Trend Micro RansomBuster will stop Ransomware by protecting sensitive folders

Discussion in 'other anti-malware software' started by clubhouse1, Oct 27, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Welcome @TrendMicro and thanks for the feedback on RansomBuster. I somewhat suspected it was a full anti-ransomware solution.

    We are all presently awaiting our resident ransomware tester, @cruelsister, to test RansomBuster and see how effective it is.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I was just reading a recent review of the full Trend product at PC Mag and noticed this:
    https://www.pcmag.com/article2/0,2817,2468796,00.asp

    And RansomBuster does the same:
    The folder name change is important and one to consider if using Win's Controlled Folders solution. Does it do likewise?

    As far as AV Lab tests of Trend against ransomware, MRG's last 360 test rated it the same as Eset with both receiving a 2% failure rate. I assume MRG didn't factor in the recovery procedure for these failures or these samples totally bypassed it?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Just saw this comment posted on Windows Club:
     
  4. TrendMicro

    TrendMicro Registered Member

    Joined:
    Oct 31, 2017
    Posts:
    3
    Location:
    California
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Thanks for the info, so it's more advanced than I thought. I assume that it will even stop white-listed/trusted processes from encrypting files? And what flexibility does the platform provide? I still don't understand why it has to be this big; I mean, it's not the full suite, right?
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    Brook- On the TM RansomBuster website it states: "RansomBuster provides protection against all forms of ransomware". Do you feel this may be a bit aggressively worded? It is, after all, a very diverse World...

    Second- As any antiransomware product should afford protection against file encryption anywhere on the system, do you guys feel the two folder protection max meets this requirement?

    Meghan

    (ITMan- As I know that you (as I) have a fondness for ps scriptors, just wanted to let you know that RansomBuster has further utility outside of the ransomware area. For giggles I tried a few Powershell Info Stealer scripts and was happy to see the drops prevented. The detection of CreateProcessWithCommandLine was a surprise. Again, nothing to do with ransomware protection, but interesting nonetheless).
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Now to those Mimikatz memory based attacks such as downloading Powershell and script to memory and executing it from there. Or again, Mimikatz memory based .Net execution of Powershell assemblies.
     
  8. TrendMicro

    TrendMicro Registered Member

    Joined:
    Oct 31, 2017
    Posts:
    3
    Location:
    California
    Hi Meghan,
    We feel that RansomBuster showcases our ability to protect a user's most valuable data. Trend Micro has been protecting data for almost thirty years. Although we are not as well known as some other consumer security brands, we have some very effective technology that we leverage from our enterprise business in our consumer products. We have been keeping a close eye on all forms of ransomware and have released this free tool to help stop the bad guys from holding innocent people's precious memories or data hostage. We hope you will put it through your own tests and let us know what you think!

    Best,
    Brook
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    B- Thank you for your response! Indeed TM has a long and respected track record in the Enterprise arena, and any shortcomings that may be found in RansomBuster should be understood not to reflect poorly on either TM's Corporate or Home products.

    I should have a video out this weekend (the Wilders TOS precludes a direct link to videos made by Riff-Raff).

    M
     
    Last edited: Nov 2, 2017
  10. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    It updated automatically upon bootup this morning.
    Can't tell which version I was running, and what it's up to now since there is no "about" in the program. (neither on the tray icon right click)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    What about my question?

    Wow, nice find. :thumb:
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    FYI - @cruelsister has done a test for RansomBuster and it is posted on her uTube web site. In summary, RB is not ready for "prime time" controlled folders protection. It does offer some ransomware protection but is deficient against the advanced strains. Also unless I missed something in the video, it does not provide default .exe lockdown against the protected folders by non-allowed processes?

    @cruelsister I just wanted to give you kudos on the quality of your videos. The text explanations along with the deliberate slowness of the tests greatly add clarification to what the tests are doing.
     
  13. plat1098

    plat1098 Guest

    Yes, I also have to say based on that video: it only allows up to two folders. If connection to its cloud is disrupted or broken, then you get considerably downgraded detections plus (big plus), other non-protected folders on the drive will naturally be encrypted--the CTBLocker being an example.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    No. When the Internet connection was disconnected, CTB-Locker was able to encrypt the protected My Documents folder. If this solution employed "default deny" to a protected folder, that should not have happened.
     
  15. plat1098

    plat1098 Guest

    Yes, even worse, the coup de grace @itman. As soon as I saw the other folders get encrypted regardless, I moved on--get something more comprehensive, for real. That video was an eye-opener.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I was also not impressed with RansomBuster, thanks for testing @ CS.
     
  17. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Is Malwarebytes Anti-Ransomware beta any better?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    If you're looking for a free solution, you might want to check out RansomOff. There's a thread on it on Wilders. Also many Wilders folks seem fond of it.
     
  19. guest

    guest Guest

    TrendMicro Ransom Buster: Windows ransomware protection
    https://www.ghacks.net/2018/01/15/trendmicro-ransom-buster-windows-ransomware-protection/
     