RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Man that ransomware is nasty, very bad stuff.

    Turned loose with Mamba, Matrix, and some others. Ugh

    You guys deserve a huge nod in formulating something on this order to take this stuff on straight up.

    It can't possibly be the easiest of projects by looking at others efforts to formulate anti-ransom solutions.

    @all members and HeiDef.

    Would it be at all a bit more useful to place the delete/allow on auto start detections on the same corner alerts box instead of "Go To Alerts"?
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    That's doable but with it being a toast message, it's really just designed to say "hey something happened but look or click here for more info." But we can modify things a bit to maybe streamline the process. Good suggestion. Thanks.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
I encountered a different result in testing ShellLocker that escaped attention (the logs were jammed with alerts and REQUIRED scrolling), and on boot-up for some reason it engaged as Svchost w/ elevated privilege icon :eek:

Thinking it might be a bit safer for the user to cancel a rogue start-up as soon as it's recognized by RansomOff SIGNAL, since this is a MANUAL OPTION.

    Not sure how that drop evaded capture but ended up where it was detected in alert logs.

    What a nice new feature list BTW.
    Some personal favs that stand out on this end.

    • Added application lockdown mode with confirmation for newly executed processes.
    • Added icons to indicate folder protection status.
    • Added per-folder toggling from folder protection window and taskbar menu with reboot persistence.
    • Added removable drive awareness to folder protection.
    • Added main protection toggling from taskbar menu.
    • Added taskbar icon change to indicate status.
    • Added ability to deny, deceive and make read-only for root folders.
    • Tied startup notifications in with exemption list and added easy exemption of processes that caused the notification.
    • Added alert message filtering and cleanup.
    • Expanded self-protection mechanisms.
    • Fixed installer issue of only showing the 'Program Files' directory. <-Thanks
    • Minor bug fixes.
    • Updated documentation.
    • Many thanks to the Wilders Security and MalwareTips communities for continued feedback and support.
     
    Last edited: May 20, 2017
  4. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    I'm running Windows 10 Pro X64 1607. Security packages: Windows Defender and SecureAplus Freemium. I'm going to test it with SecureAplus disabled and let you know the results.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hang in there cloggy49.

    These guys LISTEN to issues, take them seriously, and do their dead level best to iron out conflicts that might be cause for interference.

    Pulling for you that it gets resolved soon. You're a real champ at getting at it for HeiDef to look at and possibly work out the findings and a solution for it to your satisfaction.

    We all hit issues with beta projects, some are minor, others missed, and yet others clash with some other part that stalls us out for awhile.

But these guys really lay into it and can hopefully resolve that for you soon. Fingers crossed. It's easy to tell you're just as eager as all of us to make the most of the program and have it work as expected.

    Cheers.
     
  6. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
    I've done some more testing with SecureAplus de-installed but I had the same results.
I have the impression that with New Process/Exempt Windows processes, MS Edge and Outlook 2016 do start immediately; other processes cause the system to hang (so much that I had to press the Reset Button after several minutes, as I could not even start the Task Manager to kill some processes).

During my testing and the necessary re-boots, I noticed that the App Lockdown option remains enabled despite the documentation stating that the setting does not persist through a reboot.

@EASTER: no problem for me to help these guys as they do a magnificent (to mimic Trump: "they do a great, very great and fantastic") job and are extremely responsive (why don't we see this more often??). I think the App Lockdown option needs some more homework but I'm sure they'll figure out what is going wrong... :).
For now, I leave that option disabled but keep using the program, and I don't re-install SecureAplus as I think that they will find the solution very quickly, so I don't need SecureAplus anymore at all...:)
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Great work.

    FWIW I had to re-add my folder protections.
     
  8. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
...just one small suggestion: maybe you should change the Lockdown icon with the Folders icon (it makes more sense to me if the Lockdown icon is a padlock).
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting, how to spot the difference between a fake and a real explorer.exe, or is that classified information? Also, isn't it a good idea to alert only if non-system apps try to run explorer.exe and svchost.exe in suspended mode? If you block that, then I assume process hollowing can't be performed.

    The reason I ask is because way back I used a HIPS that could spot rapid file modification and deletion, but it would also give alerts when explorer.exe performed those actions, which was of course triggered by the user. The only way to solve it was to trust explorer.exe, and that's exactly what helps ransomware. And most HIPS are bad in detecting process hollowing, once the exploited and hollow process is already running.
     
  10. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    RansomOff failed against XData ransomware at MalwareTips forum - Click


    Containment: VMware Workstation 12.5.6 build-5528349
    Guest/OS: Windows 7 Pro x86 SP1
    Product: Heilig Defense RansomOff 5.2017.139.8295 (Beta) - Default settings
    Static: N/A
    Dynamic: 0/1 (was waiting for 2-3 minutes but still no alert from RansomOff)
    Files encrypted: Yes
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You have to be logged in to see that thread. But a bit of a bummer, I wonder why it couldn't be stopped. I mean, is there anything special about this sample? Perhaps you can also test it against HMPA and RansomFree.
     
  12. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    That's unusual. We tested against the same sample and it alerted right away.

    https://www.ransomoff.com/img/screenshots/xdata.png
Obviously something we'll work on though to figure out why his test failed.
     
  13. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I didn't test
    It was not my test.
Looks like Cybereason got lucky with this one; it protected the PC:

    Containment: VMware Workstation 12.5.5 build-5234757
    Guest/OS: Windows 10 Home v1703
    Product: Cybereason RansomFree 2.2.7.0
    Static: N/A
    Dynamic: 1/1
    Total: 1/1
    Files encrypted: No
    System Final Status: Clean

     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks. Sorry you lost your folder info though. Hopefully not too much to re-add.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Sorry again but definitely appreciate the testing and feedback. We are looking into a few things that may be causing this issue. Just quick question though. When the slowdown started, were you doing a lot of file activity things or was the CPU already under heavy load?
     
  16. cloggy49

    cloggy49 Registered Member

    Joined:
    Oct 6, 2015
    Posts:
    93
    Location:
    The Netherlands
Actually, I wasn't doing anything but clicking on an icon to open an application... I'm now running with App Lockdown disabled and the system runs fine and is responsive (as it always was).
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    No issue at all. Was just to let you know.
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
We know it wasn't but appreciate you posting and letting us know. Obviously, even though our test showed success, it's not a good thing that Evjl's Rain's test did not, so we'll definitely look to see where the failure was and make changes as necessary.
     
  19. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
Thanks. We were just curious if we had a bottleneck in our processing code, which could be possible under certain heavy IO conditions. But if that's not the case, back to the drawing board.
     
  20. mWave

    mWave Guest

Well, the first indicator to look at would be the file path the program is executing from... You can make a comparison to check if the process called "explorer.exe" is really executing from its original path, and if there is more than one copy of "explorer.exe" executing then you can investigate more also. You can also verify code signing certificates in the case of explorer.exe being replaced on disk.

    If you want to block dynamic forking then you'll have to work with API hooking really and this is a con on 64-bit systems since user-mode patching methods can be easily bypassed through system calls. Hook the following functions: NtSuspendThread; NtGetContextThread; NtReadVirtualMemory; NtAllocateVirtualMemory; NtWriteVirtualMemory; NtSetContextThread; and NtResumeThread. You can also hook a function called NtUnmapViewOfSection however not all malware authors use this function, some work with manual relocation since the function doesn't even always work.

    Since RansomOff is an anti-ransomware and not a BB/HIPS system it would probably not be a good investment of their time to focus on process hollowing prevention since they don't rely on user-mode patching for their monitoring which means even if a program has been affected by process hollowing which is attempting to encrypt files, the product can (and probably will) still identify the encryption attempt regardless - plus due to KPP they cannot even securely implement such protection since if they use user-mode hooking it can be bypassed pretty simply. Unless of course they have an exclusion system for specific programs, then in that case if a trusted program was process hollowed then it'd be game over... Then again, this is a problem with firewalls even today. I guess the simple solution is to just be careful and not be click happy to avoid any problems in the first place!

The best idea I can think of which would suit this product would be a feature that prevents programs from opening handles to trusted programs if the requesting program is not also trusted. This means that if an Adobe process is trusted then it can open a handle to chrome.exe; however, if hello.exe or lol.exe (two programs which have not been whitelisted) attempt to open a handle to chrome.exe or explorer.exe (two trusted programs) then it will be blocked. This could be implemented via kernel-mode callbacks, but even then I think it can cause confusion and might not be needed.
    ----
    @HeiDef nice updates, I might test out RansomOff soon! :) keep up the good work I like this product based on what I've seen so far :)
     
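A concrete version of the path, duplicate-instance and parent checks described in the post above, added here as an illustration; it is not RansomOff code and not code posted by mWave. It runs over a constructed process snapshot (the entries below are made up) and flags an explorer.exe or svchost.exe whose image was not loaded from its expected system location, a second running copy of explorer.exe, and (my extension beyond the post) an svchost.exe whose parent is not services.exe. A real tool would take the snapshot from the live system and additionally verify the Authenticode signature of each image, which this offline example does not do.

```python
"""Heuristics for spotting a masqueraded explorer.exe / svchost.exe.

Added example, not part of the original thread or of RansomOff. The process
snapshot below is constructed for illustration, not captured telemetry.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str   # image name as shown in the process list
    path: str   # full path the image was loaded from


# Expected on-disk locations of the commonly impersonated system binaries
# (normalised to lower case, so the comparison is case-insensitive).
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe",
                    r"c:\windows\syswow64\svchost.exe"},
}

# explorer.exe normally runs once per interactive session; on a multi-session
# host this count would have to be done per session rather than machine-wide.
SINGLETONS = {"explorer.exe"}

# Extension beyond the post: svchost.exe is always started by services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def find_suspicious(procs):
    """Return a list of findings; each finding is a dict with pids and reason."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)

    for p in procs:
        name = p.name.lower()
        if name in EXPECTED_PATHS and _norm(p.path) not in EXPECTED_PATHS[name]:
            findings.append({"pids": [p.pid], "name": name,
                             "reason": "unexpected image path: " + p.path})
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != EXPECTED_PARENT[name]:
                findings.append({"pids": [p.pid], "name": name,
                                 "reason": "parent is not " + EXPECTED_PARENT[name]})

    for name in SINGLETONS:
        if counts[name] > 1:
            dup = [p.pid for p in procs if p.name.lower() == name]
            findings.append({"pids": dup, "name": name,
                             "reason": "%d copies running" % counts[name]})
    return findings


# Constructed snapshot: a legitimate services.exe/svchost.exe/explorer.exe
# chain plus a second explorer.exe and an svchost.exe dropped into %TEMP%.
SAMPLE = [
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1234, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4321, 1234, "explorer.exe", r"C:\Users\bob\AppData\Local\Temp\explorer.exe"),
    Proc(4400, 4321, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE):
        print(f["pids"], f["name"], "-", f["reason"])
```

On a real host the same checks would be fed from the live process list and combined with an Authenticode check of each image path; a process that passes all of them can still have been hollowed in memory, which is the point HeiDef makes in the next post.
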
  21. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
Any process can be hollowed. I think the default for Metasploit is to spawn a malicious notepad instance. So while explorer or svchost are the preferred targets, they aren't the only options.

But smart detection is all about context. It's easy to just block everything, but that's not usable in a real-world environment. So if you have the right monitoring in place and can make connections between activities, then you can make assumptions about the process's integrity.
     
  22. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Thanks mWave. Looking forward to seeing what you find when you start testing.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
@HeiDef - Is the test which bypassed only performed with the latest release? Seen this happen time and again with other beta products before.

While XDATA may have escaped (this) version, could results be different with previous Beta ones? That's why I always like to test earlier versions when a new version sees a bypass.

New functions were introduced, so in the changes there might exist a new gap to locate and correct.

You guys are Developers, and confidence is it will be discovered soon and fixed. :)

In mention of my own post early above: only (1) ByPass in testing this latest release against FilecoderFV + ShellLocker, whose "persistence" made it (svchost.exe, aka ShellLocker) spawn through reboot with no Alert.

    PS: Only left a desktop full of scramble named files to fill Icon Empty Spaces, seen no other Desktop Folders affected and no tamper with files within same desktop folders.

     
  24. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Greetings/Salutations!

    Posts that I am looking back over
    218,219,224,225,250,251,253,255,257,258.

    RansomOff Documentation
    https://www.ransomoff.com/docs.php

    @HeiDef.
Could you do a short video on how to set up RansomOff with Sandboxie, Shadow Defender, Windows Defender etc...
From installing RansomOff to adding the above security software.

On updating RansomOff, do you install over the existing software? And/or do you uninstall and then reinstall?

    https://www.youtube.com/watch?v=0-IjrYNUvxk

    https://www.youtube.com/watch?v=JWDdxpUF1hA

    Kind Regards,

    Moose
     
    Last edited: May 20, 2017
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
May I offer some other clue, if it can be of some help.

On my tests the Alert Window on detection experiences delay after the ransomware is already showing within the Active Process List, i.e. Process Explorer/Process Hacker etc.

Hence my mention of the earlier Hades Locker test where spawned files were captured/terminated but Hades Locker (main executable) persisted in the Process List for some reason, unhindered. Who knows what it is thinking to do next?

Perhaps, if possible, can the Alert Box be made to activate and come out to the user much sooner?

Maybe the GUI alert box size is delaying its printing to screen for display? There is already a corner box pop-up PROMPT to do with Active Window Focus.

Some samples, once clicked, seem to already be working in the background before the user sees the alert to DENY the ransomware process. More cleverly coded ones might be able to evade being SUSPENDED? I am no Developer so can only speculate about what is seen happening before Process Terminations.

    My tests were done only on Windows 10

    Hope some of these local findings might indicate areas for more study in your lab. We really like to help :)
     
    Last edited: May 20, 2017