RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,021
    Location:
    Christchurch, UK
    A new anti-ransomware product: https://ransomfree.cybereason.com/

     
    Last edited by a moderator: Dec 19, 2016
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,493
    Blackcat, have not seen you around for a while. Where have you been hiding?

    Anyway, the website is very pretty. Have you tried this program out?
     
  3. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,021
    Location:
    Christchurch, UK
    @boredog
    enjoying retirement.

    Trying it out now. Lightweight but I will leave it to the experts to see how effective it is.
     


  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,493
    I retired in June myself so have way too much time on my hands now. You most likely don't remember me by my current username but I can tell you I was here in the 90's on dialup even if my original profile shows me joining 2002.
    I just installed it in Shadow Defender and will see how it goes. Sounds like they managed to get a bunch of funding.

    http://fortune.com/2015/10/13/cybereason-softbank-raise/

    Would be nice to see cruelsister test this one out. We tried to get her to test Cylance but no go.

    "The software gathers usage data across a computer network and cross-checks that activity to discover deviations from the norm. If enough suspicious boxes are checked, Cybereason raises a flag."

    I just wonder what they mean by usage data?
     
    Last edited: Dec 19, 2016
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,021
    Location:
    Christchurch, UK
    Agree.

    Or RejZoR now that he is over at MalwareTips testing antimalware programs recently.
     
  6. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,394
    Location:
    Hollow Earth - Telos
    Demo: Cybereason RansomFree blocks ransomware from encrypting files
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,005
    They seemed to have forgotten that machines can have more than one drive. My VM has two disk drives, with a folder of identical files. The c: drive files were protected, but all the e: drive files were encrypted. Tested two samples with the same results. Plus it said if there was a warning about encryption that would have to be cleaned manually. They have a long way to go.
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    8,903
    Location:
    England
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,074
    Location:
    UK
    New software, I'm sure it will develop, I doubt Emsisoft was the perfect faultless AV on first release.
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    834
    Location:
    Germany
    Actually, that comment was more about the common narrative that it is somehow okay if just a few documents are encrypted. A whole bunch of products have this flaw. Yes, if it encrypts some random files, you may get lucky and it hits some files that are useless to you and everything is fine and dandy. But several high-profile families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author and that whole narrative falls apart at that point.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,005
    On this I disagree. It was clear to me that they never thought to test on a system with multiple drives. And I totally agree with Fabian. Any system that accepts a few encrypted files is flawed.
     
  12. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,074
    Location:
    UK
    Hopefully cruelsister will test it, I'll await her more respected thoughts :)
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,991
    Location:
    U.S.A.
    From the BleepingComputer link Stapp posted previously:

    "According to a test performed by Bleeping Computer's Lawrence Abrams, under the hood RansomFree works by creating randomly-named folders throughout the filesystem that act as honeypots.

    These folder names start with characters like ~ or ! because they are low on the ASCII table and thus will be scanned first by ransomware."

    I am fairly confident that by now ransomware developers have analyzed and identified honeypot file characteristics and are bypassing them.
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,166
    Location:
    Paris
    Club- I have one done, just have to upload it. My apology in advance for the length.
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    500
    Location:
    Croatia
    One question for you CS, did you add 2nd drive/partition in your test?

    Can't wait to see it.
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,166
    Location:
    Paris
    No- I didn't see the need. Although the first place I would look is outside of the User space (which I've done on occasion); some products (Group Policy based) will only protect Personal Folders while leaving other things in other places wide open to be screwed with. But only if a given product provides perfect protection for Documents, Photos, etc. is there a need to look elsewhere (was that a Spoiler Alert?).
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,005
    Hi CS

    In this case you might want to. I always look to all partitions as I have 3 internal drives. So I tested in a VM with 2 drives, 2 identical folders on each one. The C: drive was protected, while the 2nd drive's files were all encrypted. That's a flunk o_O

    Pete
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,991
    Location:
    U.S.A.
    Cybereason web site clearly states that they not only protect local but also network/shared drives:

    "Protection From an Array of Ransomware Attacks

    RansomFree protects against local encryption as well as the encryption of files on network or shared drives. The encryption of shared files is among the doomsday scenarios an organization can imagine. It takes only one employee on the network to execute ransomware and affect the entire company."

    Software appears to be "not ready for prime time" anti-ransomware protection.
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,166
    Location:
    Paris
    Peter- Files getting messed up elsewhere (other than Users) is actually pretty common. But often there is no need to dwell on this as such products must first protect the prime targets of ransomware- and for me the product must prove it could walk before I care to see if it could run (if you catch my drift).

    Itman- The company does need to mature in a number of areas. I'm surprised SoftBank threw them the cash in the Series C round last year. They certainly weren't going to get it from us.
     
  20. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,074
    Location:
    UK
    Are these honeypots necessarily the same on all computers, or are they randomly created for each installation?
     
  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    500
    Location:
    Croatia
    Just tested with Cerber.
    Created a 2nd partition and added the same folder and files inside as the one on the desktop.
    Files are:
    • jpg
    • png
    • excel
    • pdf
    • word
    • txt
    Files on Z: drive are encrypted

    Clipboard01.jpg
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,991
    Location:
    U.S.A.
    Appears the company's other products are highly rated as noted here: https://www.cybereason.com/cybereason-earns-perfect-scores-in-sc-magazine-review/

    I suspected this freebie anti-ransomware offering is more of a publicity thing to get a lot of free security press for the company. It is probably fair to say as time goes by and with a lot of free debug labor from end users that will ensue, the product will improve. Like I said previously, it just presently is not ready for "prime time" anti-ransomware protection.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,005
    Well, frankly the results I got that Djigi confirmed just tell me it's not yet a product. Everything else I've tested protects all the disks.
     
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,585
    I agree. It should protect all disks, not only Documents\Pictures located on C:
    Some work is still needed.
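
Added example, not part of the thread and not Cybereason's code: a Python audit that checks whether every volume root carries a decoy folder of the kind described in the BleepingComputer quote above (names starting with ! or ~), which is the coverage gap testers here reported on second drives. The directory layout is constructed, and treating a decoy folder with no files as ineffective is an assumption of this example.

```python
import os
import tempfile

# Prefixes taken from the BleepingComputer description quoted in the thread.
DECOY_PREFIXES = ("!", "~")

def decoys_in(root):
    """Map each decoy-style folder directly under root to its file count."""
    found = {}
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False) and entry.name.startswith(DECOY_PREFIXES):
                found[entry.name] = sum(1 for f in os.scandir(entry.path) if f.is_file())
    return found

def audit(roots):
    """Classify each volume root as 'covered', 'empty-decoy' or 'missing'."""
    result = {}
    for label, root in roots.items():
        decoys = decoys_in(root)
        if not decoys:
            result[label] = "missing"        # no decoy folder on this volume
        elif not any(decoys.values()):
            result[label] = "empty-decoy"    # assumption: a decoy needs bait files
        else:
            result[label] = "covered"
    return result

def build_sample_volumes(base):
    """Constructed layout: directories standing in for three drives."""
    layout = {
        "C:": {"!Xq7Lm": ["a.docx", "b.jpg"], "Users": ["notes.txt"]},
        "E:": {"Backup": ["a.docx", "b.jpg"]},       # no decoy at all
        "Z:": {"~Tk2Pw": [], "Photos": ["c.png"]},   # decoy without bait files
    }
    roots = {}
    for label, dirs in layout.items():
        roots[label] = os.path.join(base, label[0])
        for dirname, files in dirs.items():
            os.makedirs(os.path.join(roots[label], dirname))
            for name in files:
                with open(os.path.join(roots[label], dirname, name), "w") as fh:
                    fh.write("sample")
    return roots

def run_demo():
    with tempfile.TemporaryDirectory() as base:
        return audit(build_sample_volumes(base))

if __name__ == "__main__":
    print(run_demo())
```

On a real host, pass `audit()` a mapping of drive labels to their root paths instead of the sample layout; any volume reported as "missing" has no decoy for the tool to watch.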