RansomFree - tool that claims it can stop ransomware before the bad happens

Which story? - the topic is not about (me) someone crying for help, it's about classification of a tool that claims to preemptively stop the threat.

Problem is - targeted phishing mails for HR personnel with a macro virus that assembles the virus, drive-by downloads caused by ads and 0-days, ... you cannot always blame it on the stupid user, not anymore. The time of "click me and accept the run-as" is sadly mostly over.

Back on topic - has ANYONE got a sample of any of the ransomware goodies for me to test?

Th3Z0ne,

A co-worker collects all forms of malware and keeps it on a locked USB and then runs it in a triple virtual environment. Anything in particular you're looking for?

Well, just some crypt-locker (any - more recent is preferred), preferably in an encrypted non-malicious state - so I can test RansomFree, and whether it really can stop it.

Or maybe he is interested in testing https://ransomfree.cybereason.com/ so we do not need to send malware around in addition to what's already creeping through the internets?

1 Like

So does anybody have a way to test this software?

I've read the full Q&A on their website to see how the tool works, and basically, it stops any program which is trying to encrypt something.

I've installed VeraCrypt and AxCrypt and tried to encrypt some files and folders, expecting that I would be stopped by the program (RansomFree).
Except it didn't stop me, which makes me unsure whether it's working correctly.

So if anybody finds/knows a way to test this software, please let me know!

If you do not touch its bounty/trap/honeypot files, which it spreads around the filesystem, it won't be triggered.
It has hidden files all over the place, which it closely watches for changes.

Sadly, without a cryptlocker in my possession at the moment I cannot test it, despite the VM being ready.

1 Like

I'm gonna load this up on a VM and check it.

This reminds me, @zoltan, weren't you in the discussion about the BitLocker bypass on Windows a few weeks ago? Where you could get a CMD during the PE patching? I couldn't get in with either our encryption method or with VeraCrypt.

It's triggered by a W10 in-place upgrade, so you can't trigger it yourself; it only works if there is a patch pushed by MS.
When you know it's going to push because of the restart message, you can trigger it by clicking "restart system now", and then you Shift-F10 into the CMD, which gives you SYSTEM, thereby bypassing BitLocker. It didn't bypass VeraCrypt though, so no luck bypassing cryptlockers, as they are obviously not based on BitLocker, or MS could unlock them (as proven by the concept of the in-place updates).

You can trigger it yourself by patching an unpatched workstation, which is how I tested it. So yeah, BitLocker vulnerability for the win. Thankfully we don't use it.

Well, I mean it's probably just a USB you plug in and it injects it into RAM while the OS boots up, then it eats the ransomware as it wakes up and loads. It's probably some really simple rootkit shit.

The program? You install it on the workstation and it installs a bunch of files on the workstation that alert the software when an attempt is made to encrypt them. The program then stops the service encrypting them, allegedly.

For instance, my What's Changed application went crazy and didn't tell me all the registry changes or program changes it made, so I don't have that information sadly, but the program only called home once in an hour and that was an update check, so it's not chatting home to do anything either. That makes vendor management a bit easier.

1 Like
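Two posts above describe the bait-file mechanism (hidden files scattered around the filesystem and watched for changes). Here is an added example of that idea in Python, written for this thread and not RansomFree's or Cybereason's code: plant canary files, baseline their hashes, and report any that are overwritten or renamed. The file names and contents are made up, and `demo()` mimics a sweep hitting two of the canaries so the detector has something to report.

```python
# Added example (not Cybereason's code): a minimal canary-file watcher that plants
# bait files, baselines their hashes and reports which ones were touched.
import hashlib
import tempfile
from pathlib import Path

# Constructed bait names and content; hypothetical, not RansomFree's real file names.
CANARY_NAMES = [".~lock.budget_2016.xlsx", ".Aa_contract.docx", ".0000_family.jpg"]
CANARY_BODY = b"bait file - any change here means something is mass-rewriting files\n"


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, names=CANARY_NAMES) -> dict:
    """Write bait files under root and return a {path: sha256} baseline."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(CANARY_BODY)
        baseline[str(p)] = _digest(p)
    return baseline


def check_canaries(baseline: dict) -> dict:
    """Return {path: event} for each canary that no longer matches the baseline."""
    events = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            events[path] = "missing"        # deleted or renamed (e.g. to *.locked)
        elif _digest(p) != expected:
            events[path] = "modified"       # contents rewritten in place
    return events


def demo(root: Path = None) -> dict:
    """Plant canaries, then mimic what a file-encrypting sweep does to two of them."""
    root = root or Path(tempfile.mkdtemp())
    baseline = plant_canaries(root)
    assert check_canaries(baseline) == {}   # untouched canaries raise no alert
    first, second, _ = (Path(p) for p in baseline)
    first.write_bytes(b"\x00" * 64)          # overwritten in place
    second.rename(second.parent / (second.name + ".locked"))  # renamed
    return check_canaries(baseline)


if __name__ == "__main__":
    print(demo())  # two events: one 'modified', one 'missing'
```

The real product reacts at the moment of the write rather than on a later poll, which is why VeraCrypt and AxCrypt runs that never touch the bait files go unnoticed.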