HeiDef

From HeiDef
Developer
Verified
Thanks everyone for the patience. We found an issue with the 32-bit MSI installer and it took a little longer than expected to fix it. But we just updated the website (Heilig Defense Correlate RansomOff) with the new version. We also added a few new features based on some of the initial feedback to include an attempt to clean up any artifacts dropped by the ransomware as well as doing a better job of terminating the full process tree.

For those of you testing on a Windows 7 system, please make sure you have KB3033929 installed. That's what allows for drivers signed with SHA-256 to load. Thanks again and looking forward to hearing any feedback.
 

Captain Awesome

Level 21
Tester
Verified
Thanks everyone for the patience. We found an issue with the 32-bit MSI installer and it took a little longer than expected to fix it. But we just updated the website (Heilig Defense Correlate RansomOff) with the new version. We also added a few new features based on some of the initial feedback to include an attempt to clean up any artifacts dropped by the ransomware as well as doing a better job of terminating the full process tree.

For those of you testing on a Windows 7 system, please make sure you have KB3033929 installed. That's what allows for drivers signed with SHA-256 to load. Thanks again and looking forward to hearing any feedback.
Looking forward to testing it. One question about MBR ransomware protection of RansomOff. Is RansomOff protected against this type of ransomware?
 

HeiDef

From HeiDef
Developer
Verified
Looking forward to testing it. One question about MBR ransomware protection of RansomOff. Is RansomOff protected against this type of ransomware?
RansomOff does not protect against MBR ransomware. Maybe a future release will have that added but MBR ransomware is relatively rare compared to regular ransomware and we want to get that right first before working on a different problem set.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Do you recommend this anti-ransomware protection?
not now but after 1 or 2 versions
I noticed a few problems with it:
- after the BSOD and reboot, it created so many empty files with various extensions (.doc, ppt, xls, txt,...) visible (not hidden) almost everywhere in the machine and could not be opened or deleted. It broke the functionality of many other applications, extremely annoying. I thought I got hit by ransomwares. After the second reboot, they were gone and things were normal again
- It conflicted with office 2007 portable and the ransomwares after the reboot => BSOD again (perhaps another reboot could have solved the problem but I didn't want to)
- The startup speed was very slow although it didn't impact the boot time. It just started itself slowly and consumed a little CPU and disk activity => vulnerable during this period

you can try it now but consider what I wrote here :p
 

Amelith Nargothrond

Level 12
Verified
not now but after 1 or 2 versions
I noticed a few problems with it:
- after the BSOD and reboot, it created so many empty files with various extensions (.doc, ppt, xls, txt,...) visible (not hidden) almost everywhere in the machine and could not be opened or deleted. It broke the functionality of many other applications, extremely annoying. I thought I got hit by ransomwares. After the second reboot, they were gone and things were normal again
- It conflicted with office 2007 portable and the ransomwares after the reboot => BSOD again (perhaps another reboot could have solved the problem but I didn't want to)
- The startup speed was very slow although it didn't impact the boot time. It just started itself slowly and consumed a little CPU and disk activity => vulnerable during this period

you can try it now but consider what I wrote here :p
Isn't it killing some system processes that got injected by the ransomware? I would prefer that rather to lose my files.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Isn't it killing some system processes that got injected by the ransomware? I would prefer that rather to lose my files.
it did kill some processes but not all of them. Some were still running and some duplicated themselves in different folders and set autorun entries to start on boot

I saw 1 sample blocked by RansomOff but it was running on boot and infected the VM. It had to get rid of it before restarting the video. I forgot to write it down in the text. People don't like to read too much
 

Amelith Nargothrond

Level 12
Verified
it did kill some processes but not all of them. Some were still running and some duplicated themselves in different folders and set autorun entries to start on boot

I saw 1 sample blocked by RansomOff but it was running on boot and infected the VM. It had to get rid of it before restarting the video. I forgot to write it down in the text. People don't like to read too much
Strange, my results were pretty bad, yours are pretty good. I didn't have any BSOD (except from Petya), but you had many.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Strange, my results were pretty bad, yours are pretty good. I didn't have any BSOD (except from Petya), but you had many.
I think they improved something in this version so it is better
I'm using Windows 7 x86 so the result may be different from yours. Petya causes BSOD itself so it's not BSOD :D
I used Office 2017 portable and you don't use so it was my fault
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
Better than most free ones, right? Appcheck and Ranstop both have MBR protection and also recover files.
yes better than most free ARs. RansomOff missed nothing in my test while it was running but failed when it was not up
I may have to test more samples like what I did before so the result would be more reliable

appcheck and ranstop missed a few or blocked but some files were deleted
 

Amelith Nargothrond

Level 12
Verified
yes better than most free ARs. RansomOff missed nothing in my test while it was running but failed when it was not up
I may have to test more samples like what I did before so the result would be more reliable

appcheck and ranstop missed a few or blocked but some files were deleted
Really? I saw your reviews, I must have missed what they missed, didn't see any missed ransomware. Thanks @Evjl's Rain !
 