App Review RansomOff - First Look at New User Interface

[cruelsister]

Funny you should ask as I was screwing around with the bunch earlier this week with a specific focus on modified NotPetya variants. The most impressive result came from an application that I mercilessly mocked in the past, that being RansomFree. Not wanting to accept that either they improved or (God Forbid!) that I could have been wrong I also added on some other nasties and sadly got a very good (perfect for my malware set) result. As I misplaced my Ranstop credential so I couldn't test that one.

So although both Ranstop and AppCheck have excellent backup options I question efficacy of AC due to the NP result; jury is still out on Ranstop until I can test it.
That leaves Ransomfree and RansomOff. Once RansomOff comes out of RC status it may (will) have the greater utility due the HIPS, but the HIPS settings have to be optimized some way to prevent FP's. RansmomFree has improved and I guess can now be considered a viable option.

 

[HeiDef]

IMO, the color of black and grey combo is a poor choice. Maybe you can come out with a few GUIs with different color selection for the user to choose

Thanks. We changed some things up a bit from the video but it still has a dark layout. Once we finally get the updated release out maybe we will go back and add an option so you can select a light or dark layout.

Speaking of the updated release, it should be any day now. There are just a few finishing touches left.

 

[HeiDef]

Wow! Great software. For free as well?! I'm going to look into this even more now. How new is this software? To be honest I haven't heard about this software before.

We released it back in March so a few months old but always constantly evolving and improving.

 

[HarborFront]

@HeiDef

I refer to the features listed on your website particularly

Heilig Defense RansomOff

Startup change detection
System file change detection
Process hollowing detection

Are these protected by RansonOff besides just detection? It's no point having detection without protection.

One suggestion. Can you show what ransomware are being protected against by RansomOff on your website like when the ransomware was neutralized etc This allows the user to know the effectiveness of RansomOff against the latest ransomware. Maybe the earlier ones you can lump them together but starting with some of the latest ones, say for the past 2 months or so, can you assign some dates to them?

Thanks

 

[HeiDef]

Anker- when you are testing it please note the various settings for the HIPS (which is a good thing). A balance must be struck between applying the settings that will stop malware while also leaving those settings that will trigger FP's alone. I know there is an optimal configuration but only folk like you will lead us into the light!

However I will say that in the short time I had my way with RO I was impressed by its ability to squash worms (even those with unconventional persistence mechanisms) as well as it being able to stop a very nasty RAT. I actually completed a video about the latter last week but am reticent to publish it as I'm not sure of the proper settings to be used to yield real-world applicability.

RO does some analysis on the actions to filter out legit operations but like you said, the tuning of the HIPS settings as well as any exemptions goes a long way in preventing unnecessary notifications.

 

[HeiDef]

@HeiDef

I refer to the features listed on your website particularly

Heilig Defense RansomOff

Startup change detection
System file change detection
Process hollowing detection

Are these protected by RansonOff besides just detection? It's no point having detection without protection.

One suggestion. Can you show what ransomware are being protected against by RansomOff on your website like when the ransomware was neutralized etc This allows the user to know the effectiveness of RansomOff against the latest ransomware.

Thanks

With the addition of the new HIPS settings in the soon-to-be-released version, all of the things that RO detects can be blocked at the point in time of notification.

For the website, do you mean just a list of ransomware families RO protects against? Or video demos of new ransomware strains?

 

[HarborFront]

With the addition of the new HIPS settings in the soon-to-be-released version, all of the things that RO detects can be blocked at the point in time of notification.

For the website, do you mean just a list of ransomware families RO protects against? Or video demos of new ransomware strains?

That's great. Waiting for the official release then.

No need video. Just a tabulated reverse chronological listing with dates and status will do. This will keep the user informed of the latest ransomware and the speed at which RansomOff can neutralized them e.g. of status like 'Neutralized', 'Working On It' etc

A table like

Name of Ransomware............Status.............Date Neutralized

Thanks

 

[HeiDef]

That's great. Waiting for the official release then.

No need video. Just a tabulated reverse chronological listing with dates and status will do. This will keep the user informed of the latest ransomware and the speed at which RansomOff can neutralized them e.g. of status like 'Neutralized', 'Working On It' etc

A table like

Name of Ransomware............Status.............Date Neutralized

Thanks

RansomOff is signature-less so the neutralized date should be whatever date the ransomware is released. Now obviously no software is 100% but for the most part RO can handle the majority of ransomware as it comes out.

But I understand your point. A website refresh is on our to-do list which will make it more informative of RO's capabilities.

 

[cruelsister]

Guys- I came to my senses and will be publishing the RansomOff vs RAT video tonight before I go out. This will be for a single RAT sample but will indeed demonstrate the HIPS.

Plus the song is too pretty to waste...

Correction to a previous post above- Although RansomFree did indeed stop BadRabbit and the initial NotPetya malware that I tried, my cat re-coded NotPetya (Ophelia is such a bitch) and RansomFree failed.

 

[Lightning_Brian]

We released it back in March so a few months old but always constantly evolving and improving.

@HeiDef Nice! I'll be putting this software to test in my virtual machine sometime soon. I'm really liking everything I'm seeing thus far. I'm quite excited about this software.

@cruelsister Thanks for publishing the videos. Nicely done!

 

[paulderdash]

... that I could have been wrong ...

God forbid! Ophelia is clearly on your side .

 

[codswollip]

@Trickster GUI interface is like a girl.
SHvFl like this girl but you like that girl.
Is your girl ugly? NO
IS @SHvFl GF ugly? Nah
I mean it's about Tastes:notworthy:i like this Gui but another one may dislike it

Agree 100%.

I seldom interface with the GUI. Set and forget. And should ransomware raise its head, I shan't complain of how my rescuer clothes herself.

 

[HarborFront]

@HeiDef

Your website says RansomOff detects and defeats the latest threats with Next-Gen defense by using machine learning techniques to evaluate and stop threats in real-time, even unknown ones.

Heilig Defense

So do you consider RansomOff as a TRULY Next-Gen security software?

Thanks

 

[HeiDef]

@HeiDef

Your website says RansomOff detects and defeats the latest threats with Next-Gen defense by using machine learning techniques to evaluate and stop threats in real-time, even unknown ones.

Heilig Defense

So do you consider RansomOff as a TRULY Next-Gen security software?

Thanks

Our other security product, Correlate, uses ML techniques. RansomOff does not. But I can see how the website could confuse. I'm not sure if the term next-gen has a standard definition but I've generally taken it to mean a signature-less solution able to handle new and emerging threats. In that case, RansomOff fits that definition. So depending on how you define next-gen, your mileage may vary.

 

[plat1098]

With the addition of the new HIPS settings in the soon-to-be-released version, all of the things that RO detects can be blocked at the point in time of notification.

You got HIPS coming up? Count me in. If successful, this may replace some redundant and therefore unnecessary software and settings. I'll be watching.

 

[bjm_]

Please do not install RansomOff at this time if you have Secure Boot enabled.
?
isn't there a real security advantages to having Secure Boot enabled

Edit:

@shmu26 Not all Windows 10 w/ secure boot has the issue but only more recent updates (1607+). Either way, we are getting the drivers cross signed for this release so there shouldn't be any boot issues in the future. #13

 

[boredog]

@cruelsister Thanks for publishing the videos. Nicely done!

Where is the new video link posted?

 

[paulderdash]

Please do not install RansomOff at this time if you have Secure Boot enabled.
?

Yikes, I wasn't even aware of this, but I haven't had a problem on my old Dell XPS with Win 10 Pro x64 v1709 16299.19 with Secure Boot enabled.

 

[shmu26]

Yikes, I wasn't even aware of this, but I haven't had a problem on my old Dell XPS with Win 10 Pro x64 v1709 16299.19 with Secure Boot enabled.

I have two windows 10 machines, and one gives me stern warnings when the drivers are not co-signed by MS, while the other machine is more lenient. I don't understand why.
But if it works, it works.

 

[HeiDef]

I have two windows 10 machines, and one gives me stern warnings when the drivers are not co-signed by MS, while the other machine is more lenient. I don't understand why.
But if it works, it works.

Drivers must be co-signed by Microsoft for Windows 10 in version 1607 or greater except in these three situations.

• The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
• Secure Boot is off.
• Driver was signed with cross-signing certificate issued prior to July 29th 2015.