[Heilig Defense] RansomOff - The World's Most Advanced Anti-Ransomware Solution

[Evjl's Rain]

Really? I saw your reviews, i must have missed what did they miss, didn't see any missed ransomware. Thanks @Evjl's Rain !

you can watch my appcheck review here
only few samples were missed. I lost some files + you can see the wallpaper changed (cerber) from 4:15 and you can skip boring parts

Spoiler: appcheck

sorry ranstop didnt miss any in my previous test. I may have to retest it. I don't like 100% result: products may be lucky to get samples they can deal with. only 20 samples => a grain of salt

 

[Amelith Nargothrond]

from 4:15 and you can skip boring parts

Not boring, they are actually quite interesting to watch them in action

 

[Evjl's Rain]

Not boring, they are actually quite interesting to watch them in action

the hard question: is it better than appcheck free

 

[Amelith Nargothrond]

the hard question: is it better than appcheck free

We'll have to give both time i guess. If AppCheck finds out it has competition for both the free and the paid versions, and vice versa, they all will get better i'm sure

One thing i cannot agree with is marketing ahead of the actual product. "The World's Most Advanced Anti-Ransomware Solution."
It is not. No MBR protection and cannot recover files. It has no paid version, so that's it for now, but definitely not the most advanced of them all

 

[HeiDef]

not now but after 1 or 2 versions
I noticed a few problems with it:
- after the BSOD and reboot, it created so many empty files with various extensions (.doc, ppt, xls, txt,...) visible (not hidden) almost everywhere in the machine and could not be opened or deleted. It broke the functionality of many other applications, extremely annoying. I thought I got hit by ransomwares. After the second reboot, they were gone and things were normal again
- It conflicted with office 2007 portable and the ransomwares after the reboot => BSOD again (perhaps another reboot could have solved the problem but I didn't want to)
- The startup speed was very slow although it didn't impact the boot time. It just started itself slowly and consumed a little CPU and disk activity => vulnerable during this period

you can try it now but consider what I wrote here

Thanks @Evjl's Rain for the test and video. Good production!

Even though you don't currently recommend RansomOff due to some stability issues, we'll get those fixed and hopefully you'll change your mind.

Just a couple of notes.

First for memory usage, and this doesn't just apply to RansomOff, but for any application you are measuring memory usage for. The regular "Working Set" column is not an accurate representation of the actual memory used by the app. Working set is actually a shared memory region with other processes and the operating system. So it's a little misleading. A better representation is the private memory value which is more realistic value of what the app itself is using. Not sure which column you were looking at for the ~80MB but I'm guessing that's the regular shared working set value.

Don't judge the startup speed by when you see the icon in the system tray. RansomOff has a delay built it on load to wait for Explorer to fully load before adding the icon. The driver and service is loaded well before you see the icon. Why it is not catching things on boot up though is something we will explore. Can you provide me the hashes of the samples that loaded on boot?

We are working on the Office compatibility issue now as well. But did one of your test samples also cause a BSOD? I'm a little unclear from the video. If so, would you please also provide that hash so we can test to find out the cause? Thanks again.

 

[Evjl's Rain]

Thanks @Evjl's Rain for the test and video. Good production!

Even though you don't currently recommend RansomOff due to some stability issues, we'll get those fixed and hopefully you'll change your mind.

Just a couple of notes.

First for memory usage, and this doesn't just apply to RansomOff, but for any application you are measuring memory usage for. The regular "Working Set" column is not an accurate representation of the actual memory used by the app. Working set is actually a shared memory region with other processes and the operating system. So it's a little misleading. A better representation is the private memory value which is more realistic value of what the app itself is using. Not sure which column you were looking at for the ~80MB but I'm guessing that's the regular shared working set value.

Don't judge the startup speed by when you see the icon in the system tray. RansomOff has a delay built it on load to wait for Explorer to fully load before adding the icon. The driver and service is loaded well before you see the icon. Why it is not catching things on boot up though is something we will explore. Can you provide me the hashes of the samples that loaded on boot?

We are working on the Office compatibility issue now as well. But did one of your test samples also cause a BSOD? I'm a little unclear from the video. If so, would you please also provide that hash so we can test to find out the cause? Thanks again.

thank you for clarification
I counted the memory usage of the 2 processes ~39-40Mb = 80Mb. If I had counted private bytes, it was around 40-50Mb => OK. Sorry, I'm not a coder/developer, I don't know much
I was using Office 2007 portable (illegal) and RansomOff actually detected it once as ransomware before the VM froze and BSOD

There were 3 autorun entries I saw in Autoruns program so I'm not sure exactly which one caused BSOD
I can give the hash of 2 potential samples which caused BSOD (ransomware.exe and sure ransomware/screenlocker)

ransomware.exe
Antivirus scan for fb061305a6af048ecee60f8588c641cd18f9cc1975f96ef2d3b7666b5d5345ad at 2017-03-23 04:50:26 UTC - VirusTotal

sure ransomware
Antivirus scan for 9182432e60ea007cbfae7eed92082e7ef0f2d00674dfe1b2ad956f7c9d494adb at 2017-02-02 05:02:07 UTC - VirusTotal

after the reboot, I think ransomoff intercepted the malwares but also blocked something which caused BSOD, but no popup was seen. Exact same situation happened to Office 2007 portable (detected as ransomware with a popup => froze => BSOD)

if you can't find them I can send it to you, no problem

I'm looking forward to the later versions as this program is very good

I still have the snapshot of the tested VM. I may help

 

[Evjl's Rain]

by the way, I forgot to tell you that after the BSOD in the video. I rebooted the system and it got hit by sure ransomware (the screen was locked) and ransomware.exe (jigsaw with .fun extension)

that's why I thought ransomoff didn't fully run on boot

 

[HeiDef]

We'll have to give both time i guess. If AppCheck finds out it has competition for both the free and the paid versions, and vice versa, they all will get better i'm sure

One thing i cannot agree with is marketing ahead of the actual product. "The World's Most Advanced Anti-Ransomware Solution."
It is not. No MBR protection and cannot recover files. It has no paid version, so that's it for now, but definitely not the most advanced of them all

Rough crowd

We do have a paid version called Correlate. Correlate is our enterprise security solution and the anti-ransomware capabilities in Correlate were pulled from there to create RansomOff which we are offering for free. If having a paid version of something makes it more advanced then maybe we will look into charging for RansomOff at some point.

There is also obviously a disconnect between our understanding of "advanced." You're looking at it from the features of a product whereas we look at it from the implementation of the core technology that allows it to be so efficient and effective. It's kind of hard to make that differentiation in a slogan though.

As stated in an earlier post, file recovery will be an option in a future release. It's already in Correlate and we just haven't moved that over yet. And as for MBR protection, fair enough. It's such a rare threat but it seems to be the high bar on this site that it will probably be added to gain more points

 

[Amelith Nargothrond]

Rough crowd

We do have a paid version called Correlate. Correlate is our enterprise security solution and the anti-ransomware capabilities in Correlate were pulled from there to create RansomOff which we are offering for free. If having a paid version of something makes it more advanced then maybe we will look into charging for RansomOff at some point.

There is also obviously a disconnect between our understanding of "advanced." You're looking at it from the features of a product whereas we look at it from the implementation of the core technology that allows it to be so efficient and effective. It's kind of hard to make that differentiation in a slogan though.

As stated in an earlier post, file recovery will be an option in a future release. It's already in Correlate and we just haven't moved that over yet. And as for MBR protection, fair enough. It's such a rare threat but it seems to be the high bar on this site that it will probably be added to gain more points

"What doesn't kill you makes you stronger."
I do think and believe that a moderate amount of "rough", or criticism, is good and healthy (if based on real facts).

Here is my detailed personal judgement:

• I try to understand every inch in every marketing strategies and design i get in touch with. They all have the same purpose: sell (nothing's for free). They sell canned air in China (for breathing clean air); if i don't understand why it's free, for sure somebody knows what it will monetize
• every marketing strategy will have a very good reasoning in someone's mind
• in the software business, there are developers and there are users (and others); thinking like a developer in marketing is dangerous for the users, as they do not have the mindset of a developer and will never have; stating that a product is "most advanced", in the user's mind will translate to: i will get protected for sure because this is the best product in the world, because they say it is; it turns out there are issues with the "best product in the world", issues that can have a profound negative impact on the user; note that you had the same slogan when i quick-tested your product, and i didn't get the protection i expected
• Correlate is not advertised as an anti ransomware tool, but an anti malware tool, with many advanced protection techniques; but i haven't found the word "ransomware" anywhere on Correlate's website; i haven't looked in the white papers though; so the user (including me) will have absolutely no idea that Correlate will protect his assets from ransomware, that Correlate is a (much) extended version of RansomOff (btw, this is also news for me), and that he will get his files back after a ransomware attack (this is also new for me)
• i do not necessarily think that paid products are better (i do eventually, they have better support -> financial resources for this); i was referring to the fact that some features maybe are available in a paid version that will justify the "the most advanced" description -> which i did not find, as (again) Correlate is not advertised as a feature rich anti ransomware tool

I know how hard it is to get a driver signed, including the difficulties involved in getting a certificate to sign that driver (didn't verify it thoroughly, but it must be signed - i did have a lot of security stuff disabled on my test machine). So you are on the right track and i really hope that you will get where you would like to get. Your software has a great potential, i personally do not agree with some aspects of your marketing strategy, but that's just me, others may like it. I also hope you will have the necessary resources to keep it free.

Anyway, all my best wishes to you and your team, may ransomware die, i really had enough of them

 

[_CyberGhosT_]

We do have a paid version called Correlate

Hows about letting Evil test the Correlate version ?

 

[HeiDef]

I want to thank @Evjl's Rain, @Amelith Nargothrond and @sunshineboy for the feedback that helped with this new release.

We just posted a RansomOff update that has many new features including ***MBR protection*** and file restoration capabilities. We also fixed a number of bugs and stability issues (all the one that @Evjl's Rain identified plus others) along with some interface and installer changes.

You can find the new update at Heilig Defense RansomOff

 

[_CyberGhosT_]

I want to thank @Evjl's Rain, @Amelith Nargothrond and @sunshineboy for the feedback that helped with this new release.

We just posted a RansomOff update that has many new features including ***MBR protection*** and file restoration capabilities. We also fixed a number of bugs and stability issues (all the one that @Evjl's Rain identified plus others) along with some interface and installer changes.

You can find the new update at Heilig Defense RansomOff

Awesome Work !!
Don't ever loose the ability to accept constructive criticism or listen to your users ,
it's what sets "Great" companies apart for the average

 

[Amelith Nargothrond]

I want to thank @Evjl's Rain, @Amelith Nargothrond and @sunshineboy for the feedback that helped with this new release.

We just posted a RansomOff update that has many new features including ***MBR protection*** and file restoration capabilities. We also fixed a number of bugs and stability issues (all the one that @Evjl's Rain identified plus others) along with some interface and installer changes.

You can find the new update at Heilig Defense RansomOff

Very nice job @HeiDef , i'm glad i could help!

I just quick-tested the new RansomOff, i tried 2 samples, 1 that attacks the MBR and one that attacks the files.

Here are some details about the test:

• Environment: Win10 1607 x64 VM
• Samples: Petya, TeslaCrypt
• Results Petya: successfully blocked, the MBR was not tampered with
• Results TeslaCrypt: failed, all my files got encrypted
• TeslaCrypt sample: Antivirus scan for 5637c4cdbda24b23387e10830a88a3583dc0e7f31ac7a818f3457e3a5c3f9655 at 2016-10-18 00:21:55 UTC - VirusTotal
• I got no alerts for any of them
• I could not recover any of my files

Screen shots:

Spoiler

 

[HeiDef]

Very nice job @HeiDef , i'm glad i could help!

I just quick-tested the new RansomOff, i tried 2 samples, 1 that attacks the MBR and one that attacks the files.

Here are some details about the test:

• Environment: Windows 10 1607 x64 VM
• Samples: Petya, TeslaCrypt
• Results Petya: successfully blocked, the MBR was not tampered with
• Results TeslaCrypt: failed, all my files got encrypted
• TeslaCrypt sample: Antivirus scan for 5637c4cdbda24b23387e10830a88a3583dc0e7f31ac7a818f3457e3a5c3f9655 at 2016-10-18 00:21:55 UTC - VirusTotal
• I got no alerts for any of them
• I could not recover any of my files

Screen shots:

Spoiler

Thanks for the quick test.

I see that version of Tesla is digitally signed. Looks like that's throwing a wrench in the detection heuristics. A few tweaks and an update will be posted shortly. Thanks again.

 

[HeiDef]

We just posted version 5.2017.96.8750. Screen shots below are results of running the same TeslaCrypt that @Amelith Nargothrond ran. Anything else you can throw at it where RansomOff fails is great feedback so please keep it coming.

 

[Jogos]

If this software will be forever free... it will be wonderful.

 

[HeiDef]

If this software will be forever free... it will be wonderful.

We decided when we first released RansomOff that it will stay free for home and personal use and we don't intend to change that.

 

[Ink]

We just posted version 5.2017.96.8750. Screen shots below are results of running the same TeslaCrypt that @Amelith Nargothrond ran. Anything else you can throw at it where RansomOff fails is great feedback so please keep it coming.

If user clicks Allow, is there a warning to confirm?

 

[HeiDef]

If user clicks Allow, is there a warning to confirm?

Currently no but great suggestion. We have been thinking about making the 'Allow' button smaller which while wouldn't completely be the same effect would make accidental clicks less likely. But the warning would probably be a better way to go.

 

[Jogos]

We decided when we first released RansomOff that it will stay free for home and personal use and we don't intend to change that.

Awesome, i will use this software, this have big potential to be NO.1 in Anti-Ransomware sofware category.