- Mar 22, 2017
- 587
Ran it again, this time i allowed it to run. It created some garbage on my desktop, but it doesn't look it is encrypting. The process is running though.
[Heilig Defense] RansomOff - The World's Most Advanced Anti-Ransomware Solution
- Thread starter Evjl's Rain
- Start date
- Mar 22, 2017
- 587
Another update: restarted the PC and ran havoc again. This time i got no alert from RansomOFF. The process is NOT in the "Exemptions" list of RansomOFF. Havoc is running but still doesn't look like it's encrypting.
- Mar 27, 2017
- 94
I'm the author of RansomOff so I just wanted to clear a few things up. Also I definitely appreciate the testing feedback good, bad or otherwise.
First as it has been shown, RansomOff is not designed to prevent MBR attacks. As it was pointed out, that's a different type of attack.
Second, this current version of RansomOff does not restore files however that feature will be in a future release. In our full fledged endpoint security product, Correlate, file restoration is available.
Third, RansomOff will not clean your system of any files or artifacts dropped by a piece of ransomware. If you click 'Deny' when you get an alert, RansomOff will terminate the process but won't clean up. If the cleanup is an important feature, it can definitely be added.
Fourth, a lot of ransomware is very buggy and by the way RansomOff interacts with it, there may be cases where you will not receive an alert but the ransomware will just hang. In that hung state, the ransomware isn't able to encrypt files and will require you to kill it via task manager.
Either way, good feedback and valuable information I can add to our site to help clear up any confusion.
@Captain Awesome - The sample you linked to is a downloader from what I can tell, not actual ransomware. RansomOff isn't protecting against regular Trojans.
@WinXPert - What dll's are you missing?
@Amelith - Can you provide some hashes of the sample you tested?
First as it has been shown, RansomOff is not designed to prevent MBR attacks. As it was pointed out, that's a different type of attack.
Second, this current version of RansomOff does not restore files however that feature will be in a future release. In our full fledged endpoint security product, Correlate, file restoration is available.
Third, RansomOff will not clean your system of any files or artifacts dropped by a piece of ransomware. If you click 'Deny' when you get an alert, RansomOff will terminate the process but won't clean up. If the cleanup is an important feature, it can definitely be added.
Fourth, a lot of ransomware is very buggy and by the way RansomOff interacts with it, there may be cases where you will not receive an alert but the ransomware will just hang. In that hung state, the ransomware isn't able to encrypt files and will require you to kill it via task manager.
Either way, good feedback and valuable information I can add to our site to help clear up any confusion.
@Captain Awesome - The sample you linked to is a downloader from what I can tell, not actual ransomware. RansomOff isn't protecting against regular Trojans.
@WinXPert - What dll's are you missing?
@Amelith - Can you provide some hashes of the sample you tested?
- Mar 22, 2017
- 587
You can find all the samples i used in the MT vault (except one).
I can remember two of them exactly, but the Locky variant was in one of the malware packages and i really can't remember in which one.
The two i remember:
https://malwaretips.com/threads/star-trek-ransomware.69715/
https://malwaretips.com/threads/matrix-ransomware.69553/
Best of luck with RansomOFF! Maybe one day ransomware will disappear because of the efforts of so many people
- Mar 27, 2017
- 94
You can find all the samples i used in the MT vault (except one).
I can remember two of them exactly, but the Locky variant was in one of the malware packages and i really can't remember in which one.
The two i remember:
https://malwaretips.com/threads/star-trek-ransomware.69715/
https://malwaretips.com/threads/matrix-ransomware.69553/
Best of luck with RansomOFF! Maybe one day ransomware will disappear because of the efforts of so many people
Thanks!
And thanks for the reply. So the Star Trek sample is the same as the Kirk sample shown in our one video (Ransomware Rapid Fire). I also tested against the Matrix sample you reference and RansomOff stops it. But something that Matrix highlights though is that RansomOff, while it kills the offending process, doesn't terminate the whole process tree so it constantly tries to respawn. That'll definitely be added next release. I'm really most curious out the Virlock sample you said that RansomOff did nothing against. The samples I found at:
KernelMode.info • View topic - Win32/VirLock
were all stopped. Either way, RansomOff is currently Beta so there is room for improvement and will only get better thanks to feedback from people like you.
- Mar 22, 2017
- 587
Well, i said it encrypted some of my files but not all in the case of Matrix, Locky and Start Trek. I'm sure they wouldn't skip encrypting the rest if they would not be stopped, and i had only RansomOFF running on that PC, so must have been RansomOFF, though i had no alerts (like the one i had after the restart).
I forgot about virlock, sorry, i had the sample from @Evjl's Rain in my mind, havoc, which btw was blocked almost instantly.
In my case, with virlock, i ended up with executables instead of my files. All of them. Maybe the issue was running them one after another? Not at the same time was my purpose, although, because i had no alerts i cannot be sure when the previous ones were stopped. I assumed they were stopped since i did not see any other files getting encrypted from the folders i checked.
Regarding the sample, kernelmodeinfo is exactly the place where i got it from.
- Mar 22, 2017
- 587
Keep in mind that i restarted the machine after the installation of RansomOFF and started running the samples afterwards (Windows 10 x64 1607)
@HeiDef hi I cannot install ransomoff on my windows 7 x86 VM
.NET framwork 4.5.2 was installed
missing DLL
.NET framwork 4.5.2 was installed
missing DLL
- Mar 13, 2016
- 1,298
Last edited:
- Mar 13, 2016
- 1,298
- Mar 27, 2017
- 94
Thanks for the heads up.
So if you have .NET 4.5.2 installed that means you are running at least Win7 SP1 right?
The installer should of installed them but if not, do you have the VC++ redistributable runtimes installed? RansomOff requires the 2015 and 2012 versions. You can find them here.
https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads
There are also a number of articles that point to possible permission errors.
ERROR 1723. windows installer package problem, missing some dll files
Ah the joys of debugging MSI issues. I'll run some tests to try and figure this out in the meantime.
So if you have .NET 4.5.2 installed that means you are running at least Win7 SP1 right?
The installer should of installed them but if not, do you have the VC++ redistributable runtimes installed? RansomOff requires the 2015 and 2012 versions. You can find them here.
https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads
There are also a number of articles that point to possible permission errors.
ERROR 1723. windows installer package problem, missing some dll files
Ah the joys of debugging MSI issues. I'll run some tests to try and figure this out in the meantime.
Hi @HiDef
Can I check whether your software has self protection features built in against malware attack?
Thanks
Can I check whether your software has self protection features built in against malware attack?
Thanks
- Mar 27, 2017
- 94
It does yes. You can also disable the self-protection if you'd like though.
So is disabling of self-protection meant for uninstalling of the software? If not, then for what reason(s) to disable it?
Thanks again
- Jan 9, 2013
- 1,457
There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.
Same error message even with EAM off.
- Mar 27, 2017
- 94
User convenience and preference more than anything. There are users that do not like being blocked from directories or registry keys so it's to allow that control if wanted.
Uninstalling is done like any regular application as long as RansomOff has already been shut down.
- Mar 27, 2017
- 94
Thanks. Still working on trying to figure that one out. Seems to be a Win7 issue but I haven't been able to reproduce it yet on any of my test machines or VMs.
- Jan 9, 2013
- 1,457
Could it be a VC++ 2015 issue. I can't install it in this PC.
hello @HeiDef
I still have the problem. I read the microsoft support page but the solution didn't work
I installed .NET 4.5.2 (4.5.51209...) + 4.6.1
Visual C++ 2008, 2012 and 2015
Windows 7 x86 SP1
the problem is, there is no error number so I cannot identify the exact error to search for
my VM only has 3Gb of RAM, I don't want to install windows 10 or test it in my host machine
I still have the problem. I read the microsoft support page but the solution didn't work
I installed .NET 4.5.2 (4.5.51209...) + 4.6.1
Visual C++ 2008, 2012 and 2015
Windows 7 x86 SP1
the problem is, there is no error number so I cannot identify the exact error to search for
my VM only has 3Gb of RAM, I don't want to install windows 10 or test it in my host machine
- Mar 27, 2017
- 94
Thanks @Evjl's Rain. We'll be rebuilding the MSI's later today with an updated RansomOff version so hopefully once rebuilt it'll fix the installation errors.
Similar threads
