[Heilig Defense] RansomOff - The World's Most Advanced Anti-Ransomware Solution

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Really? I saw your reviews; I must have missed what they missed, I didn't see any missed ransomware. Thanks @Evjl's Rain!
You can watch my AppCheck review here.
Only a few samples were missed. I lost some files, and you can see the wallpaper changed (Cerber) from 4:15; you can skip the boring parts.


Sorry, RanStop didn't miss any in my previous test. I may have to retest it. I don't like a 100% result: products may be lucky to get samples they can deal with. Only 20 samples => a grain of salt.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
The hard question: is it better than AppCheck Free? :rolleyes:

We'll have to give both time, I guess. If AppCheck finds out it has competition for both the free and the paid versions, and vice versa, they will all get better, I'm sure :)

One thing I cannot agree with is marketing ahead of the actual product. "The World's Most Advanced Anti-Ransomware Solution."
It is not. No MBR protection, and it cannot recover files. It has no paid version, so that's it for now, but it is definitely not the most advanced of them all :)
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
Not now, but after 1 or 2 versions.
I noticed a few problems with it:
- After the BSOD and reboot, it created many empty files with various extensions (.doc, .ppt, .xls, .txt, ...), visible (not hidden), almost everywhere on the machine, and they could not be opened or deleted. It broke the functionality of many other applications; extremely annoying. I thought I had been hit by ransomware. After the second reboot they were gone and things were normal again.
- It conflicted with Office 2007 portable and with the ransomware after the reboot => BSOD again (perhaps another reboot could have solved the problem, but I didn't want to).
- The startup speed was very slow, although it didn't impact the boot time. It just started itself slowly and consumed a little CPU and disk activity => vulnerable during this period.

You can try it now, but consider what I wrote here :p


Thanks @Evjl's Rain for the test and video. Good production!

Even though you don't currently recommend RansomOff due to some stability issues, we'll get those fixed and hopefully you'll change your mind.

Just a couple of notes.

First, for memory usage, and this doesn't just apply to RansomOff but to any application you are measuring memory usage for: the regular "Working Set" column is not an accurate representation of the actual memory used by the app. The working set is actually a shared memory region with other processes and the operating system, so it's a little misleading. A better representation is the private memory value, which is a more realistic value of what the app itself is using. Not sure which column you were looking at for the ~80MB, but I'm guessing that's the regular shared working set value.

Don't judge the startup speed by when you see the icon in the system tray. RansomOff has a delay built in on load to wait for Explorer to fully load before adding the icon. The driver and service are loaded well before you see the icon. Why it is not catching things on boot-up, though, is something we will explore. Can you provide me the hashes of the samples that loaded on boot?

We are working on the Office compatibility issue now as well. But did one of your test samples also cause a BSOD? I'm a little unclear from the video. If so, would you please also provide that hash so we can test to find out the cause? Thanks again.
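The working-set vs. private-bytes distinction above, as an added example that is not Heilig Defense code and not from the original post: a PowerShell function that lists both values for every process matching a name pattern and sums them, so a multi-process application (the video counted two RansomOff processes) is measured as a whole. The process name pattern 'RansomOff*' is an assumption; replace it with the actual process names.

```powershell
# Added example (not the vendor's code). Compares the shared-inclusive Working Set
# with Private Bytes for all processes matching a pattern, then totals both.
function Get-ProcessMemoryFootprint {
    param(
        [Parameter(Mandatory)] [string] $NamePattern   # e.g. 'RansomOff*' (assumed name)
    )
    $procs = Get-Process -Name $NamePattern -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "No process matches '$NamePattern'"; return }

    $rows = foreach ($p in $procs) {
        [pscustomobject]@{
            Name         = $p.ProcessName
            PID          = $p.Id
            # Working set counts resident pages, including DLL pages shared with other processes
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            # Private bytes are committed memory owned by this process alone
            PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
        }
    }
    $rows | Format-Table -AutoSize | Out-Host

    $ws  = ($rows | Measure-Object WorkingSetMB -Sum).Sum
    $prv = ($rows | Measure-Object PrivateMB -Sum).Sum
    [pscustomobject]@{
        Processes         = @($rows).Count
        TotalWorkingSetMB = $ws
        TotalPrivateMB    = $prv
        # Difference is a rough measure of shared pages; it can go negative when
        # private pages have been paged out of the working set.
        DifferenceMB      = [math]::Round($ws - $prv, 1)
    }
}

Get-ProcessMemoryFootprint -NamePattern 'RansomOff*'
```

Run it while the product is idle and again under load; the TotalPrivateMB figure is the one to quote when comparing memory usage between products.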
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Thank you for the clarification :)
I counted the memory usage of the 2 processes, ~39-40MB each = 80MB. If I had counted private bytes, it would have been around 40-50MB => OK. Sorry, I'm not a coder/developer, I don't know much :)
I was using Office 2007 portable (illegal), and RansomOff actually detected it once as ransomware before the VM froze and BSOD'd.

There were 3 autorun entries I saw in Autoruns program so I'm not sure exactly which one caused BSOD
I can give the hash of 2 potential samples which caused BSOD (ransomware.exe and sure ransomware/screenlocker)

ransomware.exe
Antivirus scan for fb061305a6af048ecee60f8588c641cd18f9cc1975f96ef2d3b7666b5d5345ad at 2017-03-23 04:50:26 UTC - VirusTotal

sure ransomware
Antivirus scan for 9182432e60ea007cbfae7eed92082e7ef0f2d00674dfe1b2ad956f7c9d494adb at 2017-02-02 05:02:07 UTC - VirusTotal

After the reboot, I think RansomOff intercepted the malware but also blocked something which caused the BSOD, but no popup was seen. The exact same situation happened with Office 2007 portable (detected as ransomware with a popup => froze => BSOD).

If you can't find them I can send them to you, no problem.

I'm looking forward to the later versions as this program is very good :)

I still have the snapshot of the tested VM. It may help.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
By the way, I forgot to tell you that after the BSOD in the video, I rebooted the system and it got hit by Sure ransomware (the screen was locked) and ransomware.exe (Jigsaw with .fun extension).

That's why I thought RansomOff didn't fully run on boot.
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94

Rough crowd :)

We do have a paid version called Correlate. Correlate is our enterprise security solution and the anti-ransomware capabilities in Correlate were pulled from there to create RansomOff which we are offering for free. If having a paid version of something makes it more advanced then maybe we will look into charging for RansomOff at some point.

There is also obviously a disconnect between our understanding of "advanced." You're looking at it from the features of a product whereas we look at it from the implementation of the core technology that allows it to be so efficient and effective. It's kind of hard to make that differentiation in a slogan though.

As stated in an earlier post, file recovery will be an option in a future release. It's already in Correlate and we just haven't moved that over yet. And as for MBR protection, fair enough. It's such a rare threat but it seems to be the high bar on this site that it will probably be added to gain more points :)
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587

"What doesn't kill you makes you stronger."
I do think and believe that a moderate amount of "rough", or criticism, is good and healthy (if based on real facts).

Here is my detailed personal judgement:
  • I try to understand every inch of every marketing strategy and design I get in touch with. They all have the same purpose: sell (nothing's for free). They sell canned air in China (for breathing clean air); if I don't understand why it's free, for sure somebody knows what it will monetize.
  • Every marketing strategy will have a very good reasoning in someone's mind.
  • In the software business, there are developers and there are users (and others); thinking like a developer in marketing is dangerous for the users, as they do not have the mindset of a developer and never will; stating that a product is "most advanced", in the user's mind, will translate to: I will get protected for sure because this is the best product in the world, because they say it is; it turns out there are issues with the "best product in the world", issues that can have a profound negative impact on the user; note that you had the same slogan when I quick-tested your product, and I didn't get the protection I expected.
  • Correlate is not advertised as an anti-ransomware tool but as an anti-malware tool, with many advanced protection techniques; but I haven't found the word "ransomware" anywhere on Correlate's website; I haven't looked in the white papers though; so the user (including me) will have absolutely no idea that Correlate will protect his assets from ransomware, that Correlate is a (much) extended version of RansomOff (btw, this is also news for me), and that he will get his files back after a ransomware attack (this is also new for me).
  • I do not necessarily think that paid products are better (I do eventually; they have better support -> financial resources for this); I was referring to the fact that some features may be available in a paid version that would justify the "the most advanced" description -> which I did not find, as (again) Correlate is not advertised as a feature-rich anti-ransomware tool.
I know how hard it is to get a driver signed, including the difficulties involved in getting a certificate to sign that driver (I didn't verify it thoroughly, but it must be signed; I did have a lot of security stuff disabled on my test machine). So you are on the right track and I really hope that you will get where you would like to get. Your software has great potential; I personally do not agree with some aspects of your marketing strategy, but that's just me, others may like it. I also hope you will have the necessary resources to keep it free.

Anyway, all my best wishes to you and your team; may ransomware die, I really have had enough of them :)
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94
I want to thank @Evjl's Rain, @Amelith Nargothrond and @sunshineboy for the feedback that helped with this new release.

We just posted a RansomOff update that has many new features, including ***MBR protection*** and file restoration capabilities. We also fixed a number of bugs and stability issues (all the ones that @Evjl's Rain identified, plus others) along with some interface and installer changes.

You can find the new update at Heilig Defense RansomOff
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Awesome work!!
Don't ever lose the ability to accept constructive criticism or listen to your users;
it's what sets "great" companies apart from the average ;)
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587

Very nice job @HeiDef, I'm glad I could help!

I just quick-tested the new RansomOff; I tried 2 samples, one that attacks the MBR and one that attacks the files.

Here are some details about the test:
Screen shots:

(two screenshots attached to the original post, not reproduced here)
 

HeiDef

From HeiDef
Verified
Developer
Mar 27, 2017
94


Thanks for the quick test.

I see that version of Tesla is digitally signed. Looks like that's throwing a wrench in the detection heuristics. A few tweaks and an update will be posted shortly. Thanks again.
 
