RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    What Is RansomOff?

    RansomOff is a free, signature-less, endpoint security solution designed to do one thing: stop ransomware dead in its tracks.

    Signature-less Protection Against Any Threat

    Because RansomOff is completely signature-less, the underlying ransomware family is irrelevant. No level of code obfuscation is enough to prevent RansomOff from detecting and stopping ransomware before it has a chance to cause damage.

    https://www.ransomoff.com/

    Not tested by myself, but seems good.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,400
    Location:
    U.S.A.
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,213
    Location:
    Paris
    Give it time to mature (a lot of time...).
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Any feedback yet either way?

    I D/L it and usually test these "without" SD so as to get a full effect feel of just how stable or not it is fresh out of the beta box.

    System is not a production platform but security testing grid for just these things.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Can you give some more info? Does it protect all partitions and does it successfully block the most popular ransomware?
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,213
    Location:
    Paris
    I really have to wait until the next build comes out to be fair. If you go to their website and attempt a download you will see: "We are making a few changes. Please check back often".

    So as soon as the new build comes out (as long as it actually can be installed properly, something with which there have been major issues for Win 7/8/10) I will add it to my current Ransomware series.
     
  7. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    513
    Location:
    U.S. Citizen
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Looking forward to the tests.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,213
    Location:
    Paris
    Done. When viewing remember that as RansomOff is still in Beta, I was trying to be helpful and not mean.
     
  11. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    Hi @Rasheed187, I'm the author of RansomOff. Right now the MBR protection is per drive, not per partition. So if you have multiple partitions on a single physical disk, only the first one will be protected. However, we are currently looking into adding multi-partition protection.
     
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    24,555
    Location:
    U.S.A.
    HeiDef, welcome to Wilders!
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Welcome to the forum HeiDef!

    Thanks for being here.
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    Thanks. Hope we can add value to this forum.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Thanks for the info. But to clarify, I wasn't really talking about the MBR protection, but most ransomware variants try to encrypt files on all partitions, so does RansomOff protect against this? And can you perhaps make a list of the ransomware that it will currently block? Also, I don't expect a 100% success rate with these kinds of tools.

    It failed against which sample exactly? And what about other samples, did it successfully block those?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    @HeiDef - Can you brief us on what separates your program the most from others developed lately in this ever-growing battle on ransomware with its encrypt techniques?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,198
    Herein is the real weakness of all of this software. Anything less than 100% is failure. And in some cases even 100% may be failure if your machine is left infected.
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    Got it. Yes RansomOff protects all lettered drives which includes fixed, removable and networked.

    RansomOff does not use signatures so it is agnostic to ransomware families or variants. Packing and other code obfuscation has no impact on RansomOff's detection. It's strictly behavior based. Thanks to folks like @cruelsister and others over at malwaretips, we've been refining the detection heuristics to make sure it provides as complete coverage as possible. Admittedly it does throw false positives every now and again, as seen with SeaMonkey in @cruelsister's latest video but that's a small price to pay if it blocks actual ransomware. And that's part of the reason we built in an exemption list to handle those situations.

    We don't have a list of every family and variant it can block but it is highly effective against a wide range of families. It did very well with Evjl Rain's initial test over at malwaretips and the issues identified with that have since been fixed. @cruelsister threw some awesome samples at it and again, we've been refining to make sure our heuristics cover these behaviors. We'll be releasing a new build later tonight that fixes script-based attacks such as RAA which failed in that test.

    All in all, if you really want to get a sense of its effectiveness I suggest opening a VM and start throwing ransomware at it. Your feedback will be much appreciated as we develop RansomOff and eventually get it out of beta.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,198
    Do you have a download link for latest beta?
     
  20. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    The nice thing about ransomware (if you can say that) is that the behaviors that can be observed are generally very distinct from normal software operations (in most cases). Therefore, to identify potential ransomware you look for certain file operation patterns. This is the basis for any signature-less anti-ransomware solution. The differentiator is how that observation and subsequent identification occur.

    We haven't examined how other anti-ransomware solutions work so it's tough to say exactly how RansomOff is different than others. But RansomOff implements a number of detection strategies, from deception to malware modeling, to identify these patterns and behaviors. Some strategies are more effective than others but taken together can be highly reliable in identifying bad behavior.

    Besides that, RansomOff is also free and most that contain MBR protection have a cost to it.
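
The behavior-based approach described in posts #18 and #20 (file-operation patterns, deception, an exemption list for false positives), as an added example that is not RansomOff's code and not part of the thread. The event tuple format, thresholds, decoy path and process names are all constructed assumptions; the `seamonkey.exe` exemption mirrors the false positive mentioned in post #18.

```python
from collections import defaultdict, deque

# All values below are constructed for illustration (assumptions, not product settings).
DECOYS = {r"C:\Users\demo\Documents\!decoy.docx"}  # bait file no real program should touch
EXEMPT = {"seamonkey.exe"}                          # user-approved false positive
WINDOW_SECONDS = 10
BURST_THRESHOLD = 5                                 # distinct files changed inside the window
CHANGE_OPS = {"write", "rename", "delete"}


def detect(events):
    """events: (timestamp, process, op, path) tuples in time order.
    Returns {process: (reason, distinct files changed before the alert)}."""
    recent = defaultdict(deque)   # process -> (timestamp, path) still inside the window
    touched = defaultdict(set)    # process -> every file it has changed so far
    alerts = {}
    for ts, proc, op, path in events:
        proc = proc.lower()
        if proc in EXEMPT or proc in alerts or op not in CHANGE_OPS:
            continue
        if path in DECOYS:        # deception: any change to a bait file is an alert
            alerts[proc] = ("decoy", len(touched[proc]))
            continue
        touched[proc].add(path)
        window = recent[proc]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:   # drop events older than the window
            window.popleft()
        if len({p for _, p in window}) >= BURST_THRESHOLD:
            alerts[proc] = ("burst", len(touched[proc]))
    return alerts


def sample_events():
    """Constructed file-event records: two suspicious processes, three benign ones."""
    docs = "C:\\Users\\demo\\Documents\\"
    ev = [(i, "invoice.exe", "write", f"{docs}report{i}.xlsx") for i in range(5)]
    ev += [(20, "wscript.exe", "write", docs + "a.txt"),
           (21, "wscript.exe", "rename", docs + "!decoy.docx")]
    ev += [(30 + i, "winword.exe", "write", docs + "thesis.docx") for i in range(8)]
    ev += [(40 + i, "seamonkey.exe", "write", f"{docs}cache{i}.tmp") for i in range(9)]
    ev += [(100 + 30 * i, "backup.exe", "write", f"{docs}report{i}.xlsx") for i in range(5)]
    return sorted(ev)


if __name__ == "__main__":
    for proc, (reason, lost) in detect(sample_events()).items():
        print(f"{proc}: {reason} alert after {lost} file(s) changed")
```

The second element of each alert is the number of files already changed when the heuristic fired, which is the cost of detecting by behavior rather than before execution.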
     
  21. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,885
    A fresh beta of RansomOff (v5.2017.97.7576 - timestamp April 07, 2017) is available there:
    Edit: a newer beta-version will be published soon.
    Edit 2: RansomOff (v5.2017.98.6378) (Beta) - #27
     
    Last edited: Apr 9, 2017
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    We haven't uploaded it yet. It's going through final regression testing now. Hopefully in the next hour or so. We'll post a notice once we do.
     
  23. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    That's from yesterday. The new version will be 5.2017.98 or 99 (depending on when it's finished).xxxx.
     
  24. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    265
    Location:
    Philadelphia
    Not always. Some files are more consequential than others. Losing a few temp files or files in the recycle bin before a detection heuristic kicks in might not be that big of a deal. Obviously it is situationally dependent.

    But there is nothing in the world in any space or area that can guarantee 100% of anything. There are always black swan events or other outliers that completely destroy all previously held assumptions. We don't claim to provide 100% protection. Anyone in the security business long enough knows that just sets you up to look like a fool later on.
     
  25. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,885
    Ok, good to know :thumb:
    For example AppCheck. The option "Protect MBR" is not available in the free version.