RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    Thanks Shmu, glad to hear that.

    I downloaded what was supposed to be 2.1.1.0 from Snapfiles and got 2.1.0.0. So I just now downloaded from the Cybereason website and also got 2.1.0.0.

    So I wonder if they found a problem with the update and rolled back?
     
  2. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Did you try this:

    https://www.upload.ee/files/6476885/CybereasonRansomFree.msi.html
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    the link from @Djigi worked fine for me
     
  4. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    Naw. If they removed the new version from the official site for some reason, I assume there may be a problem with it and I'm afraid to try it.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    so install the old version, then. It ain't so bad. If it automatically updates to the new version, that is the answer to your question.
     
  6. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    It's installed. :) That's how I know what version it is, I didn't see a version number on the installer. When I right click on the tray icon and tell it to check for updates nothing happens. I may need to clear it through TinyWall.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    From your screen shot, appears only some files were encrypted on your N drive. Suspect those might be the honeypot files?
     
  8. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    Added an exception for the .exe to TinyWall, still doesn't seem to do anything when I check for updates. Still shows 2.1.0.0.
     
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    No, look files on left.
    All accept .exe files are encrypted.
    Honeypot files are hidden.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Because Cybereason pull back v2.1.1.0, for unknown reason.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Ok, I see it now. Ransomware encrypted .doc, .txt, etc. but left .exe, .html, etc. alone.
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Only .exe is left.
    This html are encrypted "OSIRIS" - this is not legit file
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    4,614
    Location:
    DC Metro Area
    The installer for the new version is clearly marked with the new version number.

    Dunno if you meant you didn't look or you looked at the installer and it wasn't there :)
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    v2.1.1.0 is back on their website...

    Code:
    https://ransomfreedownload.cybereason.com/CybereasonRansomFree.msi
    Same installer checksums... :thumb:
     
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Looks like it could be another Invincea,Sophos, etc. That is neither good or bad, just more or less unknown. The one thing they all have in commom is you have to sign up for a demo
     
  17. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    What I meant was that it wasn't on the name of the installer (CybereasonRansomFree.msi), and I'm not in the habit of looking at the properties unless I suspect a reason to, I just assumed I was downloading the new version and didn't find out otherwise until I installed.
     
  18. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    BTW, it is now downloading 2.1.1.0. Don't know why it seemed to be pulled for a while.

    I had to download the installer to find out, the check for update feature still doesn't seem to be doing anything for me, no indication it's even checking that I can see.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Looks like a pre-beta soft, immature but promising, at least for me. I like the behavior monitoring approach they have developed plus its light weight light impact.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    In regards to this software failing to prevent non-boot local drives from being encrypted, I refer back to something Fabian W. posted previously:

    But several high-profile families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author
    @Djigi, do this as a test. Create your non-boot drive test folder with test files contained within prior to installing Cybereason anti-ransomware. Then install Cybereason and verify that honeypot files were created the test directory of the non-boot drive. Finally, test with the ransomware you have been using. I strongly suspect that Cybereason will now detect the ransomware on the non-boot drive.

    My gut is telling me that the ransomware is ignoring the honeypot directories created on non-boot drive. Since you previously created a test directory after Cybereason was installed, no honeypot immunization files were created in that directory enabling the ransomware to encrypt them. This test would also prove that there is a flaw in the software; it doesn't immunize newly created directories -or- perhaps a reboot is required to do so?


     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    But RansomFree does not creates honeypots within directories. Just into drives' root, afaik.

    Edit: I'm wrong. I can see honeypots within Documents folder. :cautious:
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    What you are suggesting to Djigi is exactly how I tested it. It failed. Frankly I don't like this honeypot concept. HMPA doesn't use it and it's Cryptoguard is doing a good job.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Neither do I. Those honeypots are really big, around 400 ~ 500 MB. Now, if they are not dropped in USB sticks, like mine, and ransomware decides to encrypt those USB sticks first?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    OK. Didn't know you tested this way.

    I agree that using file honeypots is a "brute force" solution. And an inefficient one at that with up to 2 GB of disk space wasted.

    Also worth noting is that security permissions on non-boot drives by default are very weak as noted by the below screen shot. Authenticated Users are anyone with logon capability.

    Non-Boot_Drive_Permissions2.png
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Seems they're connected with Lockheed Martin, Cybereason seems to be a quality security software company...."

    look at my post number 4.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.