App Review TEMASOFT Ranstop handles over-the-network ransomware attack


CalinGhibu (From TEMASOFT, Thread author, Developer, joined Mar 15, 2017):
In this scenario, the ransomware attack comes over the network via mapped drives. There are two computers involved:
- one running the Satana variant, without any protection installed and having a mapped drive to the second computer;
- the second computer has TEMASOFT Ranstop installed, with protection enabled.

The ransomware sample is a Satana variant (similar to Petya). VirusTotal details here: Antivirus scan for 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96 at 2017-03-22 04:54:55 UTC - VirusTotal
The OS of both machines is Windows 10.

This use case is important because ransomware loves mapped drives. Most start to encrypt those along with the local drive because they know they are reaching beyond the infected machine. Here are the challenges for the security products in this case:
  • There is no malicious code running on the machine having the anti-ransomware solution installed (on the protected computer);
  • The remote encryption, started on the infected machine, is carried out on the protected machine by system processes through file operations similar to the ones that are used by employees;
  • The infected computer has no protection, meaning that the ransomware attack over the network is persistent and takes place for as long as the ransomware finds files to encrypt and a network connection is available.
TEMASOFT Ranstop detects the over-the-network attack carried out from the infected machine. It alerts the user and logs an incident in the central console. Even though it cannot stop the system process, which does the actual encryption, it still recovers the affected files automatically. Most ransomware will not attempt a second encryption. If it happens, recovery will take place again. In order to stop the attack completely, TEMASOFT Ranstop needs to be configured to disable the network interface when an incident is detected. That way, the network connection is cut and the remote encryption stops.
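The over-the-network pattern described in this post (system processes on the protected host performing ordinary-looking file operations on behalf of a remote client) is also visible in the file server's own share-access audit trail, and a defender can key on it there. The script below is an added example and not TEMASOFT's or Ranstop's code: it runs a read-then-replace heuristic over constructed, pipe-delimited renderings of Windows Security event 5145 (detailed file share access). The field layout, the thresholds and the sample lines are all this example's assumptions. It reports the remote client address, which is the useful pivot here because the malicious process lives on the unprotected source machine, not on the server that sees the writes.

```python
"""Flag a remote SMB client that rewrites many files on a share as
'<original>.<new suffix>' (or deletes originals it just read) inside a short
window. Heuristic, thresholds and log layout are this example's assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back per remote client (assumed value)
MIN_TOUCHED = 8                  # distinct files changed before alerting (assumed)
MIN_CHURN_RATIO = 0.5            # share of changes that look like encrypt-and-replace (assumed)


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    source: str    # IP address of the client issuing the SMB request
    account: str
    target: str    # path relative to the share root
    access: str    # ReadData, WriteData or DELETE


def parse_line(line):
    """Parse one constructed, pipe-delimited rendering of event 5145.
    Returns None for other event IDs or malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 7 or parts[1] != "5145":
        return None
    ts, _, source, account, _share, target, access = parts
    return ShareAccess(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       source, account, target, access)


def detect(lines):
    """Return {source_ip: alert dict} for clients whose recent share activity
    matches the encrypt-and-replace pattern. One alert per source."""
    alerts = {}
    history = defaultdict(deque)          # source -> accesses inside WINDOW
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = history[ev.source]
        q.append(ev)
        while ev.ts - q[0].ts > WINDOW:   # expire events older than the window
            q.popleft()
        if ev.source in alerts:
            continue
        reads = {e.target for e in q if e.access == "ReadData"}
        writes = {e.target for e in q if e.access == "WriteData"}
        deletes = {e.target for e in q if e.access == "DELETE"}
        # a write to "<path the client just read>.<suffix>" looks like an encrypted copy
        encrypted_copies = {t for t in writes if t.rpartition(".")[0] in reads}
        # deleting an original it just read completes the replacement
        removed_originals = deletes & reads
        touched = writes | deletes
        churn = len(encrypted_copies) + len(removed_originals)
        if len(touched) >= MIN_TOUCHED and churn / len(touched) >= MIN_CHURN_RATIO:
            alerts[ev.source] = {
                "account": ev.account,
                "first_seen": q[0].ts.isoformat(),
                "files_touched": len(touched),
                "encrypted_copies": sorted(encrypted_copies),
                "removed_originals": sorted(removed_originals),
            }
    return alerts


def constructed_log():
    """Constructed sample: alice edits two documents normally, while the
    unprotected host 10.0.0.9 (logged in as bob) encrypts photos over the
    mapped drive by read -> write '.locked' copy -> delete original."""
    lines = [
        "2017-03-22T10:00:01Z|5145|10.0.0.7|CORP\\alice|\\\\*\\Shared|reports\\q1.xlsx|ReadData",
        "2017-03-22T10:00:09Z|5145|10.0.0.7|CORP\\alice|\\\\*\\Shared|reports\\q1.xlsx|WriteData",
        "2017-03-22T10:00:40Z|5145|10.0.0.7|CORP\\alice|\\\\*\\Shared|reports\\notes.docx|WriteData",
        "2017-03-22T10:01:00Z|4663|10.0.0.7|CORP\\alice|-|C:\\temp\\x.tmp|WriteData",  # ignored: not 5145
    ]
    for i in range(12):
        t = 10 + i * 2  # two seconds per file, all inside one window
        path = f"photos\\img{i:03d}.jpg"
        for sec, tgt, acc in ((0, path, "ReadData"), (1, path + ".locked", "WriteData"), (1, path, "DELETE")):
            lines.append(f"2017-03-22T10:05:{t + sec:02d}Z|5145|10.0.0.9|CORP\\bob|\\\\*\\Shared|{tgt}|{acc}")
    return lines


if __name__ == "__main__":
    for src, info in detect(constructed_log()).items():
        print(f"ALERT remote client {src} ({info['account']}): "
              f"{info['files_touched']} files touched, "
              f"{len(info['encrypted_copies'])} encrypted copies, "
              f"{len(info['removed_originals'])} originals removed")
```

Run it directly to print the alert for the constructed burst. The heuristic keys on a write to "<path the client just read>.<new suffix>" followed by deletion of the original, so a variant that overwrites files in place without renaming would need a different signal (write volume per client, or the entropy of the data written); the window and thresholds are starting points to tune against the server's normal workload.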

 

CalinGhibu (From TEMASOFT, Thread author, Developer, joined Mar 15, 2017):
In that case, you can recover the files by first repairing the system, installing the product and using the restore functionality in TEMASOFT Ranstop to recover the original files. System restore can be tricky as it could lead to data loss (Ranstop backup folders and files).

If repair does not work for whatever reason – which is unlikely as the product protects the MBR – you can plug the HDD in another machine (or boot using another OS environment, e.g. WinPE from a USB flash drive), copy the backup folders to the newly installed machine, install TEMASOFT Ranstop and then use the restore functionality.
 

Amelith Nargothrond (joined Mar 22, 2017):
So from what I understood, the worst case scenario is moving the infected HDD or moving the Ranstop backup folders to a new installation/PC/VM. Good to know.

I also noticed that I cannot tamper, in any way, with the backup folders/files which Ranstop creates, while Ranstop is installed. This is intriguing. It's very well protected from common or even uncommon ways to edit/delete the contents of it. Very interesting, or I might say even reassuring. I read in the manual that this is protected by a driver. I will get back to this though.

So basically, what you are saying is that in the worst case scenario, if Ranstop fails to stop the attack, you can't lose your files.

Tried to install Ranstop on a Server 2016 which is configured as a file server, but I could not (found in the manual that it is not supported), so I used Win10 to try it out. Will there be a separate "server edition"?
 

cruelsister (joined Apr 13, 2013):
If I can make a suggestion- concentrate first on stopping ransomware before thinking about a Server version.

In a fast run through of your product I found the Backup/Restore functionality to be very good. In addition to the default protection afforded, the ability to add other file types as well as the ease in adding other directories for protection is well done. Also, the restore process, although not automatic, is quite easy to understand and implement.

However one must not lose sight that this is first an Anti-Ransomware application, and so it is important to differentiate it from well established backup/restore programs like Macrium. Personally I would rather restore a system that is ransomware infected by Macrium than go to the trouble of:

a. restoring trashed files with Ranstop, then
b. using a third party security application to remove any ransomware with persistence functionality,
c. and then cleaning up the trashed files.

And this is assuming that the ransomware was not Fortress class and also trashed my Office applications which may or may not have been protected.

The point of the above is that I found that bypassing Ranstop was a rather trivial matter and this must be fixed soonest. I would have done a video on the above findings but I'm out of town.

M
 

CalinGhibu (From TEMASOFT, Thread author, Developer, joined Mar 15, 2017):
@cruelsister

Hi M, many thanks for your comprehensive feedback, we really appreciate your time to look at our software and your contribution to the security community, on this forum and other resources.
Indeed, you are correct that this product is for combating ransomware. Its goal is not to compete with well-established backup or AV products. Such products have their well-defined roles and proven usability. The goal of the product is to stop ransomware as much as possible, and if something fails, to give user files (documents, images, etc) back to the victims.
It does not protect system files by default, as that is the job of backup products. It can be configured to do so, but it is beyond its purpose.
It brings value to backup products as it can give back important data, when it is caught by ransomware in-between incremental backups, and this as added functionality to the ransomware protection features.
Regarding bypassing Ranstop, can you please elaborate on what you mean? Have you bypassed it in the sense that you could damage the files it places in the safe vault? Also, if you shared with us a sample of fortress class ransomware, we would really appreciate it.
Thank you once again, and looking forward to more feedback.
 

Amelith Nargothrond (joined Mar 22, 2017):
In my test environment, the restore process was automatic in case of a ransomware attack. And also stopped the ransomware samples I used. Got to make time to test others as well.

I almost agree with @cruelsister; by design, it's best to restore the entire system, with all the partitions and data, if:
  1. you have an army of technicians available at any given time, to maintain and keep up-to-date (scheduled backups don't always work, you often have to maintain them <- this is my experience) and then restore if necessary, all those Macrium backups
  2. you have a lot of money to spend on Macrium licenses (my clients.. well, they don't); check their pricing plans
  3. you have a serious storage server(s) to handle multiple backups (full, incremental or differential) and store all that data (and also to protect it, as storage is vulnerable)
I personally prefer both. In an enterprise environment, I would use (and am using) Macrium for critical servers (as the server license is expensive) and use other solutions, like Ranstop or Appcheck, for workstations. But nevertheless I would install it on the server as well, if only to protect other PCs in the network, again, not to waste time restoring Macrium backups for more than the minimum number of PCs (if I could, but right now I don't, they don't support servers).

My dilemma as well, but I think I am choosing Ranstop, because they have backups with file versions (and they back up everything - configurable - after the install, not just when attacked). Though I think my second option would be Appcheck. I still need time to test.

By the way guys, are there any other similar apps out there? Proactive protection at kernel level + automatic backup + automatic restore?
 

codswollip (joined Jan 29, 2017):
While there is some advantage in retrieving WIP files not present in the recent image incremental, having done so, I would insist upon a full reimage of a previously infected machine as a matter of good security practice. Whether the advantage to recover files created/modified in that past 24 hours is a significant benefit, I'm uncertain.
 

Handsome Recluse (joined Nov 17, 2016):
@Amelith Nargothrond Rollback is different from Macrium although something to consider since it's easy and fast. I agree with you that the speed, ease of use and ease of micromanageability of this and Appcheck is better. Efficiency is after all a business and productivity need. Also this kind of app might actually be a thing. We have Ranstop and Appcheck now.
 

CalinGhibu (From TEMASOFT, Thread author, Developer, joined Mar 15, 2017):
@Telos, the advantage depends on the dynamics and the importance of the files. If you are a professional photographer and you have worked all day to wrap up your latest event for delivery, then got hit by ransomware sometime in the afternoon, yesterday's backups may not help.
Extending this to financial consultants, private medical practitioners or companies generating important information, the advantage obviously grows.

One point to bear in mind is that total system failure by ransomware whilst being protected by this product (or a similarly specialized tool) and an AV product of your choice (as we recommend) is highly unlikely in normal working conditions. The aim of such a combination is to decrease the odds of that happening from where it is (according to Osterman Research, in the US, ransomware has a 39% penetration rate when attacking businesses, most protected by normal anti-virus solutions) to just below 100%. It may be a pain to recover when that unlikely situation happens, and you are correct to suggest a full system restore at that point. Cool thing, in that case, is you get your documents back too if you need them.
 

Amelith Nargothrond (joined Mar 22, 2017):
> While there is some advantage in retrieving WIP files not present in the recent image incremental, having done so, I would insist upon a full reimage of a previously infected machine as a matter of good security practice. Whether the advantage to recover files created/modified in that past 24 hours is a significant benefit, I'm uncertain.

What about databases? I have a client, which is actually a medical institute with many critical servers with databases. If, by some disaster, I manage to lose 5 minutes of activity from their databases, I literally think they would run me over with a tramway.
 

Luke17 (joined Mar 19, 2017):
@cruelsister, can you please provide more details about your tests, i.e. how many samples you used and what the detection/blocking rate of Ranstop was. Also, if you ran multiple samples, did you run them at the same time?
Thank you.
 

codswollip (joined Jan 29, 2017):
> If you are a professional photographer and you have worked all day to wrap up your latest event for delivery, then got hit by ransomware sometime in the afternoon, yesterday's backups may not help.
> Extending this to financial consultants, private medical practitioners or companies generating important information, the advantage obviously grows.

I understand that in a commercial environment needs differ in contrast to individual users. My fundamental system security is through Comodo Firewall, Qihoo and optionally, VoodooShield, and I view my ransomware vulnerability as quite modest. If I lost files to ransomware, I'd be ticked, but not entirely immobilized having what is basically 12-hour image fall back.

I'm looking forward to 3rd-party challenges that demonstrate the effectiveness of your ransomware interception, and as a last resort, file restoration.
 

cruelsister (joined Apr 13, 2013):
Hi Guys- Sorry for the delay in response but I had to finish up my work in order to fly back home today. I hope to complete a video (I will) this weekend for publication early next week.

Calin- I did not mean to imply in any way that the backup files were trashed. Far from it! I found the system you employ to Backup and Restore compromised files to be excellent. Although one can never rule out a breach of this system, it would take a targeted attack and much work (even if it were possible). I feel the chance of anyone ever seeing such a breach to be non-existent in Real Life.

Luke- 1). as this preliminary test was my first experience with Ranstop, I did what I always do- acquire ransomware samples that are in wide distribution on a given day that have not shown up before. So no crappy script-kiddie stuff nor malware that is targeted at a small population is used. Mostly these are the malware files that are carried via exploits on infected pages or more commonly Bot distributed email attachments to the Masses.

2). Although I will never (ever) run malware samples simultaneously, sometimes I will run them sequentially. By this I mean that I will never run the second sample on the same machine until and unless the preceding sample has been stopped and is no longer active in any way. Also, obviously if a ransomware sample ever makes it through a new system will be used thereafter; but also occasionally the encryption process will be stopped, but the malware vector itself will still be active pounding away in vain- this case would also necessitate a new system.

(Minor Rant begins) But on this topic- I found it hilarious that a certain developer brought up the exact same point about their product which I trashed numerous times in the past. I actually lowered myself to do an Addendum video because of this. I've found that such jive-time arguments are often the last refuge for the coders of a sub-optimal application (Minor Rant Ends).

Harbor- Your point about a Ranstop and Appcheck comparison is an excellent one. I've been thinking about the same thing (Great Minds think Alike!!!) and am unsure how to implement it in a fair manner...

(Time to Fly)
 

Handsome Recluse (joined Nov 17, 2016):
> I understand that in a commercial environment needs differ in contrast to individual users. My fundamental system security is through Comodo Firewall, Qihoo and optionally, VoodooShield, and I view my ransomware vulnerability as quite modest. If I lost files to ransomware, I'd be ticked, but not entirely immobilized having what is basically 12-hour image fall back.
>
> I'm looking forward to 3rd-party challenges that demonstrate the effectiveness of your ransomware interception, and as a last resort, file restoration.
Can't blame people for striving for higher efficiency. Besides, just as relevant or maybe more is the home user's smaller target.
> Harbor- Your point about a Ranstop and Appcheck comparison is an excellent one. I've been thinking about the same thing (Great Minds think Alike!!!) and am unsure how to implement it in a fair manner...
>
> (Time to Fly)
Always the perfectionist?
 

HarborFront (joined Oct 9, 2016):
> Hi Guys- Sorry for the delay in response but I had to finish up my work in order to fly back home today. I hope to complete a video (I will) this weekend for publication early next week.
>
> Harbor- Your point about a Ranstop and Appcheck comparison is an excellent one. I've been thinking about the same thing (Great Minds think Alike!!!) and am unsure how to implement it in a fair manner...
>
> (Time to Fly)
Simple. Have the same number of work files on the system for them to infect and run both with the same ransomware samples. See who gets infected by what ransomware and the effectiveness of their file recovery.

Do a comparison video of both side-by-side. That'll be great.

Thanks
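A side-by-side comparison of the kind proposed in this post needs a reproducible way to state how many of the seeded work files came back intact. The harness below is an added example and not code from Ranstop, Appcheck or any other product discussed in the thread: it hashes a constructed corpus before the run, then classifies every file afterwards as intact, damaged, missing or extra (ransom notes, encrypted copies). The ransomware run and the product's restore step are both simulated in place, as labelled in the code, so the script runs offline; on a real test VM you would call build_manifest before detonation and assess after the product has restored what it can.

```python
"""Measure how much of a known file corpus survives (or is restored after)
a ransomware run: hash every file before, compare after. Constructed
harness for a side-by-side product comparison; not part of any product."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def assess(root, manifest):
    """Compare the corpus as it is now against the baseline manifest."""
    current = build_manifest(root)
    intact = [p for p, h in manifest.items() if current.get(p) == h]
    damaged = [p for p, h in manifest.items() if p in current and current[p] != h]
    missing = [p for p in manifest if p not in current]
    extra = [p for p in current if p not in manifest]   # ransom notes, encrypted copies
    return {
        "intact": intact, "damaged": damaged, "missing": missing, "extra": extra,
        "recovery_rate": len(intact) / len(manifest) if manifest else 1.0,
    }


def make_corpus(root, count=20):
    """Constructed work files with distinct, deterministic content."""
    for i in range(count):
        sub = Path(root) / ("docs" if i % 2 else "photos")
        sub.mkdir(parents=True, exist_ok=True)
        ext = ".docx" if i % 2 else ".jpg"
        (sub / f"file{i:02d}{ext}").write_bytes(f"work item {i}\n".encode() * 100)


def simulate_run(live, backup, hit, restored):
    """Stand-in for a ransomware run plus a product's restore step (constructed):
    every file in `hit` is overwritten in place with random bytes and a ransom
    note is dropped; files also in `restored` are then copied back from the
    side copy in `backup`, mimicking what an automatic restore would do."""
    for rel in hit:
        (Path(live) / rel).write_bytes(os.urandom(256))
    (Path(live) / "README_DECRYPT.txt").write_text("constructed ransom note\n")
    for rel in restored:
        shutil.copy2(Path(backup) / rel, Path(live) / rel)


def demo():
    """Full cycle in a temporary directory; returns the assessment dict."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "share", Path(tmp) / "backup"
        make_corpus(live)
        shutil.copytree(live, backup)        # pristine side copy for the simulated restore
        manifest = build_manifest(live)      # baseline taken before detonation
        hit = sorted(manifest)[:10]          # the run reaches the first ten files
        restored = hit[:8]                   # the product brings eight of them back
        simulate_run(live, backup, hit, restored)
        return assess(live, manifest)


if __name__ == "__main__":
    result = demo()
    print(f"intact {len(result['intact'])}, damaged {len(result['damaged'])}, "
          f"missing {len(result['missing'])}, extra {result['extra']}, "
          f"recovery rate {result['recovery_rate']:.0%}")
```

Running the same corpus and the same samples through each product and recording the assess output for each gives the like-for-like numbers the comparison needs; the extra list is worth keeping too, since leftover encrypted copies and ransom notes are part of the clean-up cost that a recovery-rate figure alone hides.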
 
