Thank you so very much, HeiDef, for your answer and explanation. Very much looking forward to your program refinements and subsequent release soon.
We just uploaded version 5.2017.98.6378 (Beta) to our site (https://www.ransomoff.com). With this update, RansomOff now provides script-based ransomware protection. We also fixed some uninstall issues that were reported, as well as general bug and stability fixes.
Exactly. It might be helpful if users could suggest any security software that is 100% effective, as an example, rather than stating the obvious.
Sorry to hear you're having trouble, @EASTER. It's likely you do not have the correct .NET version installed. RansomOff requires at a minimum 4.5.2. Please check to make sure you are running at least that version and let us know if you are still having problems. And from your avatar you're running Win8.1, correct? Would you let us know what architecture as well? 64 or 32 bit? Thanks.
Yep. That's the issue. Will get that puppy on board and have another try. Thanks for the rapid response on this. Running Windows 8.1 x64. EDIT: NICE GUI, btw. Appreciate the simplicity of it.
If I can make a few comments: 1) In addition to MBR encryption protection, RansomOff also has MFT encryption protection (i.e. the Petyas). 2) Not often is a developer so quick to change things in the attempt to provide maximum protection. Very often developers will ignore criticism, or will demand detailed explanations from the critic before any action of improvement is taken. Helig actually has shown me that they have the "eyes to see" (sorry if I'm being cryptic), which is admirable. 3) It's nice when a developer actually wants people to be nasty to their product (which is right up my alley). I don't mean to start a LoveFest, but often one must call a spade a spade...
Since you asked: For my external drives: protected by Pumpernickel (Fides). Yet to find anything to break it. For my C: drives: MZWriteScanner, AppGuard, SBIE and ERP, AND hourly images, so C: can be restored close to any infection. Also auto backup of critical data on program close. Tested and hasn't failed.
OK thanks, sounds good to me. The reason why I accept that 100% security is not possible is because these types of tools try to stop ransomware in stage 2, that is, when files are about to get encrypted. But in stage 1 they will try to perform other things, and this can be stopped with a HIPS/behavior blocker. Tools like RansomOff are the last line of defense.
That's a good way to put it, although the line between stage 1 and stage 2 for a lot of ransomware is very blurry to non-existent. They just get right in and start encrypting without attempting the stealth or persistence that HIPS-type software can pick up.
Thanks for keeping up to date with our releases. We just posted 5.2017.105.5336 (Beta) that fixed some stability and performance issues that were recently encountered.
Some of us do work long and strange hours but it's easier to think when everyone else is asleep. Plus we really want to make sure we get RansomOff stable and fix the issues that people have been nice enough to bring to our attention.
Not yet. The MBR protection is per physical disk. We have not extended it yet to individual partitions but are working on that.
I have never actually tested ransomware, so you're probably right. But based on what I've read, they do not always start encrypting straight away. Isn't it true that most of them need outbound access and try to inject code (process hollowing)? If you block that, I believe the encryption doesn't even start, but I might be wrong. So then you do indeed need tools like RansomOff and RansomFree.
Rasheed: Ransomware may act by various mechanisms, even within the same family. As a rule of thumb, those ransomware strains that come as Scriptors (JScript, VBS, etc.) will need to connect to the internet to download and then run the actual encrypting payload. Some will come self-contained and will not need network access at all. As a theoretical example, just say you see a video published later today that has 9 ransomware files to be run. Although the tester may have not wanted to go into detail, only 5/9 actually had to download the payload from command. Further, only 1 of 3 Cerbers acted via process hollowing, as well as something like Matrix. Other types of malware will mimic stuff whose vector is malvertising (like an .hta), whereas others may need to act via an exploit, like doc files. Lastly, there are some ransomware strains that I personally term "Fast Encryptors" that will start to operate as soon as the file is activated. The purpose of ransomware like this being included in a test is to distinguish anti-ransomware products that hold files in abeyance before allowing them to proceed (thus stopping all file encryption) from products that will act only when an encryption process is detected. In the former case one will be totally protected; in the latter case some files (but not all) may be encrypted. So as you can see, ransomware is a very fertile ground of mechanisms, but the one thing to note: in most video reviews you may see that the tester chooses ransomware by name and not mechanism. This is a grave mistake, as there is a bunch of script kiddie stuff that actually works by the exact same mechanism but will have differing ransom screens (popups) that will give the malware a name. So it's critical that one knows this, as one may see 10 different names all being Brand New Same Old Thing.
On the other hand, one may occasionally see a review done by a person both Brilliant and Beautiful where mechanisms are paramount and which will highlight the various protection mechanisms afforded by a given product. Hope this overly long post helped. M
OK thanks, so this is what HeiDef was talking about. If they immediately start to encrypt and don't have to perform other stuff, then a HIPS won't help if it hasn't got protection against rapid file modification. So a tool like RansomOff will surely come in handy, and it's also nice to see that the developer is trying to fix flaws and that you (CruelSister) are quite positive about it.
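As an added illustration of CruelSister's distinction between products that hold files in abeyance and products that act only once encryption is detected, and of the "rapid file modification" protection discussed just above: the Python below (written for this thread; it is not RansomOff code, nor code from anyone posting here) replays a constructed stream of file-write events through both kinds of policy and reports how many files each process had already altered before it was stopped. All process names, paths, thresholds and timings are hypothetical and chosen only to make the two behaviours visible: a "fast encryptor" and a legitimate backup job both trip the rate detector after the same number of writes, a slow writer never trips it at all, while the allowlist gate stops unknown writers before their first change lands.

```python
"""Replay constructed file-modification telemetry through two anti-ransomware
policies: a rate-based detector that acts once encryption-like activity is
seen, and an allowlist gate that holds writes in abeyance from the first one.
All events, process names and paths below are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since the start of the capture
    pid: int
    process: str    # image name of the writing process
    path: str       # file that was modified


@dataclass
class Verdict:
    process: str
    blocked: bool
    files_changed: int  # distinct files already altered before the policy stopped the process


def _burst(start: float, pid: int, name: str, folder: str, n: int, step: float) -> List[FileEvent]:
    """n writes by one process to distinct files, `step` seconds apart (constructed data)."""
    return [FileEvent(start + i * step, pid, name, f"{folder}\\file{i}") for i in range(n)]


# Constructed sample telemetry (hypothetical processes and paths, not real captures).
SAMPLE_EVENTS: List[FileEvent] = sorted(
    [FileEvent(0.0, 100, "winword.exe", r"C:\Users\u\Documents\report.docx"),
     FileEvent(60.0, 100, "winword.exe", r"C:\Users\u\Documents\notes.docx")]
    + _burst(5.0, 300, "backup.exe", r"D:\backup", 8, 0.1)                # legitimate bulk writer
    + _burst(10.0, 200, "payload.exe", r"C:\Users\u\Documents", 12, 0.05)  # hypothetical "fast encryptor"
    + _burst(20.0, 400, "slow.exe", r"C:\Users\u\Pictures", 3, 10.0),      # stays under the rate threshold
    key=lambda e: e.ts,
)
ALLOWED: Set[str] = {"winword.exe", "backup.exe"}   # processes trusted to write protected folders
PROTECTED = (r"C:\Users\u\Documents", r"C:\Users\u\Pictures", r"D:\backup")


def rate_policy(events: Iterable[FileEvent], threshold: int = 5, window: float = 1.0) -> Dict[str, Verdict]:
    """Stop a process once it has modified `threshold` distinct files within `window` seconds.
    Everything written up to and including the triggering event is already on disk."""
    recent: Dict[int, Deque[FileEvent]] = defaultdict(deque)
    changed: Dict[int, Set[str]] = defaultdict(set)
    names: Dict[int, str] = {}
    blocked: Set[int] = set()
    for ev in events:
        names[ev.pid] = ev.process
        changed.setdefault(ev.pid, set())
        if ev.pid in blocked:
            continue                        # writes after the alert are denied
        changed[ev.pid].add(ev.path)        # this write has already happened
        q = recent[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()                     # slide the window forward
        if len({e.path for e in q}) >= threshold:
            blocked.add(ev.pid)
    return {names[pid]: Verdict(names[pid], pid in blocked, len(files)) for pid, files in changed.items()}


def allowlist_policy(events: Iterable[FileEvent], allowed: Set[str] = ALLOWED,
                     protected=PROTECTED) -> Dict[str, Verdict]:
    """Hold every write to a protected folder by a non-allowlisted process, starting with the first."""
    changed: Dict[str, Set[str]] = defaultdict(set)
    blocked: Set[str] = set()
    for ev in events:
        changed.setdefault(ev.process, set())
        in_scope = any(ev.path.lower().startswith(p.lower()) for p in protected)
        if in_scope and ev.process not in allowed:
            blocked.add(ev.process)         # nothing reaches disk
            continue
        changed[ev.process].add(ev.path)
    return {p: Verdict(p, p in blocked, len(files)) for p, files in changed.items()}


if __name__ == "__main__":
    for label, verdicts in (("rate-based", rate_policy(SAMPLE_EVENTS)),
                            ("allowlist", allowlist_policy(SAMPLE_EVENTS))):
        print(label)
        for v in verdicts.values():
            print(f"  {v.process:<12} blocked={v.blocked!s:<5} files_changed={v.files_changed}")
```

The replay makes the trade-off concrete: with a threshold of five writes per second, the rate detector lets five files through before acting on the fast encryptor, and it fires on the backup job just the same (a false positive a product has to manage with its own exclusions), while the slow writer never crosses the threshold and is not caught at all. The allowlist gate blocks both unknown processes at their first write, at the cost of needing an accurate list of which programs may touch user data.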
Speaking of Cerber, it's currently the most popular ransomware; here's some more info: https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
That was a good tip from Sophos. Change the default for what opens .js files to Notepad, and that is the end of that. Works.