RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Thank You so very much HeiDef for your answer and explanation.

    Very looking forward to your program refinements and subsequent release soon.
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    We just uploaded version 5.2017.98.6378 (Beta) to our site (https://www.ransomoff.com)

    With this update, RansomOff now provides script based ransomware protection. We also fixed some uninstall issues that were reported as well as general bug and stability fixes.
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Exactly, it might be helpful if users could suggest any security software is 100% effective as an example rather than stating the obvious:rolleyes:
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    "CLICK"
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    This thing doesn't install, it just flashed a command prompt and stopped.
     
  6. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Sorry to hear you're having trouble @EASTER. It's likely you do not have the correct .NET version installed. RansomOff requires at a minimum 4.5.2. Please check to make sure you are running at least that version and let us know if you are still having problems. And from your avatar you're running Win8.1, correct? Would you let us know what architecture as well? 64 or 32 bit? Thanks.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Yep. That's the issue.

    Will get that puppy on board and have another try. Thanks for the rapid response on this.

    Running Windows 8.1 x64

    EDIT: NICE GUI btw. Appreciate the simplicity of it.
     
    Last edited: Apr 9, 2017
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    If I can make a few comments:

    1). In addition to MBR encryption protection RansomOff also has MFT encryption protection (i.e. the Petyas).

    2). Not often is a developer so quick to change things in the attempt to provide maximum protection. Very often Developers will ignore criticism, or will demand detailed explanations from the critic before any action of improvement is taken. Helig actually has shown me that they have the "eyes to see" (sorry if I'm being cryptic), which is admirable.

    3). It's nice when a developer actually wants people to be nasty to their product (which is right up my alley).

    I don't mean to start a LoveFest, but often one must call a spade a spade...
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Since you asked:

    For my external drives: Protected by Pumpernickel (Fides). Yet to find anything to break it.
    For my C: drives: MZWriteScanner, AppGuard, SBIE and ERP AND hourly images, so C: can be restored close to any infection. Also auto backup of critical data on program close.

    Tested and hasn't failed.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    OK thanks, sounds good to me. The reason why I accept that 100% security is not possible is because these types of tools try to stop ransomware in stage 2, that is when files are about to get encrypted. But in stage 1 they will try to perform other things, and this can be stopped with HIPS/behavior blocker. Tools like RansomOff are the last line of defense.
     
  11. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    That's a good way to put it although the line between stage 1 and stage 2 for a lot of ransomware is very blurry to non-existent. They just get right in and start encrypting without attempting the stealth or persistence that HIPS type software can pick up.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,787
    New beta-Release:
    RansomOff v5.2017.105.5336 (Beta)
    Edit: newer beta (14 Apr)
     
    Last edited: Apr 14, 2017
  13. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA

    Thanks for keeping up to date with our releases. We just posted 5.2017.105.5336 (Beta) that fixed some stability and performance issues that were recently encountered.
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    You guys sleep less than I do...
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Some of us do work long and strange hours but it's easier to think when everyone else is asleep. Plus we really want to make sure we get RansomOff stable and fix the issues that people have been nice enough to bring to our attention.
     
  16. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    309
    Location:
    Bulgaria
    Does the MBR protection include also the VBR as well?
     
  17. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    388
    Location:
    Arlington, VA
    Not yet. The MBR protection is per physical disk. We have not extended it yet to individual partitions but are working on that.
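    To make the MBR-versus-VBR distinction in the question and answer above concrete, here is an added example (not RansomOff's code, whose internals the thread does not describe): it parses a constructed MBR, lists where each partition's VBR sits on the physical disk, and shows that a guard fingerprinting only sector 0 cannot see a VBR being overwritten, while a per-partition guard can. The simulated disk, the partition layout and the `read_sector` callback are all assumptions made for the demo.

```python
import hashlib
import struct

SECTOR = 512             # classic sector size
PT_OFFSET = 446          # partition table starts here in the MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for the demo (not a real disk image):
    zeroed boot code, two NTFS partition entries, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable NTFS partition starting at LBA 2048
        (0x00, 0x07, 206848, 409600),  # second NTFS partition
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff",
                                        ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries; each partition's first sector (its VBR) is at 'vbr_lba'."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0:
            continue                      # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "vbr_lba": lba, "sectors": count})
    return parts

def protected_sector_map(sector0: bytes) -> dict:
    """Sectors a per-physical-disk MBR guard watches (LBA 0 only) versus the extra
    sectors a per-partition guard would also have to watch (each partition's VBR)."""
    return {"mbr": [0], "vbr": [p["vbr_lba"] for p in parse_mbr(sector0)]}

def sector_fingerprint(read_sector, lbas) -> dict:
    """Baseline SHA-256 per sector; read_sector(lba) -> bytes is supplied by the caller."""
    return {lba: hashlib.sha256(read_sector(lba)).hexdigest() for lba in lbas}

def detect_tampering(baseline: dict, read_sector) -> list:
    """LBAs whose current content no longer matches the baseline."""
    return sorted(lba for lba, digest in baseline.items()
                  if hashlib.sha256(read_sector(lba)).hexdigest() != digest)

def demo() -> dict:
    """Simulated disk (constructed): dict of LBA -> 512-byte sector. Overwriting a VBR
    is invisible to a guard that only fingerprints LBA 0."""
    ntfs_vbr = b"\xeb\x52\x90NTFS    " + bytes(SECTOR - 11)   # jump + OEM id, rest zero
    disk = {0: build_sample_mbr(), 2048: ntfs_vbr, 206848: ntfs_vbr}
    read = lambda lba: disk[lba]
    cover = protected_sector_map(disk[0])
    mbr_only = sector_fingerprint(read, cover["mbr"])
    with_vbr = sector_fingerprint(read, cover["mbr"] + cover["vbr"])
    disk[2048] = bytes(SECTOR)   # simulate the first partition's VBR being overwritten
    return {
        "partitions": cover["vbr"],
        "mbr_only_detects": detect_tampering(mbr_only, read),
        "with_vbr_detects": detect_tampering(with_vbr, read),
    }

if __name__ == "__main__":
    print(demo())
```

    On a real system the `read_sector` callback would read raw sectors from `\\.\PhysicalDrive0` with administrative rights; the point of the demo is only that the VBR of every partition lives at its own LBA and needs its own baseline.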
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I have never actually tested ransomware, so you're probably right. But based on what I've read, they do not always start encrypting straight away, isn't it true that most of them need outbound access and try to inject code (process hollowing)? If you block that, I believe the encryption doesn't even start, but I might be wrong. So then you do indeed need tools like RansomOff and RansomFree.
     
  19. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    309
    Location:
    Bulgaria
    Thank you for the reply and keep up the good work! :)
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Rasheed- Ransomware may act by various mechanisms even within the same family. As a rule of thumb, those ransomware strains that come as Scriptors (JScript, VBS, etc) will need to connect to the internet to download and then run the actual encrypting payload. Some will come self-contained and will not need network access at all.

    As a theoretical example, just say you see a video published later today that has 9 ransomware files to be run. Although the tester may have not wanted to go into detail, only 5/9 actually had to download the payload from command. Further, only 1 of 3 Cerbers acted via process hollowing, as well as something like Matrix. Other types of malware will mimic stuff whose vector is malvertising (like an hta), whereas others may need to act via an exploit like doc files. Lastly there are some ransomware strains that I personally term "Fast Encryptors" that will start to operate as soon as the file is activated. The purpose of ransomware like this being included in a test is to distinguish anti-ransomware products that hold files in abeyance before allowing them to proceed (thus stopping all file encryption) from products that will act only when the encryption process is detected. In the former case one will be totally protected; in the latter case some files (but not all) may be encrypted.

    So as you can see, ransomware is a very fertile ground of mechanisms, but the one thing to note: in most video reviews you may see that the tester chooses ransomware by name and not mechanism. This is a grave mistake as there is a bunch of script kiddie stuff that actually works by the exact same mechanism but will have differing ransom screens (popups) that will give the malware a name. So it's critical that one knows this as one may see 10 different names all being Brand new Same Old thing.

    On the other hand one may occasionally see a review done by a person both Brilliant and Beautiful where mechanisms are paramount and will highlight the various protection mechanisms afforded by a given product.

    Hope this overly long Post helped.

    M
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    OK thanks, so this is what HeiDef was talking about. If they immediately start to encrypt and don't have to perform other stuff then HIPS won't help if it hasn't got protection against rapid file modification. So a tool like RansomOff will surely come in handy, and it's also nice to see that the developer is trying to fix flaws and that you (CruelSister) are quite positive about it.
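    The two posts above describe the difference between "Fast Encryptors" that begin encrypting the moment they run and products that "act only when the encryption process is detected", and the "rapid file modification" heuristic such products rely on. The following added example (not RansomOff's or any other vendor's code; the thresholds, process names and event stream are constructed for illustration) shows the core of that stage-2 detector: per-process sliding-window counting of distinct files rewritten with high-entropy content.

```python
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits near 8.0, plain documents far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RapidWriteDetector:
    """Flag a process that rewrites many distinct files with high-entropy content inside a
    short window. Thresholds are illustrative assumptions, not any product's real settings."""

    def __init__(self, window_s: float = 2.0, max_files: int = 10, min_entropy: float = 7.0):
        self.window_s = window_s
        self.max_files = max_files
        self.min_entropy = min_entropy
        self.history = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts: float, pid: int, image: str, path: str, written: bytes):
        """Feed one file-write event; return an alert dict the first time a pid crosses the threshold."""
        if shannon_entropy(written) < self.min_entropy:
            return None                      # ordinary saves (text, office docs) do not count
        q = self.history[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                      # slide the window forward
        distinct = {p for _, p in q}
        if len(distinct) >= self.max_files and pid not in self.alerted:
            self.alerted.add(pid)
            return {"pid": pid, "image": image, "files": len(distinct), "at": ts}
        return None

def run_sample() -> list:
    """Constructed event stream (not captured from real malware): a word processor saving a
    document, a backup tool writing a few archives slowly, and an unknown process that
    rewrites a dozen documents with ciphertext-like content within about a second."""
    LOW = b"Quarterly report, draft 3. " * 40        # plain text, low entropy
    HIGH = bytes(range(256)) * 4                     # every byte value equally often: entropy 8.0
    events = [(0.0, 100, "winword.exe", "C:\\Users\\u\\Documents\\report.docx", LOW),
              (0.5, 300, "backup.exe", "D:\\backup\\a.zip", HIGH),
              (15.0, 300, "backup.exe", "D:\\backup\\b.zip", HIGH),
              (30.0, 300, "backup.exe", "D:\\backup\\c.zip", HIGH)]
    events += [(1.0 + 0.1 * i, 200, "unknown.exe", "C:\\Users\\u\\Documents\\f%d.docx" % i, HIGH)
               for i in range(12)]
    det = RapidWriteDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        alert = det.observe(*ev)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

    Note what the sample shows about the limitation discussed above: the alert fires on the tenth high-entropy write, so a fast encryptor has already rewritten nine files before the process is flagged, which is exactly the "some files (but not all) may be encrypted" outcome for products that react to the encryption itself rather than holding new executables in abeyance. The slow backup tool never trips the window, which is why the rate matters as much as the entropy.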
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Speaking of Cerber, it's currently the most popular ransomware; here's some more info:

    https://www.malwarebytes.com/pdf/labs/Cybercrime-Tactics-and-Techniques-Q1-2017.pdf
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That was a good tip from Sophos. Change the default on what opens .js files to notepad and that is the end of that. Works.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    I've been doing this since the last M$ Platform. Simple dimple as pie to shut off .js
     