New antiransomware product: RansomFree

[HarborFront]

It's based on dynamic analysis, but that doesn't mean it will detect all ransomware. It's already failed in some tests by @Av Gurus since it failed to protect against Petya, which is a more sophisticated ransomware threat (than your average) which works by targeting the Master Boot Record.

It seems this product works by placing files around as bait to catch out programs attempting to encrypt the data within these bait test files.

So it works similarly like a honeypot. Petya is no longer considered a new ransomware. I can understand if you say that this product cannot detect a new ransomware of tomorrow but to not able to detect a yesterday ransomware seems strange.

Then do you feel safe having this product on your PC?

 

[Andrew999]

Is this product better than Malwarebytes 3.0 Anti Ransomware?

 

[Wave]

So it works similarly like a honeypot. Petya is no longer considered a new ransomware. I can understand if you say that this product cannot detect a new ransomware of tomorrow but to not able to detect a yesterday ransomware seems strange.

It's not as simple as you think; Petya targets the Master Boot Record for infection, therefore the software would need to implement protection mechanisms against MBR modifications - the developers may not want to expand to protection against the MBR but focus on mitigating standard ransomware threats instead, which work at a normal user-mode level without relying on MBR infection (and then reboot for the infection code to be executed at boot).

Petya is not new ransomware however it's not about whether it's new or not, it's about the techniques it uses. Malware is always evolving and therefore it is definitely important to keep up with the latest methods being used to protect against them, however I think you'll find that a majority of ransomware will encrypt from a user-mode level, and won't do things like MBR infection (bootkit behavior).

Nothing is full-proof, you cannot expect it to detect 100% of ransomware... No security product can do this, not statically nor dynamically - that's an impossible task.

I think that this product needs to be tested more before a real verdict can be made on it; we should also let it continue to mature through updates as it seems fairly new.

 

[Wave]

Is this product better than Malwarebytes 3.0 Anti Ransomware?

Both anti-ransomware components will work differently in some ways, therefore you cannot take one and say it is better than the other just like that... Especially without analyzing in detail how each of them work and comparing the techniques applied for the ransomware mitigation.

That being said, at this moment in time I would rate Malwarebytes 3.0 Anti-Ransomware component as more reliable, since it comes from a well-known publisher (Malwarebytes), whereas this software seems to still be in-development (correct me if I am wrong) and fairly new?

It needs to be tested more thoroughly.

 

[HarborFront]

Interesting that this product does not indicate the types or families of ransomware its effective against. Other developers normally they would indicate so

 

[XhenEd]

Interesting that this product does not indicate the types or families of ransomware its effective against. Other developers normally they would indicate so

That's not surprising, to me. It boils down to marketing strategy of the makers of the software, whether they want to tell which ransomware it is effective against or not. For some, just saying that it is "anti-ransomware" is enough to get anyone to buy, even if the software is effective only against some families of ransomware. Example is this software and Kaspersky Anti-Ransomware for Business.

Edit:
Cybereason does indicate some here: Q&A - RansomFree

 

[Wave]

Interesting that this product does not indicate the types or families of ransomware its effective against. Other developers normally they would indicate so

That is because it's not necessarily going to target specific families, it doesn't work the same as some other anti-ransomware products - when it blocks a program it won't know if it really is ransomware or not, it will just block due to the suspicious behavior (e.g. enumerating through lots of files -> performing write operations on the collected files for encryption, etc).

If the product is monitoring the running programs to catch out when a program attempts to open a handle to one of it's bait files to perform a write operation for encryption of it, then it will probably identify this behavior in it's traps and then block until further user interaction to decide what to do... How do you expect it to know which family of ransomware it is? It cannot identify the RSA-2048 encryption and automatically assume it's CryptoLocker! Of course, if the ransomware managed to change the file extension prior to the block and the file extension was in a known static database of being linked to a specific family then that could be an identifier, or the help file, but the point is to block as quickly as possible before much damage is done, therefore the product won't want you to hit that stage.

Some anti-ransomware components in other security software will rely either more on static analysis, or a mix of both static and dynamic... And therefore, they can include generic detection's for known ransomware types (e.g. CryptoLocker, Petya, GoldenEye), thus allowing them to prevent execution of these samples before it actually runs and performs any actions... This explains why Kaspersky Anti-Ransomware tool managed to block all the samples in the review that The PC Security Channel made awhile ago before the samples even ran properly to attempt to execute any actions on the system - it didn't get a chance because it was obviously blocked by static methods (e.g. generic detection's).

Regarding these dynamic utilities for ransomware mitigation, it's not supposed to identify whether it's really ransomware or not... There are so many factors involved that it cannot always be certain: what if it's just a genuine encryption tool? In the case of identification of encryption, the user would be notified to decide with further user interaction on what to do... If you get an alert out the blue saying a program you didn't even know was running (which is not digitally signed or part of any genuine software you use) called "cheekyme.exe" has apparently been attempting to encrypt files in the Documents area then obviously the result would be to block. It has to be used properly and the user needs to understand how the alerts work to make the correct decision, just like with a BB/HIPS product.

The above is a concept on how I understand the product works based on previous intelligence shared in the thread by other members, hopefully it helped.

 

[HarborFront]

That's not surprising, to me. It boils down to marketing strategy of the makers of the software, whether they want to tell which ransomware it is effective against or not. For some, just saying that it is "anti-ransomware" is enough to get anyone to buy, even if the software is effective only against some families of ransomware. Example is this software and Kaspersky Anti-Ransomware for Business.

Edit:
Cybereason does indicate some here: Q&A - RansomFree

Thanks. So it's effective against

RansomFree protects against 99% of ransomware strains. It was found effective against dozens of ransomware types, including the notorious Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber.

No wonder it fails for Petya

 

[Wave]

Thanks. So it's effective against

RansomFree protects against 99% of ransomware strains. It was found effective against dozens of ransomware types, including the notorious Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber.

No wonder it fails for Petya

It's just marketing, ignore the whole "protects against 99% of ransomware strains"... They just want people to use the product. All in all it can probably do a good job towards at least average normal ransomware threats which stick to higher-up methods, unlike with Petya with the low-level methods of MBR infection.

Test it out in a Virtual Machine and get a personal verdict on the software; you can never be sure before you test it yourself, and our personal opinions/guesses are not reliable to base an opinion on the product's effectiveness.

 

[HarborFront]

Here are some anti-ransomware products designed for certain types/families of ransomware. Info taken from the net.

BitDefender AntiRansom Tool

Next-gen ransomware protection against CTB-Locker, Locky, Petya and TeslaCrypt ransomware families

RansomFree

RansomFree protects against 99% of ransomware strains. It was found effective against dozens of ransomware types, including the notorious Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber.

SBGuard Anti-Ransomware

It protects your Windows PC against all known Ransomware malware, such as CryptoLocker, CryptoWall, TeslaCrypt, CryptoXXX, CTB-Locker, Zepto and many others

Kaspersky Anti-Ransom Tool

Kaspersky Anti-Ransomware Tool was developed to protect from a particular type of cyber threat – ransomware. The utility is concentrated on the most devastating variant of this virus family, known as cryptomalware.

HitmanPro.Alert

HitmanPro.Alert blocks the core techniques and exploits malware uses to hide from antivirus software. It also detects intruders like banking malware, remote access tools, and crypto-ransomware, simply by observing the behaviors that these threats exhibit.

Note :- If I'm not wrong Kaspersky and HMPA should be protecting against the same crypto family of ransomware

I can't find MalwareBytes 3.0 anti-ransom component is protecting against what types/families as it only mentions it uses behavior detection. Anyone knows?

From the above different products it seems for an effective protection against ransomwares you'll need BD, RansomFree and either Kaspersky or HMPA.

 

[XhenEd]

From the above different products it seems for an effective protection against ransomwares you'll need BD, RansomFree and either Kaspersky or HMPA.

Again, don't just trust what these products say. Just because they say this and that, it does not mean that they are effective against all ransomware.

You say BD AntiRansomware seems to be very effective against ransomware. But recent tests already show how basic it is. In short, it failed to block certain ransomware. To be fair to BD, though, it's clearly stated that it only protects against specific ransomware type.

RansomFree was just tested by @Av Gurus, and it failed. KAR was tested by cruelsister, and it failed. HMP.A was tested, and it failed. Of course, to be fair to all of them, they are effective against some, if not many. So, at least, you can still be protected by them.

 

[HarborFront]

Again, don't just trust what these products say. Just because they say this and that, it does not mean that they are effective against all ransomware.

You say BD AntiRansomware seems to be very effective against ransomware. But recent tests already show how basic it is. In short, it failed to block certain ransomware. To be fair to BD, though, it's clearly stated that it only protects against specific ransomware type.

RansomFree was just tested by @Av Gurus, and it failed. KAR was tested by cruelsister, and it failed. HMP.A was tested, and it failed. Of course, to be fair to all of them, they are effective against some, if not many. So, at least, you can still be protected by them.

Each anti-ransomware product is good against certain types of ransomware. If you use a ransomware against the product which it is not protecting then the product will fail. This is obvious like testing Petya against RansomFree. Similarly, I believe the product itself cannot protect against all strains in the same family of ransomware.

However, using a combo of say BD, RansomFree and Kaspersky(or HMPA) is still better than just using one

Thanks

 

[XhenEd]

Each anti-ransomware product is good against certain types of ransomware. If you use a ransomware against the product which it is not protecting then the product will fail. This is obvious like testing Petya against RansomFree. Similarly, I believe the product itself cannot protect against all strains in the same family of ransomware.

However, using a combo of say BD, RansomFree and Kaspersky(or HMPA) is still better than just using one

Thanks

I now see your point.

You're saying to have a multi-layered anti-ransomware security. The problem with that, however, is possible compatibility issues. Although I wouldn't install too many stand-alone anti-ransomware, I don't see any real problem installing them, if there are no compatibility issues.

For me, default-deny (with good whitelist) is the way to go. I'm talking about Kaspersky with TAM turned On.

As for RansomFree, I have no real problems with it dropping files. But I hope they will hide them, so that they won't be an eye-sore.

 

[Azure]

Again, don't just trust what these products say. Just because they say this and that, it does not mean that they are effective against all ransomware.

You say BD AntiRansomware seems to be very effective against ransomware. But recent tests already show how basic it is. In short, it failed to block certain ransomware. To be fair to BD, though, it's clearly stated that it only protects against specific ransomware type.

RansomFree was just tested by @Av Gurus, and it failed. KAR was tested by cruelsister, and it failed. HMP.A was tested, and it failed. Of course, to be fair to all of them, they are effective against some, if not many. So, at least, you can still be protected by them.

So, no one has yet to test SBGuard? I have been wondering how effective it would be against ransomware. Since as opposed to the others it claims it doesn't rely on signature or behavior but policy restriction.

 

[XhenEd]

So, no one has yet to test SBGuard? I have been wondering how effective it would be against ransomware. Since as opposed to the others it claims it doesn't rely on signature or behavior but policy restriction.

I'm not aware if anyone has already tested SBGuard. Maybe some already have.

 

[shmu26]

how common is petya-type ransomware these days?

It looks like RansomFree is pretty good against other types.

and what is effective against petya?

 

[XhenEd]

how common is petya-type ransomware these days?

It looks like RansomFree is pretty good against other types.

and what is effective against petya?

I'm not sure if I'm correct, but HMP.A's CryptoGuard has MBR protection. So, HMP.A might be effective against it.

 

[XhenEd]

Fabian's comments about RansomFree (implying also others):
RansomFree Is the Latest App That Tries to Stop Ransomware Infections on Windows
RansomFree by Cybereason

 

[SHvFl]

Fabian's comments about RansomFree (implying also others):
RansomFree Is the Latest App That Tries to Stop Ransomware Infections on Windows
RansomFree by Cybereason

Damn i can see the future and this is a totally useless application. Praise your fortune teller Mr. Cat.

 

[KGBagent47]

This app drops some strange folders around. The one on the desktop is titled "Please don't remove me as I am here to help Cyberreason protect your computer". I opened the folder and everything looks like you've been hit with a ransomeware attack . After I pulled my heart back in my body, I realized that it could be part of the app and then found more folders in the Documents area. The files inside each folder were one each of all kinds of files. So what, the program makes these files the targets of the ransomeware? idk. Kind of creepy to look at for the first time though. I think hidden files have to be set to show to see the folders.

I have docs in other places, so I wondered if they would be protected with this setup. I noticed the folder(s) wasn't present in them. If anyone has this installed, you might check secondary drives to see if the folder is there too. I forgot to look before I unistalled. Not jumping off here, gonna wait to hear more about the app I think.

That's really interesting it seems like they put a honeypot on the end users system.