RansomFree: protect your PC against ransomware
RansomFree is a new free program for the Microsoft Windows operating system to protect your PC against ransomware attacks.
The program is fully compatible with 32-bit and 64-bit versions of Windows 7 and newer, as well as Windows server operating systems.
RansomFree needs to be installed on the target machine. The protection that it adds to the system is interesting, as it creates a number of files on the system that it monitors for changes.
The names of these files and folders use characters that sort them to the top of the directory listing. The idea is that ransomware enumerates files in that same order, so the planted files are the first ones the attack touches.
The company behind the product believes that this is the best proactive way to detect ransomware on a PC as early as possible.
The folder name at the very least seems to be randomized during creation, and this is probably also the case for the files that are placed inside the folders the program creates.
RansomFree places files in popular formats (docx, doc, sql, xls and so on) in the folder. These formats are often targeted by ransomware attacks because they usually hold personal or work-related data.
Cybereason researched more than 40 ransomware strains, including Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber and identified the behavioral patterns that distinguish ransomware from legitimate applications. Whether a criminal group or nation created the program, all ransomware functions the same way and encrypts as many files as possible. These programs can’t determine what files are important so they encrypt everything based on file extensions.
The RansomFree process runs in the background and monitors the folder and files for changes. It will block any process that modifies folders or files that it monitors.
So, the theory is that it can block ransomware from infecting "real" files on the system through the use of honeypots. Whether that is really the case depends largely on the ransomware and how it operates.
The guys over at Bleeping Computer tested the security program against a limited set of ransomware -- Locky, Cerber and Globe -- and the program managed to stop the attacks dead in their tracks.
Cybereason, the company behind RansomFree, states that the program protects against more than 40 different ransomware families, including stand-alone ransomware programs as well as so-called fileless ransomware, which uses vulnerabilities and legitimate Windows tools such as PowerShell to carry out attacks.
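As an added illustration of the honeypot mechanism described above (example code written for this page, not RansomFree's own implementation, whose internals are not published here), a small Python canary-file monitor: it creates a randomly named decoy folder that sorts ahead of ordinary folders, fills it with decoy files in the extensions the article lists, records a SHA-256 baseline, and reports any modification, rename or unexpected new file. The extension list, the "!" prefix and the random names are assumptions; the example only detects and does not block the offending process as RansomFree does.

```python
import hashlib, secrets, tempfile
from pathlib import Path

# Extensions the article names as commonly targeted (constructed, hypothetical list).
CANARY_EXTS = ("docx", "doc", "xls", "sql", "jpg", "pdf")

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def create_canaries(root: Path) -> dict:
    """Create a randomly named decoy folder that sorts ahead of ordinary folders
    ('!' is 0x21, below digits and letters in ASCII order), fill it with decoy
    files of commonly targeted extensions, and return a path -> SHA-256 baseline."""
    folder = root / f"!{secrets.token_hex(4)}"   # assumed naming scheme
    folder.mkdir()
    baseline = {}
    for ext in CANARY_EXTS:
        decoy = folder / f"{secrets.token_hex(4)}.{ext}"
        decoy.write_bytes(secrets.token_bytes(512))   # unique, random content
        baseline[str(decoy)] = _sha256(decoy)
    return baseline

def check_canaries(baseline: dict) -> list:
    """One alert per decoy modified, removed or renamed, plus one per unexpected file."""
    alerts = []
    folder = Path(next(iter(baseline))).parent
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"deleted or renamed: {p.name}")
        elif _sha256(p) != digest:
            alerts.append(f"content modified: {p.name}")
    known = {Path(p).name for p in baseline}
    if folder.is_dir():
        alerts += [f"unexpected new file: {p.name}" for p in folder.iterdir() if p.name not in known]
    return alerts

def demo() -> tuple:
    """Clean check, then a check after two decoys are overwritten and renamed (constructed tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = create_canaries(Path(tmp))
        folder_name = Path(next(iter(baseline))).parent.name
        clean = check_canaries(baseline)
        first, second = (Path(p) for p in list(baseline)[:2])
        first.write_bytes(b"\x00" * 512)               # contents replaced
        second.rename(second.with_suffix(".locked"))   # renamed to a new extension
        return folder_name, clean, check_canaries(baseline)

if __name__ == "__main__":
    print(demo())
```

A real monitor would poll `check_canaries` on a timer or hook a file-system watcher, and would raise the alert before the encryptor moves past the decoy folder into real data.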
The program supports detection on local drives but also on network drives.
Cybereason created a demonstration video that shows how RansomFree operates.
Closing Words
Security companies left and right have started creating anti-ransomware solutions to better protect PCs against ransomware threats. The methods they use differ, and so does their effectiveness. It is best to complement anti-ransomware tools with other means, including backup creation and resident security solutions such as a properly configured firewall.
“These programs can’t determine what files are important so they encrypt everything based on file extensions.”
I imagine that’s true, but I also imagine they could find important files based on many other factors, such as location, size, and system history info.
Also, if these programs just target file extensions, then I could just change my file extensions, such as from somedumbmovie.mkv to somedumbmovie.phrak.
This trick at least works for video as the file still plays in VLC and such. Regardless, I imagine most ransomware would not be fooled by this method, but IDK.
We’re using this software on our server to detect and block ransomware.
The tool is freeware and available in German and English.
You’ll find it here. Needs .NET 3.5
http://litschi.de/edv-service/software-2/ranosom
I am concerned it is regularly connecting to the internet. Why? Will it not work unless that is allowed? I have blocked it via my firewall.
Not a sufficiently well researched article on this new program to persuade us that it’s genuinely effective & safe compared to other options.
Doesn’t protect other drives than C:
Tested that, and files on drive D: get encrypted.
I’m not seeing the “constantly connected” reported by clas.
Every ten minutes cybereasonservicehost.exe connects for a 4.5kb exchange to s3-1.amazonaws.com or an IP in Amazon’s 52.192.0.0/11 and 54.230.0.0/15 CIDRs. (Remote points may differ depending on user locale.)
• My concern is Cybereason’s use of two unsigned Amazon libraries, AWSSDK.S3.dll and AWSSDK.Core.dll. And RestSharp.dll from the “RestSharp Community,” also unsigned.
Otherwise, a wait-and-see on my Win10 test box.
Looks promising if it can play well with others in a primary/layered schema (i.e. with Bitdefender Internet Security and WinPatrol WAR.)
Thanks Martin!
Forgot to mention: Cybereason’s libraries are signed SHA-1 but FWIW Symantec.
Hi Martin. As much as I like the premise of this program, after reading its disclaimers, I find that it is constantly connected in real time to its own servers monitoring my computer. To me that seems like it’s spyware itself…watching everything I do and recording it. So for now, until I learn more about it, I will stick with the standard stuff, always sandboxed and somewhat reasonable in what I do.
As always, thanks for the info. clas
Am I dreaming, or did my comment accidentally vaporize? =l
Isn’t enough using Sandboxie and a firewall with HIPS?
Question:
How does it go exactly with ‘Sandboxie’ (haven’t used such b4)? I just install it, then choose to run Chrome/FF in it and it’ll basically provide me that desired safe environment?
Does it affect performance, at all??
I already got slowness issues due to old & low specs, can’t afford anymore slowness on my pc :l
thanks!
Other than that, i do use common sense as much as possible =)
Yes. It is enough with today’s technology. I’ve used Sandboxie on six computers for over five years. It has contained all forms of malware that were picked up unknowingly on the web and webmail. When it is locked up, a hard shutdown and restart brings back a clean system. I set Sandboxie to always delete the sandbox, and use CCleaner as a backup cleaner. Sandboxie is awesome, it just has to be used all the time. With the paid version I have Chrome and Opera sandboxed automatically. Only Edge really can’t be fully sandboxed.
This will work until the ransomware companies add the honeypot files to their exclude lists. Of course, they own copies of software like this.
Right, the question is, will they put in the effort to bypass this security program that is probably only going to get installed on thousands of PCs? I can see them doing this for widely spread software but probably not for something unless it becomes a hit.
I think a major point is the one the article starts with,
“The folder name at the very least seems to be randomized during creation, and this is probably also the case for the files that are placed inside the folders the program creates.”
From there on, cat and mouse will continue the battle.
At this time I’m relying on HitmanPro.Alert to keep the machine protected from cryptoware as well as other intruders.
Cross-fingers.
8200 Whoot! Whoot!!
P.S. Would you recommend all to use it Martin?
=]
I don’t think it is necessary if you have a proper security setup and use common sense. But your Uncle Jim, whose computer seems to get infected with ransomware every other week or so, he may benefit from it.
Sir, your review is very dated. RansomFree not avail, Litschi - no English. You seem to completely miss the detail that all ransomware must call home for the payload. Firewalls seem able to stop the request unless given permission. These omissions cause all of you reviewers to look like promoters/shills. Am I missing something??? A big problem is, the firewalls don’t supply the source info for the file.
thanks for your efforts.
On my machine I have SyncBackFree and it is set to back up My Documents at 5 am every day. This program prevents that from happening, as well as a manual backup. I recommend BitDefender Anti-Ransomware. I haven’t noticed if it has any other bad effects on other programs. I removed it and put BitDefender back in.