HeiDef

From HeiDef
Developer
Verified
I'm the author of RansomOff, so I just wanted to clear a few things up. Also, I definitely appreciate the testing feedback, good, bad or otherwise.

First, as has been shown, RansomOff is not designed to prevent MBR attacks. As was pointed out, that's a different type of attack.

Second, this current version of RansomOff does not restore files; however, that feature will be in a future release. In our full-fledged endpoint security product, Correlate, file restoration is available.

Third, RansomOff will not clean your system of any files or artifacts dropped by a piece of ransomware. If you click 'Deny' when you get an alert, RansomOff will terminate the process but won't clean up. If cleanup is an important feature, it can definitely be added.

Fourth, a lot of ransomware is very buggy, and because of the way RansomOff interacts with it, there may be cases where you will not receive an alert but the ransomware will just hang. In that hung state, the ransomware isn't able to encrypt files, and you will need to kill it via Task Manager.

Either way, good feedback and valuable information I can add to our site to help clear up any confusion.

@Captain Awesome - The sample you linked to is a downloader from what I can tell, not actual ransomware. RansomOff isn't protecting against regular Trojans.

@WinXPert - What DLLs are you missing?

@Amelith - Can you provide some hashes of the sample you tested?
 

Amelith Nargothrond

Level 12
Verified

You can find all the samples I used in the MT vault (except one).
I can remember two of them exactly, but the Locky variant was in one of the malware packages and I really can't remember which one.

The two I remember:
https://malwaretips.com/threads/star-trek-ransomware.69715/
https://malwaretips.com/threads/matrix-ransomware.69553/

Best of luck with RansomOFF! Maybe one day ransomware will disappear because of the efforts of so many people :)
 

HeiDef

From HeiDef
Developer
Verified
Thanks!

And thanks for the reply. So the Star Trek sample is the same as the Kirk sample shown in our one video (Ransomware Rapid Fire). I also tested against the Matrix sample you reference and RansomOff stops it. But something Matrix highlights is that RansomOff, while it kills the offending process, doesn't terminate the whole process tree, so it constantly tries to respawn. That'll definitely be added next release. I'm really most curious about the Virlock sample you said that RansomOff did nothing against. The samples I found at:

KernelMode.info • View topic - Win32/VirLock

were all stopped. Either way, RansomOff is currently Beta so there is room for improvement and will only get better thanks to feedback from people like you.
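As an added illustration of the process-tree gap HeiDef describes above (this is not RansomOff's code), the PowerShell below terminates a process together with every descendant found in a Win32_Process snapshot, then re-checks so a child that relaunches its parent is caught on the next pass. It assumes the PID of the offending parent is already known; 1234 is a placeholder.

```powershell
# Added illustration, not RansomOff's code: stop a process together with every descendant,
# then re-check, so a parent/child pair that relaunches each other cannot keep respawning.
function Get-DescendantProcessIds {
    param([Parameter(Mandatory)][int]$RootId)
    # One snapshot of the process table; Win32_Process.ParentProcessId links child to parent.
    $snapshot = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, CreationDate
    $byId = @{}
    foreach ($p in $snapshot) { $byId[[int]$p.ProcessId] = $p }

    $found = @()
    $queue = New-Object 'System.Collections.Generic.Queue[int]'
    $queue.Enqueue($RootId)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $parent  = $byId[$current]
        foreach ($child in @($snapshot | Where-Object { [int]$_.ParentProcessId -eq $current })) {
            $childId = [int]$child.ProcessId
            # Caveat: PIDs are reused. A "child" older than its recorded parent is an orphan whose
            # real parent has exited and whose ParentProcessId is stale, so it is not ours.
            if ($parent -and $child.CreationDate -lt $parent.CreationDate) { continue }
            if ($found -notcontains $childId) {
                $found += $childId
                $queue.Enqueue($childId)
            }
        }
    }
    return $found
}

function Stop-ProcessTree {
    param([Parameter(Mandatory)][int]$RootId, [int]$MaxPasses = 5)
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        # Collect the whole tree first, then kill the root before its children so it cannot
        # launch replacements while we work down the list.
        $tree = @($RootId) + @(Get-DescendantProcessIds -RootId $RootId)
        foreach ($id in $tree) {
            Stop-Process -Id $id -Force -ErrorAction SilentlyContinue
        }
        Start-Sleep -Milliseconds 200
        # A watchdog child may have relaunched something between snapshot and kill: re-check
        # every PID we targeted and go round again if any survived.
        $alive = @(Get-Process -Id $tree -ErrorAction SilentlyContinue)
        if ($alive.Count -eq 0) { return $true }
    }
    return $false   # tree still alive after $MaxPasses attempts; escalate (isolate the host)
}

# Usage with a placeholder PID for the offending parent process:
# Stop-ProcessTree -RootId 1234
```

The built-in `taskkill /PID <pid> /T /F` does a single-pass tree kill from the command line; the re-check loop above is what covers the respawn case.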
 

Amelith Nargothrond

Level 12
Verified
Well, I said it encrypted some of my files but not all in the case of Matrix, Locky and Star Trek. I'm sure they wouldn't skip encrypting the rest if they were not stopped, and I had only RansomOFF running on that PC, so it must have been RansomOFF, though I had no alerts (like the one I had after the restart).

I forgot about VirLock, sorry, I had the sample from @Evjl's Rain in my mind, Havoc, which btw was blocked almost instantly.
In my case, with VirLock, I ended up with executables instead of my files. All of them. Maybe the issue was running them one after another? Running them at the same time was not my purpose, although, because I had no alerts, I cannot be sure when the previous ones were stopped. I assumed they were stopped since I did not see any other files getting encrypted in the folders I checked.

Regarding the sample, KernelMode.info is exactly the place where I got it from.
 

Amelith Nargothrond

Level 12
Verified
Keep in mind that I restarted the machine after the installation of RansomOFF and started running the samples afterwards (Windows 10 x64 1607).
 

Windows_Security

Level 22
Content Creator
Trusted
Verified
[QUOTE="harborfront, post: 612.758, member: 55987"] Thanks for the reply. Do you think it's enough to test the MBR aspect with a few pieces of ransomware and see whether it works, i.e. remove MBRFilter and SD temporarily? That would be useful.

BTW, does it come with a file recovery feature?

Thanks again [/QUOTE]
If you use VMware, you can run the test yourself; I use only SD for quick tests.

Does not protect the MBR and has no backup/file recovery; see post #43.

HeiDef

From HeiDef
Developer
Verified
Thanks for the heads up.

So if you have .NET 4.5.2 installed that means you are running at least Windows 7 SP1 right?

The installer should have installed them, but if not, do you have the VC++ redistributable runtimes installed? RansomOff requires the 2015 and 2012 versions. You can find them here.

https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads

There are also a number of articles that point to possible permission errors.

ERROR 1723. windows installer package problem, missing some dll files

Ah the joys of debugging MSI issues. I'll run some tests to try and figure this out in the meantime.
 

HarborFront

Level 45
Content Creator
Verified
Hi @HeiDef

Can I check whether your software has self protection features built in against malware attack?

Thanks
 

WinXPert

Level 24
Trusted
Malware Hunter
Verified
@WinXPert - What dll's are you missing?
There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.

Same error message even with EAM off.
 

HeiDef

From HeiDef
Developer
Verified
So is disabling of self-protection meant for uninstalling of the software? If not, then for what reason(s) to disable it?

Thanks again
User convenience and preference more than anything. There are users that do not like being blocked from directories or registry keys so it's to allow that control if wanted.

Uninstalling is done like any regular application as long as RansomOff has already been shut down.
 

HeiDef

From HeiDef
Developer
Verified
Thanks. Still working on trying to figure that one out. Seems to be a Windows 7 issue but I haven't been able to reproduce it yet on any of my test machines or VMs.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Hello @HeiDef
I still have the problem. I read the Microsoft support page but the solution didn't work.
I installed .NET 4.5.2 (4.5.51209...) + 4.6.1
Visual C++ 2008, 2012 and 2015
Windows 7 x86 SP1
The problem is, there is no error number, so I cannot identify the exact error to search for.
My VM only has 3 GB of RAM; I don't want to install Windows 10 or test it on my host machine.
 

HeiDef

From HeiDef
Developer
Verified
Thanks @Evjl's Rain. We'll be rebuilding the MSIs later today with an updated RansomOff version, so hopefully once rebuilt it'll fix the installation errors.