Today I discovered a new tool in the wild; it is called RansomFree and is made by cybereason.com.
Here is an article by TheHackerNews.com in which they describe the program and also have a demo video embedded.
What are your thoughts, could that be true and keep up in the arms race? I am doubtful as they can't be the only ones on the market that discovered magic ;)
Probably @wendell has heard of it and has an opinion too? - if we (the forum) conclude it's a viable tool, I want to go forward and test it and then promote it to the folks I do IT assistance for.
It's a good idea, but it could be kind of annoying if it flags all encryption until the user says it's okay to continue. I was thinking you could run a program that just keeps all keys it finds in memory so you can unlock stuff if you get infected, but there's a lot wrong with that idea.
If you can just stop the system from communicating with the control server, that will prevent encryption, as it needs to exchange the keys. But that would rely on either being able to detect the traffic based on patterns or knowing the IP of the servers.
You can use a combination of known ransomware process signatures and high sudden disk usage. And create an anti-virus like ransomware detector. And stop it before all your stuff is encrypted.
That, despite also endangering all your legitimate operations, will be defeated by the common practice of ransomware forcing a reboot of the machine and faking chkdsk.
Problem, who on earth will ever maintain a private white list?
And what if the program locally generates the key, encrypts and just then fails to transfer it? Then not even money would get your data back... given the criminals stand by their word.
So you think it's a legitimate approach that could work and not just one more piece of vaporware?
Well yeah, but currently that's not how they work: if they can't connect to the control server they don't do anything.
It's something of an impossible task to block every bad IP, but blocking known bad hosts and things like the Russian Business Network would go a long way to reducing your risk. Not to mention that you can look at the ransomware and see what servers it tries to connect to, so it shouldn't be that hard to maintain a list of known control servers.
Oh, I was not aware of that - curious, interesting approach.
Guys, seriously, does this tool work? I need to know, as I backed up family photos for my ex-fiancee when somehow she or my son downloaded something and it locked all sorts of files down with certain extensions. @wendell can you please chime in here on this? I don't want to install some sort of program that is sketchy and have it do more damage.
I agree, there is a lot of vaporware around! But it can be a step in the complete solution.
I checked their website. It doesn't decrypt stuff, so you should find another tool for that.
Quote from their website:
If you are a victim of a ransomware, and your files are currently encrypted, our advice for you is to contact the authorities to determine next steps. RansomFree is designed to protect against ransomware infection. It is not able to decrypt files that have already been encrypted by ransomware.
It would be nice if it installed its own ransom instead, and if one exists already, replaced it with a new one.
The setup routine at least is not suspicious at VirusTotal - so at least it isn't itself a known virus XD
The tool here does NOT work after the fact! It claims to prevent an encryption from happening.
You should open a new thread with much more info about what struck your data - did you get a ransom notice, what kind of extension is it, which machine is infected, what have you done to stop it from spreading ....
I have a VM now, still searching for a live copy of a ransomware though - all samples I had on the mailserver I recently removed - so I have none currently.
Oh nice, let me (us) know how it goes. Looking forward to your findings!
OS boot drive with separate data in triple redundancy. Not adding another dodgy piece of resource hog.
Well so far what I see, it is placing bait files all over the system and monitors them. So if they get touched it stops the process that's doing that and alerts you.
I totally get you - but I do not want it primarily for myself, it's more for the "we do not know what we are doing" type of users (friends) I support (unpaid) XD
It would be nice if it did what they said. I am not willing to test that one :) Plus bait files seem a bit of a waste? How about just straight up alerting the user and stopping any/all attempts to encrypt anything. Just a stupid question?
How do you detect an encryption operation reliably, except for a file being changed that should not be changed?
I guess that would be the biggest question? How would you detect an encryption process? All I have is resource usage. You would think that encryption as a whole has some unique processes that signify the process type? Not a computer scientist, just something to ask.
I think, without knowing the inner workings of encryption enough, that the bait files are the most reliable way - system load, you can not block everything that loads your system; disk access, you can not block everything that's using your storage; watching the memory, how to determine what is an encryption key, and if so how to say if it's malicious or not?
I think the moral of the story is, have reliable backups, and check the internet for a decryption key as a last resort.
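To make the two ideas in this thread concrete (the bait-file mechanism described a few posts up, and the question of how you would tell an encryption operation from an ordinary file change), here is an added example that is not part of the thread and not RansomFree's code. It plants a few bait files, records a baseline hash of each, and on a later check reports any bait file that was deleted or modified; for modified files it measures the Shannon entropy of the new contents, since ciphertext sits close to 8 bits per byte while documents sit far below. The file names, the bait text and the 7.0 bits/byte threshold are constructed assumptions, and `simulate_encryption` is a stand-in that just overwrites a file with random bytes.

```python
"""Canary (bait) file monitor with an entropy heuristic.

Added example for illustration only; not RansomFree's implementation.
Uses only the Python standard library.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed bait content: plain text, so its byte entropy is low.
BAIT_TEXT = b"Quarterly budget spreadsheet - do not delete.\n" * 40
# Constructed file names chosen to look like ordinary user documents.
BAIT_NAMES = ["~$budget.xlsx", "passwords.txt", "family_photos_index.doc"]
# Assumed threshold in bits per byte; real ciphertext is close to 8.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_bait(directory: Path) -> dict:
    """Write the bait files and return a baseline {path: sha256 hex digest}."""
    baseline = {}
    for name in BAIT_NAMES:
        path = directory / name
        path.write_bytes(BAIT_TEXT)
        baseline[path] = hashlib.sha256(BAIT_TEXT).hexdigest()
    return baseline


def check_bait(baseline: dict) -> list:
    """Return (file name, verdict) for every bait file that no longer matches."""
    findings = []
    for path, digest in baseline.items():
        if not path.exists():
            findings.append((path.name, "deleted"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings.append((path.name, "modified, high entropy (likely encrypted)"))
        else:
            findings.append((path.name, "modified, low entropy"))
    return findings


def simulate_encryption(path: Path) -> None:
    """Constructed stand-in for a file being encrypted in place."""
    path.write_bytes(os.urandom(len(BAIT_TEXT)))


def demo() -> list:
    """Plant bait, touch it in three different ways, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_bait(root)
        assert check_bait(baseline) == []          # clean baseline
        simulate_encryption(root / "passwords.txt")  # looks encrypted
        (root / "family_photos_index.doc").unlink()  # deleted
        (root / "~$budget.xlsx").write_bytes(BAIT_TEXT + b"edited by a user\n")
        return check_bait(baseline)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

The example polls on demand; a real tool would subscribe to file-system change events and stop the writing process immediately, which is the part the thread says RansomFree does. The entropy check is a heuristic: a legitimate edit of a bait file reports as low entropy, whereas a file overwritten with ciphertext (or a compressed archive) crosses the threshold, so in practice it is combined with the "nobody should ever touch this file" rule rather than used alone.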
Oh, and don't click on shady download links.