Tuesday, 20 December 2016

New RansomWare software (Cybereason RansomFree) - but there is a catch which you may not like!

This new free Cybereason RansomFree software detects ransomware using the 'honeypot' technique.

It seems to create new folders that begin with { or ~{ and other strange characters, and then fills those folders with various  'tempting' .doc,  .txt, .rtf, .xls etc. files. It then monitors them for changes and will allow you to kill any task that attempts to makes any changes to any those files.

A nice touch (or weakness?) is that the honeypot files that it creates are mostly hidden from the normal user when using Windows Explorer to view your folders.

The honeypot theory assumes that any ransomware will scan the drive and find these files before it finds your important files and then the RansomFree software will be able to warn you before too much harm is done. It did not seem to place any honeypot files on any other volume in my system however, so it seems to be only monitoring the C: drive.

See YouTube video here.

It has been tested and reviewed by Bleeping Computers also.

But here's the catch...


Note that the RansomFree software will upload any suspect file to their servers so that they can analyse the executable further. I could not find an option to disable this, so I am not sure how comfortable some people will feel when using this software. I don't know if it asks you first or not, but it is not mentioned on their site or in the video or by Bleeping Computers, if they do.

From their Q&A page...

Cybereason collects anonymous statistics to help improve RansomFree. For example, when ransomware is detected, RansomFree will automatically upload the file to our secured servers for the purpose of further research by Cybereason Labs. Using this information, Cybereason will continue developing RansomFree with new and improved detection methods.
The honeypot is a good idea, but I think I would be happier if I was able to choose more volumes for it to monitor (although it does apparently monitor high-CPU encryption usage?). Also, as the honeypot folders that it creates all seem to have strange, randomly-generated names (e.g. beginning with $ or ! or { or ~, etc. and which are not 'Explorable' by the normal user in Windows Explorer). I would also be happier if some of the folders it created had more normal random alphanumeric names such as 'ahdfg9', so that any future ransomware could not simply skip these strangely named files which are rather obviously honeypot files.

The names obviously need to be different (random) on each computer, in order to prevent malware coders from checking for specific names.

If I was a scumbag ransomware coder, my first target would be %UserProfile%\Documents and folders below, plus about 10 other locations first, before I looked at all the rest of the files in the system, and I would avoid encrypting any folder names or filenames that included non-standard or illegal characters. After than, I would start encrypting all the folders/files that I had previously skipped (e.g. only encrypt files that had the strange characters in their name on a 2nd pass). But perhaps any code which could do this may be more recognisable as a virus or maybe it is too complicated for the average bandit to code. As I am not a malware coder or security expert, I don't have enough experience in these matters to offer a knowledgeable opinion.

It seems that we will always be playing a game of catch up and leapfrog with malware coders though.