RansomFree by Cybereason

Discussion in 'other anti-malware software' started by Blackcat, Dec 19, 2016.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,635
    I think so.
    But if you don't have the honeypot files on it, the "main detection method" doesn't work for this stick.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I really don't like this honeypot thing. Whether the file is hidden or not, it's sucking up lots of space.

    Can some one explain the concept?
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    4,614
    Location:
    DC Metro Area
    Peter:) From reading your earlier posts in this thread, I believe you are not asking what he concept is, but rather are questioning it's validity. But FWIW:

    The concept is that the honeypot folder names start with characters like ~ or ! . The concept, which my be flawed, is that because they are low on the ASCII table they will be scanned first by ransomware. RansomFree monitors these files, and whenever they change, it detects the originating process and pauses it. At this stage, RansomFree also shows a prompt, asking the user if he wants to stop the source process, or allow it to continue to execute.

    The possible flaw in the concept, at least according to Fabian Wosar of Emsisoft ,in an earler post in this thread, is that "... several high-profile [ransomeware] families don't encrypt files in the order they appear on disk, but the order they are deemed most valuable by the ransomware author and that whole narrative falls apart at that point."

    <a href="https://www.wilderssecurity.com/threads/ransomfree-by-cybereason.390786/#post-2639605">RansomFree by Cybereason</a>

    It is not clear to me from the Cybereason Website whether or not the product includes any other "behaviorial analysis" component.
     
    Last edited: Dec 26, 2016
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    'As you guessed, our main detection method is indeed honeypot files and directories, which have a random element. We also have several other detection methods."

    taken from post #115.
    doesn't say what the other methods are though.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks guys. What you have done is convinced me it's a terrible concept. And frankly when Fabian speaks on Ransomware, I listen.

    I have been testing, and I want to do a bit more, but I am becoming convinced that the need for specialty ransom protecting software is getting close to zero.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I believe the "honeypot directories/files" are scattered through the HDD; hence the large disk usage involved. I suspect the are created primarily in directories that ransomware targets like %LocalAppData%\Documents, Pictures, and the like. I also suspect this is the issue with secondary partitions/drives. Although members posted screen shots of honeypot directories created in the root directory of their secondary partitions/drive, I don't know if any honeypots were created in the non-root directories. In any case, the honeypots have strange names with the "~" leading character names being easy to spot by ransomware. Does anyone have legit directory names that begin with "~"?

    Anyone using a HIPS can just create the same files hopefully with a bit more creativity in the naming of same. Then just create a HIPS rule to detect any write activity against the files. Better yet, just create HIPS rules to monitor write activity to %LocalAppData%\Documents, Pictures, and the like. After all, it's not like these files in these directories are being constantly updated ..........
     
  7. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    598
    Location:
    Far East
    Hi

    Want to feedback on v2.1.1.0

    After installing it on my MS Surface Pro 4 the fan keeps on spinning non-stop and my battery drains very rapidly. I then uninstalled it and the fan spinning stops.

    Please look into this. Thanks
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,577
    Location:
    The Netherlands
    I would also like to know what other behavioral monitors this product is using, because when it doesn't see any activity with the honey pot files, it seems to be blind, this is what needs to be improved. This tool definitely has potential.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In thought I feel the honeypot approach is very dangerous.

    Question for URI. Would you install it on your critical business systems without any of your other other endpoint security. I suspect not.
     
  10. guest

    guest Guest

    Of course not, is not intended to replace an AM. So?
     
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,635
    A new version has been released: 2.1.2.0
    Code:
    Cybereason RansomFree 2.1.2.0 (timestamp: 2017-01-01)
    https://ransomfree.cybereason.com/download/
    or:
    https://ransomfreedownload.cybereason.com/CybereasonRansomFree.msi
    
     
  12. guest

    guest Guest

    Is the changelog available?
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,635
    I can't find one
    According to the Q&A, removable media is not protected:
    ----
    Suspect files will be uploaded to their servers:
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Does it still use honeypots?
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Haven't tried. But looking at the version change, it is a minor update. Hence I believe they still using them, for sure.
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    4,614
    Location:
    DC Metro Area
    Yesterday I got a RED MALWARE/SUSPICIOUS BEHAVIOR WARNING pop-up from EMIS 12's behavior blocker, with a recommendation of "Quarantine" that:

    "Cybereason RansomFree is trying to install (I think it was a file) invisibly"

    I didn't know that Cybereason RansomFree did that. It was not a typicall full update and was the first time I had seen that.

    Kinda freeked me out.

    [Yeah I am aware that EMIS is not FP-Free.]

    I Quarantined it because I was not comfortable with it. I then uninstalled Cybereason RansomFree because it was not clear to me what info Cybereason RansomFree was transferring back and forth to and from its servers.

    Subsequently, for an unrelated reason, I did a system restore to a point several hours before that occurrence. After the same version of Cybereason RansomFree (v 2.1.2.0) was again back on my system I have not gotten the same attempt to install invisibly by Cybereason RansomFree. Seems kinda strange. Emsisoft had not whitelisted it in the interim and it is still listed as "unknwon."
     
    Last edited: Jan 3, 2017
  17. guest

    guest Guest

    Probably it was trying to setup one of the hidden honey pots it uses, or it was trying to update itself.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,430
    Location:
    Paris
    I had time so I tried the new version and as you imagine it's Brand New Same Old Stuff. The issue with the product is not only the Honeypot model, but where the Honeypots are placed (it's important!). For example consider DeriaCrypt (the successor to DeriaLocker- nobody has renamed it yet except me). Deria will first look to encrypt the Users directory first, only after this will then seek out other stuff on the drive. So if the honeypots are not located within the users space you are pretty much screwed. That was my theory, anyway.

    In practice when DeriaCrypt is run on a RansomFree system it does indeed trash the Users space (Docs, mp3's 7Z's, exe's etc) within seconds; it then takes about 15-20 seconds to get to the Honeypots on the C drive where RansomFree finally detects and stops it without further damage. But you valuables are long since toast, so who really cares?
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    CS I have seen a lot of software you have tested but am wondering if you have tested appguard as of yet?

    sorry for off topic.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    That is shocking!

    By default; Documents, Pictures, Downloads, and Video folders are stored in the each User's directory. I also have always assumed this would be indeed the first place ransomware would begin its encryption activities.
     
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    A Waterloo disaster, caused by a flawed design.
    That was to be expected.

    I'd like to see an updated review by CS, about HMP.A
    I guess HMP.A will do it right.
     
    Last edited: Jan 3, 2017
  22. guest

    guest Guest

    All this is based on your expectations or have you actually test it against dariacrypt?
     
  23. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,430
    Location:
    Paris
    I thought that was clear- Yes, it was my expectation that such a bypass could occur and one I confirmed by running DeriaCrypt which acts in the way that was needed for this confirmation.
     
  24. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    Links to so called "youtesters" are not allowed on wilders forum....

    Anyway, if you like to watch the very interesting and competitive reviews of Cruelsister, search y-tube for cruelsister1

    Get your kicks there!
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    4,614
    Location:
    DC Metro Area
    @UriCybereason :)

    What is the "data" that Cybereason RansomFree downloads invisibly to a user's PC between new versions o_Oo_O?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.