App Review A RansomOff Quickie

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94


Thanks again @cruelsister for identifying issues with RansomOff. We tried to re-create your test with the samples we could find based on the names in the video. Couldn't find a Pocrimcrypt sample and the RAA we found didn't seem to do anything other than open a Word doc but Revenge and CTBLocker helped to identify a few gaps in coverage that we now fixed.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
I think I may see the issue between our findings. When I started to make videos, I made a decision to stay with the predominant Windows OS (currently 7) AND use the lowest common denominator version of it, that being 32 bit.

And I will bet that you used 64 bit (the uninstall process in 32 bit gives away an issue). If you wish to check, forget about the malware and just run Seamonkey (and should the Honeypots remain in this version?).

M
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
This is really odd, then (I'm using build 7576). Once again. not even considering malware, when Seamonkey is opened it will be held by RansomOff for about 30 seconds before the alert popup comes up. On uninstall there is a message within the uninstall box "there were errors removing all RamsomOff components". I tried this with both RansomOff on, and with RansomOff exited. By first exiting RansomOff, the uninstalling all goes fine; leaving RansomOff active and then going into the uninstall routine upon reboot Ransomoff is still active on the system.

If I have a chance this weekend I'll set up a new Win7 system and also try it on Win10. But for now, loft Party time...
 
  • Like
Reactions: Der.Reisende

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
The uninstall error message could be more descriptive. And there are two issues really.

First, if you try to uninstall with RansomOff running, the self protection features will prevent the uninstall program from removing the various files and registry entries associated with RansomOff. So it will throw that message.

If you uninstall with RansomOff closed, basically the drivers can't be removed from the stack until reboot. So the uninstall was technically successful in removing references to RansomOff even though the drivers will remain in memory until reboot. We'll work on making it more clear. Thanks for the tip.

After some more investigation it does look like SeaMonkey can still throw an alert. We'd be remiss to say that RansomOff will never cause a false positive. That's part of the reason we built in an exemption list. You make the point in your video about decreasing heuristics for "legitimate" software but the name of this whole game is trying to identify "legitimate" software vs malicious. What's really legit and what's not? If it was that easy then malware wouldn't be a problem. So we'll keep tweaking the detection heuristics to decrease any false positives but no algorithm will ever be perfect.
 
Last edited:

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Just to clarify the issues, please check your PM. Hope you like Michael Doucet.
 
  • Like
Reactions: Der.Reisende

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Just to clarify the issues, please check your PM. Hope you like Michael Doucet.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top