RansomOff - a program for fighting ransomware
#1
A little over a month ago a new program for fighting ransomware appeared - it is called RansomOff and it is based on the signature-less technology [link] developed by the company [link]. Based on the information from the program's site and the threads on MT and WF, its features can be summed up as follows:
- it relies on a behavioral mechanism and needs no signatures to work
- it can detect many ransomware families
- it protects the MBR, but only of the physical device (not of the partition)
- it has a file recovery function
Two quotes on how it works
Quote: RansomOff does not use signatures so it is agnostic to ransomware families or variants. Packing and other code obfuscation has no impact on RansomOff's detection. It's strictly behavior based. Thanks to folks like [link] and others over at malwaretips, we've been refining the detection heuristics to make sure it provides as complete coverage as possible. Admittedly it does throw false positives every now and again, as seen with SeaMonkey in [link]'s latest video but that's a small price to pay if it blocks actual ransomware. And that's part of the reason we built in an exemption list to handle those situations.

We don't have a list of every family and variant it can block but it is highly effective against a wide range of families. It did very well with Evjl Rain's initial test over at malwaretips and the issues identified with that have since been fixed.

[link] threw some awesome samples at it and again, we've been refining to make sure our heuristics cover these behaviors. We'll be releasing a new build later tonight that fixes script based attacks such as RAA which failed in that test.

[link]


Quote:
1) Correct. MBR protection right now is per drive not per partition so multi partition drives are not fully covered.
2) There is file restoration but let me explain a bit how it works. It is not system wide. Every change to every file from every process is not restorable. Instead RansomOff, through its detection heuristics, decides if a file should be saved before a change is made. Right now, only processes that have thrown an alert (i.e. ransomware) will have any files that were modified restored. If a process did not cause an alert and closes, the cache of files associated with that process is purged. The default setting is to do the restoration automatically however it can be changed to manual. That is why, when you go to the Restore form in the UI, you likely won't see any processes or files listed. That's because a) no ransomware was detected, b) no files were actually modified by the ransomware, or c) the files have already been restored and cleared from the cache. You can see a record of the cleanup and restoration in the Alerts (must click 'View All Sessions' checkbox to view cleanup messages). So file restoration is there but done differently than other solutions in order to allow RansomOff to be as efficient as possible without using a lot of system resources.
3) Latest build from today (5.2017.99.6252) adds confirmation message.

[link]


And two screenshots from the MT thread
[Image: proxy.php?image=https%3A%2F%2Fwww.ransom...e8a60eff75]

[Image: proxy.php?image=https%3A%2F%2Fwww.ransom...e3b9538a93]

Change log for all versions
Quote:
RansomOff Change Log
5.2017.119.4637 (Beta) - 29 Apr 2017
  • Updated process interaction heuristics and rules.
  • Added setup step to manually add existing security software for exemption.
  • Added additional notification and logging messages.
  • Minor UI changes and fixes.
5.2017.116.7686 (Beta) - 26 Apr 2017
  • General bug fixes.
5.2017.116.6374 (Beta) - 26 Apr 2017
  • File restore expanded to cover all processes with a variety of ways to restore modified files.
  • Added additional file backup and restore options for increased control.
  • Added ability to disable file backup.
  • Automatically identifies and adds anti-virus exemption.
  • Notifications on common Windows start-up area changes.
5.2017.107.8077 (Beta) - 17 Apr 2017
  • Automatic updating.
  • Added WMI and scheduled task tracking for improved process termination and cleanup.
  • Added undelete functionality to restore files deleted by RansomOff.
5.2017.105.5336 (Beta) - 14 Apr 2017
  • Fixed numerous performance and stability issues.
5.2017.102.8559 (Beta) - 12 Apr 2017
  • Improved compatibility with existing programs.
  • Modified main UI with color coded protection status.
  • Added ability to disable ransomware protection.
  • Improved installer to prevent possible registry corruption that could lead to BSOD loop.
  • Changed all build times to UTC.
  • General bug fixes.
5.2017.101.7020 (Beta) - 11 Apr 2017
  • Modified installer to include better error checking and more robust restore point creation.
  • Improved false positive detection.
  • Fixed startup UI hang issue.
  • General bug fixes.
5.2017.99.6252 (Beta) - 9 Apr 2017
  • Modified installation bootstrapper to display message if minimum .NET version is not installed.
  • Improved heuristics to prevent false positives.
  • Added 'Allow' confirmation second-chance to prevent inadvertent ransomware continuation.
  • Expanded process propagation detection.
  • Added additional system processes to protect against code injection.
  • General bug fixes.

Program website: [link]

"Security is a journey, not a destination - it is not a problem that can be solved once and for all"
"Trust is not a control, and hope is not a strategy"
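To make the per-process restore mechanism described in the second quote concrete, here is a small Python model of it. This is an added illustration written for this thread, not RansomOff's code, and every name in it (FileMonitor, should_backup, run_demo, the sample files and the extension list standing in for the "should this file be saved" heuristic) is a hypothetical stand-in; the real heuristic is not public.

```python
# Toy model of a RansomOff-style per-process pre-modification backup cache.
# Added illustration for this thread; not RansomOff's own code. All names
# below are hypothetical, and the sample "disk" is constructed inline.

WATCHED_EXTENSIONS = (".docx", ".jpg", ".txt")  # constructed heuristic input


def should_backup(path: str) -> bool:
    """Stand-in for the detection heuristic that decides whether a file is
    worth saving before a change is made. The real rule is unknown; this
    one simply keys on user-document extensions (assumption)."""
    return path.lower().endswith(WATCHED_EXTENSIONS)


class FileMonitor:
    """Intercepts writes to an in-memory 'disk' and keeps one cache per PID."""

    def __init__(self, files: dict, auto_restore: bool = True):
        self.files = dict(files)          # path -> current bytes
        self.cache = {}                   # pid -> {path: original bytes}
        self.log = []                     # alert / cleanup messages
        self.auto_restore = auto_restore  # default in the quote is automatic

    def write(self, pid: int, path: str, data: bytes) -> None:
        per_pid = self.cache.setdefault(pid, {})
        # Save the ORIGINAL content once, before this pid's first change.
        if path not in per_pid and path in self.files and should_backup(path):
            per_pid[path] = self.files[path]
        self.files[path] = data

    def process_exit(self, pid: int) -> None:
        """A process that never alerted closes: its cached originals are purged."""
        if pid in self.cache:
            self.cache.pop(pid)
            self.log.append(f"cleanup: purged cache for pid {pid}")

    def alert(self, pid: int) -> int:
        """Heuristics flag the process. Restore automatically, or leave the
        cache in place for a manual Restore step. Returns files restored."""
        self.log.append(f"alert: pid {pid} flagged as ransomware")
        return self.restore(pid) if self.auto_restore else 0

    def restore(self, pid: int) -> int:
        """Put back every cached file this pid modified; returns the count."""
        restored = 0
        for path, original in self.cache.pop(pid, {}).items():
            self.files[path] = original
            restored += 1
            self.log.append(f"cleanup: restored {path} (pid {pid})")
        return restored

    def pending(self, pid: int) -> list:
        """What the Restore form would list for a pid (empty once restored)."""
        return sorted(self.cache.get(pid, {}))


def run_demo(auto_restore: bool = True) -> FileMonitor:
    # Constructed sample disk.
    m = FileMonitor({
        "report.docx": b"quarterly numbers",
        "photo.jpg": b"\xff\xd8\xff\xe0 jpeg header",
        "notes.txt": b"todo list",
        "app.log": b"started",
    }, auto_restore=auto_restore)
    # Benign editor (pid 100): edits notes.txt and exits without an alert.
    m.write(100, "notes.txt", b"todo list, updated")
    m.process_exit(100)
    # Flagged process (pid 200): overwrites user documents and a log file.
    m.write(200, "report.docx", b"<ciphertext>")
    m.write(200, "photo.jpg", b"<ciphertext>")
    m.write(200, "app.log", b"<ciphertext>")
    m.alert(200)
    return m


if __name__ == "__main__":
    monitor = run_demo()
    print("\n".join(monitor.log))
    print({p: d for p, d in monitor.files.items()})
```

The benign editor's cache is thrown away when it exits, so its edit stays; the flagged process's documents go back to their originals, while app.log, which the heuristic never chose to save, stays overwritten. That is exactly the trade-off the quote describes: cheap, targeted pre-change copies instead of system-wide journaling, at the price of anything the heuristic did not cover.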
#2
So how is it in practice?
#3
I got interested because it has a HIPS and they are out of beta.

Only a few hours on board so far. I don't know whether to dig into the settings or leave them alone.

edit

Conflicts with Shadow Defender 1.4 forced me to uninstall R-Off, which is a pity.