App Review RANSTOP against ransomware


cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,140
Harbor- About the Backup/Restore functionality of RanStop- It does make a backup of whatever directories you want it to (default being the Users space) as well as various file extensions that are not already on a rather extensive list. But if the auto restore function does not kick in, which will happen if Ranstop is confronted by a non-typical encryption routine, stuff can be restored quite easily by choosing them under the Recovery tab and clicking Restore. Even I can't criticize this process and I'm bitchy from Jet-Lag.

Calin- that was a pretty significant protection upgrade in the new (24.3) build. Give whoever was responsible a raise in pay.

That being said, back to bed...
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Definitely in this video the backup mechanism is indeed effective, although in terms of detection everything is hit and miss.

You cannot blame the developer if the protection concept is not as responsive compared to others, since it will scan on signatures or generic detection for the related ransomware strain.

+ Some of the ransomware have delayed execution in order to halt the scan operation of the security product.
 

erreale

Level 9
Thread author
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
Definitely in this video the backup mechanism is indeed effective, although in terms of detection everything is hit and miss.

You cannot blame the developer if the protection concept is not as responsive compared to others, since it will scan on signatures or generic detection for the related ransomware strain.

+ Some of the ransomware have delayed execution in order to halt the scan operation of the security product.

I never blamed anyone about the RANSTOP operation. I do not dare to criticize the developer.
 

CalinGhibu

From TEMASOFT
Verified
Developer
Mar 15, 2017
58
Revenge was detected as a suspicious mass delete operation because unlike others, it performs a simple delete operation (not a safe delete operation) similar to cases where a user simply deletes multiple files from Windows Explorer. It is good to know that the files were recoverable (the point of this software).
With the build on Friday (your install should notify you that there is an updated build), Revenge is detected as ransomware activity and stopped.

Thank you once again for these tests!!!!
 

CalinGhibu

From TEMASOFT
Verified
Developer
Mar 15, 2017
58
@cruelsister thank you, message relayed over to devs via email. :)
Regarding the tests, we appreciate all of them. If there are comments or concerns, we will post them. I think tests are very important for improving. Any vendor should be concerned about improving their product.
@erreale Criticism is also welcome, if provided in fairness, so no problem there :) We do not claim to be perfect, but we are committed to improve.
@jamescv7 Thanks for the feedback, you are correct regarding delayed execution.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,140
James- I'm really starting to get very annoyed at the Sleep delays; I don't know if you can confirm, but I've seen a great deal more of these than VM/Environmentally aware samples lately. Personally I always was fearful that the Hats would finally realize that this method was more efficient and equally effective- it also makes preliminary analysis more time consuming and is really pissing me off- and they should know better than to piss me off...

Calin- First off, all Revenge variants are not alike (hint). Second, I wonder as the development process of your product is ongoing if you would consider a test using the classics from the past (ransomware acting by diverse mechanisms) both valid and helpful. I normally like to use fresh samples, but am wondering if there would be a point in doing this. Third (and final)- I've co-opted a recipe for Chicken 65 where I marinate the chicken in a Louisiana Hot sauce for 24 hours before proceeding. It's really kick-ass (I'm not from India so you have to let me slide).

M
 

CalinGhibu

From TEMASOFT
Verified
Developer
Mar 15, 2017
58
James- I'm really starting to get very annoyed at the Sleep delays; I don't know if you can confirm, but I've seen a great deal more of these than VM/Environmentally aware samples lately. Personally I always was fearful that the Hats would finally realize that this method was more efficient and equally effective- it also makes preliminary analysis more time consuming and is really pissing me off- and they should know better than to piss me off...

Calin- First off, all Revenge variants are not alike (hint). Second, I wonder as the development process of your product is ongoing if you would consider a test using the classics from the past (ransomware acting by diverse mechanisms) both valid and helpful. I normally like to use fresh samples, but am wondering if there would be a point in doing this. Third (and final)- I've co-opted a recipe for Chicken 65 where I marinate the chicken in a Louisiana Hot sauce for 24 hours before proceeding. It's really kick-ass (I'm not from India so you have to let me slide).

M

:) Indeed, they are not all the same (our colleague here who tested first had sent us the samples - grazie ancora @erreale ). Yes, we tested first with the classics and did ok with CryptoLocker and Locky, as well as other samples (I have a list somewhere - I will share it as soon as I find it). At that point we had had issues with Petya - serious issues, one month before we released the beta. We addressed the issues at that point, thus covering for other similar (MBR attacking) ransomware. Then there are the replacers that caused us some issues with their relatively low fingerprint in terms of file access patterns (they simply read stuff and write stuff to files - no encrypted containers, no delete operations, etc.). Those were the last category to be addressed.
The big challenge for us is finding a balance. Our detection engine can be throttled. We can make it more or less aggressive when asserting process/program activity. However there needs to be a balance so that we avoid false positives. More aggressive settings start to backfire when certain legitimate backup / updating applications do their jobs.
I think it makes sense to use classic samples for tests because of the following reasons:
- nowadays you can rent ransomware-as-a-service and deliver your own attack. For 60 bucks or sometimes even for free (but for a % off the ransom) you simply go to a web page, select your sample, packaging, obfuscation code and run your own phishing campaign. Most of those are still based on classic samples, although for some versions there are decryption tools available. So we are going to see such attacks still, and prevention is a better option than recovery;
- the classics define several categories of ransomware so these make up a good starting point;

Bon appétit! Perhaps you can share the recipe. :)
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
:) Indeed, they are not all the same (our colleague here who tested first had sent us the samples - grazie ancora @erreale ). Yes, we tested first with the classics and did ok with CryptoLocker and Locky, as well as other samples (I have a list somewhere - I will share it as soon as I find it). At that point we had had issues with Petya - serious issues, one month before we released the beta. We addressed the issues at that point, thus covering for other similar (MBR attacking) ransomware. Then there are the replacers that caused us some issues with their relatively low fingerprint in terms of file access patterns (they simply read stuff and write stuff to files - no encrypted containers, no delete operations, etc.). Those were the last category to be addressed.
The big challenge for us is finding a balance. Our detection engine can be throttled. We can make it more or less aggressive when asserting process/program activity. However there needs to be a balance so that we avoid false positives. More aggressive settings start to backfire when certain legitimate backup / updating applications do their jobs.
I think it makes sense to use classic samples for tests because of the following reasons:
- nowadays you can rent ransomware-as-a-service and deliver your own attack. For 60 bucks or sometimes even for free (but for a % off the ransom) you simply go to a web page, select your sample, packaging, obfuscation code and run your own phishing campaign. Most of those are still based on classic samples, although for some versions there are decryption tools available. So we are going to see such attacks still, and prevention is a better option than recovery;
- the classics define several categories of ransomware so these make up a good starting point;

Bon appétit! Perhaps you can share the recipe. :)
Sorry for hijacking that discussion of you 2, had a quick (and 1st) test of the software today, attracted by the vid reviews, the discussions on the product due to that and @cruelsister stating that the latest build has improved a lot.
Did an impressive job (inside ShadowDefender containment) against both MBR ransomware specials and the more common variants. Only Matrix Ransomware wasn't stopped instantly, just after harming some files (recovery wasn't an issue at all). However did not try any Screenlocker.

Looking forward to both the list you named and @cruelsister 's vid demonstration on your product.

@cruelsister your recipe sounds delicious indeed!
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,140
Regarding the MFT/MBR lockers, one really has only the Petya's (Red, Green, Yellow) and Satana 1 and 2. Last week for giggles I ran them all, and the Satana's were outright blocked (except Satana 2 was able to drop a ransom text box into startup; but this is so trivial that I'm embarrassed to write it). Of the Petya's, Red and Yellow just pounded away in RAM totally in vain, and Greenie caused an almost immediate system reboot. But on no occasion did any system damage present. So you guys have these types covered.

DR- The difference in the builds was massive. When considering the ransomware that is actually being pushed out currently Ranstop improved dramatically. But by using legacy (no longer in general circulation) ransomware for a test I often obsess over whether I'm being helpful in development or just being nasty.

Whatever, all this talk of Indian products makes me hungry so it's time for a trip to my favorite restaurant, Shiva's Revenge (Ah, Vindaloo!!! Yum, yum gimme sum...).
 

erreale

Level 9
Thread author
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
Revenge was detected as a suspicious mass delete operation because unlike others, it performs a simple delete operation (not a safe delete operation) similar to cases where a user simply deletes multiple files from Windows Explorer. It is good to know that the files were recoverable (the point of this software).
With the build on Friday (your install should notify you that there is an updated build), Revenge is detected as ransomware activity and stopped.

Thank you once again for these tests!!!!

How can I get the latest updated build?
Thanks
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,023
For 1, we use file access pattern analysis to detect ransomware, so we detect any ransomware, not just particular families.
For 2 I do not know, I will ask.
Is file access analysis the same as behavior analysis or is it a subset of it? Or maybe you can elaborate more on its analysis?

Thanks
 

CalinGhibu

From TEMASOFT
Verified
Developer
Mar 15, 2017
58
Is file access analysis the same as behavior analysis or is it a subset of it? Or maybe you can elaborate more on its analysis?

Thanks

File access analytics is complementary to user behavior analysis (or a subset of application behavior analysis) focused on file activity. Both UBA and ABA may include file access monitoring to different degrees. However, the file-related stuff usually included is based on basic file operations - the operations reported by the operating system (read, write, change attributes). Some SIEM solutions include event-log-based monitoring (object access auditing where object type = file) to meet the same goals.

From our perspective, the above is not enough to deliver a use case related to ransomware because of the limitations in terms of file actions being reported by the operating system.

Hence we implemented a system which collects the above basic file operation activity in kernel mode, and on top of it, we have added an in-memory correlation engine that gets fed the information from the driver. Based on it and other parameters (like checksums, etc.) it is able to ascertain when malicious file activity occurs (identify more complex file operations such as content replacement, file copy - seen as a read/write operation, file archiving, etc.). Next there is functionality to control those processes that exhibit such behavior, protect the files, recover, etc.
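To make the correlation idea concrete, here is an added illustration (my own code, not RanStop's or TEMASOFT's engine) of how basic per-process file events, the kind a kernel-mode file system driver reports, can be correlated into the higher-level patterns this thread discusses: a simple mass delete (how Revenge was first caught), the read-then-overwrite "replacer" pattern with no container file and no delete, and the throttle that Calin describes, where a more aggressive profile catches more but starts flagging a legitimate backup tool that writes many compressed (high-entropy) files. The thresholds, the entropy cut-off, the correlation window and the event stream are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import math

HIGH_ENTROPY = 7.0   # bits per byte; ciphertext/compressed data sits near 8.0 (assumed cut-off)
WINDOW = 5.0         # seconds over which deletes by one process are correlated (assumed)

# Throttle profiles (assumed values): the more aggressive the profile, the fewer
# correlated operations it takes to flag a process.
THRESHOLDS = {
    "low":    {"deletes": 20, "replacements": 10, "entropy_writes": None},
    "medium": {"deletes": 10, "replacements": 5,  "entropy_writes": None},
    "high":   {"deletes": 5,  "replacements": 3,  "entropy_writes": 6},
}

@dataclass
class FileEvent:
    ts: float          # seconds
    pid: int
    op: str            # "read" | "write" | "delete"
    path: str
    data: bytes = b""  # payload of a write (constructed for the sample)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(events, aggressiveness="medium"):
    """Correlate basic file operations per process; return {pid: [reasons]}
    for processes whose pattern crosses the chosen profile's thresholds."""
    th = THRESHOLDS[aggressiveness]
    state = defaultdict(lambda: {"deletes": deque(), "max_deletes": 0,
                                 "replacements": 0, "entropy_writes": 0,
                                 "read_paths": set()})
    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.pid]
        if ev.op == "read":
            st["read_paths"].add(ev.path)
        elif ev.op == "write":
            if shannon_entropy(ev.data) >= HIGH_ENTROPY:
                st["entropy_writes"] += 1
                # read followed by a high-entropy overwrite of the same path:
                # the "replacer" pattern (no encrypted container, no delete)
                if ev.path in st["read_paths"]:
                    st["replacements"] += 1
        elif ev.op == "delete":
            st["deletes"].append(ev.ts)
            while ev.ts - st["deletes"][0] > WINDOW:   # drop deletes outside the window
                st["deletes"].popleft()
            st["max_deletes"] = max(st["max_deletes"], len(st["deletes"]))
    verdicts = {}
    for pid, st in state.items():
        reasons = []
        if st["max_deletes"] >= th["deletes"]:
            reasons.append("mass delete")
        if st["replacements"] >= th["replacements"]:
            reasons.append("content replacement")
        if th["entropy_writes"] is not None and st["entropy_writes"] >= th["entropy_writes"]:
            reasons.append("bulk high-entropy writes")
        if reasons:
            verdicts[pid] = reasons
    return verdicts

# --- constructed sample event stream (not real telemetry) ---
CIPHERTEXT_LIKE = bytes(range(256))            # entropy exactly 8.0
PLAINTEXT_LIKE = b"quarterly report draft " * 12  # ordinary low-entropy text

def build_sample_events():
    ev = []
    # pid 100: replacer-style process, reads then overwrites six documents in place
    for i in range(6):
        ev.append(FileEvent(1.0 + i, 100, "read", f"C:/Users/a/Documents/doc{i}.docx"))
        ev.append(FileEvent(1.1 + i, 100, "write", f"C:/Users/a/Documents/doc{i}.docx", CIPHERTEXT_LIKE))
    # pid 200: simple mass delete, twelve files in just over a second
    for i in range(12):
        ev.append(FileEvent(10.0 + 0.1 * i, 200, "delete", f"C:/Users/a/Pictures/img{i}.jpg"))
    # pid 300: an editor saving three text files (low-entropy writes, benign)
    for i in range(3):
        ev.append(FileEvent(20.0 + i, 300, "read", f"C:/Users/a/notes{i}.txt"))
        ev.append(FileEvent(20.5 + i, 300, "write", f"C:/Users/a/notes{i}.txt", PLAINTEXT_LIKE))
    # pid 400: backup tool copying eight files into compressed archives elsewhere (benign)
    for i in range(8):
        ev.append(FileEvent(30.0 + i, 400, "read", f"C:/Users/a/Documents/doc{i}.docx"))
        ev.append(FileEvent(30.2 + i, 400, "write", f"D:/Backup/doc{i}.docx.bak", CIPHERTEXT_LIKE))
    return ev

SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for profile in ("low", "medium", "high"):
        print(profile, analyze(SAMPLE_EVENTS, profile))
```

Running it shows the balance problem directly: at "medium" only the replacer (pid 100) and the mass deleter (pid 200) are flagged; at "low" both slip through; at "high" the backup tool (pid 400) is flagged for bulk high-entropy writes even though it never overwrote or deleted anything, which is exactly the false positive a production engine has to tune away.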
 
