kaspersky via its System Watcher monitoring is also very good at detecting ransomware activity after a few files have been encrypted and will auto rollback those files to their original copies. On the other hand, you have to live with the system overhead impacts of running System Watcher constantly.

    In reality, your best protection against ransomware is frequent backups of your files to media that is protected against being accessed by ransomware.

    Finally, unless you're a commercial installation, the odds of you being nailed by ransomware are quite low. Lastly and still constantly being ignored is 90%+ of all malware including ransomware is e-mail based. Therefore that is the area that should have security emphasis.
     
    Last edited: Jul 18, 2020
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,008
    Location:
    U.S.A.
    As an example of not being bullet proof against ransomware is this Win EFS vulnerability published earlier this year: https://safebreach.com/Post/EFS-Ransomware .

    To begin, Win 10 Home users could not be affected since EFS is disabled on those versions. Also Microsoft did eventually patch this vulnerability.

    Of note however is the POC author did notify all major AV vendors about the vulnerability and it appears only a few anti-ransomware vendors. This brings up the question of if anti-ransomware vendors not notified were aware of the vulnerability and issued advisories on mitigation measures.
     
  18. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    199
    Location:
    USA
    While I was setting up my new Win10 Pro 1909 system from an OEI DVD in February, I noticed these connections and wasn't too pleased with that.
    [Image: GW-lsass.jpg]
    EFS was Manual (Triggered start) in Services, so I disabled that as well as blocking lsass.exe in the firewall.

    Just to be sure...
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,008
    Location:
    U.S.A.
    This would not have stopped the EFS ransomware POC.

    The POC programmatically deployed APIs used by EFS. Security products' behavioral analysis would have whitelisted these APIs since EFS is a legit Windows encryption method. Assumed is Microsoft patched this by "tightening" up access to them.

    It still stands the best way to prevent EFS abuse is to permanently disable it via noted registry methods if the feature is not used. This in effect equals what exists in the Win Home versions where EFS is not included.

    Also, this type of abuse is not limited to EFS. A POC for BitLocker was demonstrated here: https://www.blackhillsinfosec.com/bitlocker-ransomware-using-bitlocker-for-nefarious-reasons/ . However, Admin privileges are required for this one.

    I will say that one of the best bypasses of AV/anti-ransomware software was demonstrated here: https://www.nyotron.com/collateral/RIPlace-report_compressed-3.pdf
     
    Last edited: Jul 24, 2020
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,923
    Location:
    The Netherlands
    Yes exactly, there is no such thing as 100% security. But what I was trying to explain is that not all AV's will detect "rapid file modification" once malware is already running in memory.

    For example, Kaspersky and Malwarebytes Premium do monitor this, but I believe that Win Defender does not, even though it does feature a behavior blocker. So tools like AppCheck fill in this gap in case AV fails.

    Actually, feel free to correct me, because it's still not clear to me what exactly Win Defender will monitor. And of course, Win 10 offers "Controlled Folder Access" but it doesn't protect all folders automatically and it's also not fool proof.

    https://docs.microsoft.com/en-us/wi...osoft-defender-atp/client-behavioral-blocking
    https://www.bleepingcomputer.com/ne...led-folder-access-anti-ransomware-protection/
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,008
    Location:
    U.S.A.
    Most dedicated anti-ransomware solutions use "bait" files randomly distributed in user directories targeted by ransomware. Many ransomware employ anti-evasion tactics to defeat the rapid file detection you also mentioned. In other words, ransomware will also encrypt files in a random order and never many in physical sequential order within a directory.

    The effectiveness of an anti-ransomware solution using bait files depends on how closely the random distribution of those match like file encryption distribution being employed.

    Bottom line - ransomware and its detection are a constant "cat and mouse game." As such, security products "behavior" detection really is a bunch of bunk. Your best protection against ransomware is preventing its delivery mechanism from running it. A file backup strategy must be developed and "religiously" followed for corps. It is not a question of if you will be attacked by ransomware but when.
     
    Last edited: Jul 26, 2020
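
The bait-file approach described in post 21, sketched as an added example (not part of the thread and not the code of any product named in it): bait files are planted in randomly chosen directories, checked against a hash baseline, and a helper shows how many ordinary files are touched before the first bait file when files are processed in a given order. The bait file name, directory layout and all function names are hypothetical.

```python
import hashlib
import os
import random
import tempfile

BAIT_NAME = "~accounts_2020.docx"  # hypothetical decoy file name (assumption)

def plant_bait(root, count, seed=None):
    """Write bait files into `count` randomly chosen directories; return {path: sha256}."""
    dirs = sorted(d for d, _, _ in os.walk(root))
    baseline = {}
    for d in random.Random(seed).sample(dirs, min(count, len(dirs))):
        path, data = os.path.join(d, BAIT_NAME), os.urandom(1024)
        with open(path, "wb") as fh:
            fh.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def check_bait(baseline):
    """Return [(path, reason)] for every bait file that is gone or no longer matches."""
    alerts = []
    for path, digest in sorted(baseline.items()):
        if not os.path.exists(path):
            alerts.append((path, "missing"))  # deleted, or renamed to a new extension
        else:
            with open(path, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != digest:
                    alerts.append((path, "modified"))
    return alerts

def files_lost_before_alert(touch_order, baseline):
    """Count non-bait files in `touch_order` that precede the first bait file."""
    for lost, path in enumerate(touch_order):
        if path in baseline:
            return lost
    return len(touch_order)  # no bait was ever touched: nothing would have fired

def demo():
    """Constructed sample tree: 6 folders x 5 documents, bait in 2 directories."""
    root = tempfile.mkdtemp(prefix="bait_demo_")
    for i in range(6):
        os.makedirs(os.path.join(root, f"dir{i}"))
        for j in range(5):
            with open(os.path.join(root, f"dir{i}", f"doc{j}.txt"), "w") as fh:
                fh.write("constructed sample data\n")
    baseline = plant_bait(root, count=2, seed=1)
    with open(sorted(baseline)[0], "wb") as fh:  # stand-in for any unexpected write
        fh.write(b"changed")
    return root, baseline, check_bait(baseline)
```

`files_lost_before_alert` makes the post's point measurable: with few bait files and a non-sequential processing order, the count of files touched before the first alert can be large, which is why offline backups remain the fallback.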
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,923
    Location:
    The Netherlands
    Actually, I believe RansomFree uses the bait approach but tools like AppCheck and HMPA do not. But what I was trying to explain is that at least in theory they should do a better job in detecting a file-less ransomware attack. For example, hackers could have used CCleaner to load ransomware without even having to download files to disk.

    A good behavior monitoring tool would not care if ccleaner.exe or explorer.exe is performing the file encryption, they would see there is something wrong, while certain AV's would likely be fooled because these are trusted processes. Actually this isn't just theory, MRG Effitas has tested Win Defender against file-less malware triggered by exploits in the past, and it didn't do too well.

    https://www.pcmag.com/reviews/cybereason-ransomfree
     
  23. boombastik

    boombastik Registered Member

    Joined:
    Oct 7, 2010
    Posts:
    258
    Location:
    Greece
    I use Windows Defender and app-check.
    It has ransomware protection, boot mbr-gpt protection and exploit protection (no office) for free.
    I use it on more than five PCs with zero bugs. Also the detection rate is very good.
     