RansomOff

Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,069
    Well when I see the new release I will give it a go.
     
  2. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    Hey @imuade

    The website has a list of features (https://www.ransomoff.com). The next release has a few new features so we'll update the website once it is released. And the plan is to keep the home, non-commercial version free.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,500
    Location:
    U.S.A. (South)
    This is quite a statement in a field full of all sorts of promised solutions FOR A FEE etc. and while some offer them promising the moon this one Ransom0ff, really delivers the goods. err, protections.

    And FOR NO FEE.

    Keep it coming Heilig Defense.
     
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    370
    Location:
    Italy
    Ah, OK, I missed that when I visited your website :)
    Very nice indeed, especially since you wanna keep it free :)
    As soon as the stable version is out, I'll give it a try for sure :thumb:
     
  5. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    815
    Location:
    UK
    Great news - I too will give this a try when the new version becomes available, and see how it plays with ZAM and VoodooShield.
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,179
    Location:
    Paris
    Just curious- In the new version under System process protection would this include notification if a file attempts to change the RAS (Remote Access Control) services from default to automatic?

    Such a change can result in Tears (not that a Kind and Gentle person like myself knows anything about it).
     
  7. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    Had to go look at the code to verify but currently it doesn't alert on changes to service attributes other than imagepath. It'd be a pretty simple change to bring the full services key under protection though.
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,179
    Location:
    Paris
    If simple (and I have no clue about that), it would be an excellent addition as no current product would alert to a true Zero Day high quality RAT that activates via the changes in RAS.

    I can see the video now- "Ransomoff tells formerly undetectable RAT to Eat It" (or something similar).
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,500
    Location:
    U.S.A. (South)
    Excellent idea in keeping with the added preventions too. Looking forward to it.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,286
    Location:
    The etherlands
    :D. Dave, something tells me you are onto a good thing and Meghan likes this software.
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,179
    Location:
    Paris
    Paul- I just love how RansomOff deals with those samples that put loads of Text files, jpg's, etc on the system prior to the encryption process. Once RO kills the malware it vacuums up all of the trash files during the CleanUp function. Poof! Gone!

    It never gets old!!!

    (Oh God I think I'm a Geek...)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,069
    I've been playing around with RO, and it's doing a good job. One thing I'd like to see is it handle script files as well as exe's. So far I am impressed.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,500
    Location:
    U.S.A. (South)
    I think for me that is one of the more fascinating and dynamic actions I like most. I come to expect it, always.

    That little tray icon goes into motion totally reversing the dickens out of the junk it dropped. Completely!
     
  14. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    Thanks. But handle scripts in what way? RO is already able to deal with script based ransomware. @cruelsister used a script sample in one of her vids a bit back.
     
  15. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    No worries. I think we all are.
     
  16. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    In addition to the UI redesign, we changed the icon and logo of RO (as can be seen in the video). Unfortunately we don't have an animated task bar icon replacement yet so maybe we'll just keep the current animation in for the time being.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,069
    The Applocker acts like a traditional Anti Executable, and one of them white lists scripts. That's kinda what I had in mind
     
  18. HeiDef

    HeiDef Developer

    Joined:
    Apr 6, 2017
    Posts:
    238
    Location:
    Philadelphia
    That makes sense. In the App Locker case, you're right that scripts themselves are not alerted to but the scripting engines (powershell, wscript, etc) are. Breaking it out as a separate alert is doable though. Thanks for the feedback and glad to finally get you onboard ;)
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,069
    ROFL. You sucked me in. In a good way of course.
     
  20. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,790
    Location:
    Mexico
    :argh:
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,500
    Location:
    U.S.A. (South)
    No matter really HeiDef.

    The underpinnings of the operational functions still work dynamically and quite effectively.

    FWIW, I always have had a small abandonware named filechangealarm and it logs as well as sounds off an audio (of a user's choosing) and it picks up Ransom0ff In-Progress as it cuts the cord of the offending dropper/executable/changes and wet-dry vacs the surface area of leftover junk leaving nothing behind but a normal return to usual PC functions WITHOUT interruptions.
     
    Last edited: Oct 13, 2017 at 10:02 PM
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,582
    Location:
    The Netherlands
    Thanks for the feedback. It is mentioned in the report that RansomFlare is also looking at known malicious behavior that all ransomware trigger, so that should block most variants. I believe RansomOff is doing the same.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,286
    Location:
    The etherlands
    But wait, there's more ... ! :D

    Having the privilege of some compatibility testing the latest version, with HIPS-Lite (and new GUI). Sure is looking good, and stable for me now, after some crashes due to co-existing with some uncommon softs on that machine.

    Hopefully should be released soon.

    Kudos to Dave and team. :thumb:

    Edit: Having an oopsie with App Lockdown, but I'm sure we'll sort it out.
     
    Last edited: Oct 17, 2017 at 1:53 AM
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,179
    Location:
    Paris
    Although I haven't had much time, I did play a bit with RO5 Build 7816 RC1. Especially I was curious how it would do against the Nation State RAT that had gone undetectable for years prior to someone stumbling upon it. I tested RO against the original malware as well as a number of variants, and in all cases was the mechanism detected and blocked. Please understand that this is no trivial result, but actually a detection that had previously bypassed the Best of the Best.

    Second- I must confess that when I heard "HIPS" I thought instead of "FP". I was surprised that my set of stuff that normally cause (and have for RO in the past) HIPS to generate a FP no longer did so.

    So my take so far (in the vernacular): Dave- U guys dun gud.

    M
     
    Last edited: Oct 16, 2017 at 11:53 PM
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,446
    Location:
    South Wales, UK
    Further to what Peter said, likewise for me...just waiting for the new release...to give it a detailed spin...in fact...can't wait.

    Regards, Baldrick :thumb::D