Ransomware software

pnamajck

Honorable Member
thanks for the post, bassfisher … tried installing ransomfree's *.msi file last night … wouldn't take. something to the effect "setup wizard ended prematurely". i have, since, contacted their team and am waiting due response.

to enlighten other netizens coming along … i have tried the following methods:
reboot(s)
normal install-method (as admin)
elevated command-prompt (ext-admin)
[msiexec /i]
[msiexec /a]
compatibility-mode
lowering uac (user-account-control) level (2/4)
disabling avg-antivirus (temporarily)
safe-mode
moving file from e: to c: (boot-drive).​
and my environment is:
win-10 … 64-bit … intel-cpu
space req'd for install: 100mb … space available: 8.3gb … local machine (no network)
log in as administrator
.net framework 4.6 and no java or c run-time packages.​

there is talk, on the internet, about shutting down certain microsoft software/services (via command-line) … the thought behind this would be that some switches are in "engaged" mode … and the conflict might be why the msi-file is not seen by microsoft's installer utility. needless to say, i had not attempted this approach.

aside from that … nowhere does cybereason.com state 32/64bit architecture … or if the program is dependent upon java support.

so … continuing forward, just waiting for some relevancy from their team … will r.s.v.p. as time permits.

Image11 (premiere).png
 
Last edited:

Neemobeer

Windows Forum Team
Staff member
Is it triggering the UAC prompt?

The only manifest entries I see are "asInvoker", but if it needs admin rights then you will need to install it from an elevated command prompt.

strings CybereasonRansomFree.msi | grep requestedExecution
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
 

pnamajck

Honorable Member
thanks for your intervention, neemobeer … rather than any further deflection, i decided to let the good boys at cybereason.com work out the kinks in their software … might try it again this spring. keep the faith.

p.s. however, in answer to your question … yes, the install attempt did trigger a prompt for uac … consequently, temporarily lowering the uac had been my own doing. and my intent definitely is not to circumvent uac … it's been designed, by microsoft, to safeguard us. and installing from elev-cmd line had no effect.
 

BIGBEARJEDI

Fantastic Member
Premium Supporter
Thanks for posting Bass. Looks like it's worth testing out. Has anyone thrown an actual Ransomware virus at this program yet I wonder?
I'll have to setup on one of my W10 test machines and try throwing something like NEMUCOD or CRYPTOLOCKER at it and see how it responds. I do have the Nemucod virus executable, but not any of the nasty strains of Cryptolocker. There are numerous strains, about 4 or 5 posted on various sites including Emsisoft, that are not decryptable and if you get one of these puppies there is no antidote; at least at the present time. Hopefully, I don't run across any Clients with these strains of the Cryptolocker, but if I do and I can capture one in the wild, and quarantine it I can run it against the Ransomfree program and see how good their detection is. I'd also be worried about it getting loose on my LAN or getting into my Router. There are mentions of Cryptolocker variants which operate this way as well. Hackers today know all too well that most folks run a LAN or a wireless LAN, and if they get into 1 computer on the LAN, even if a program such as this Ransomfree is protecting that computer, if you don't have it or a similar anti-ransomware program on ALL other computers, even if Ransomfree blocked the virus from encrypting that PC, it might get loose on one of the other unprotected PCs or of course the router.

I think several of us here would like to find a program that we can deploy on Customer machines (as well as our personal machines), that could stand up to this highly-virulent strain of recent Ransomware. On machines that I repair or install for Clients, I've been using RUBotted from TrendMicro.com which does a pretty good job. None of the 200+ computers I have touched belonging to my Clients running this little background program have gotten hit by the Ransomware nasties. That's because this program detects and blocks Ransomware by blocking out Rootkits and Bootkits, which many of the Ransomware viruses like to use as their infection vector. Problem is, that several of my Clients like to uninstall this program because when they are attempting to do self-maintenance or even use a safe cleanup program such as CCleaner, have been caught by me uninstalling them when I work on their PCs subsequently.:shocked: Even my top Clients don't seem to think it's a big deal to remove certain programs they don't think are being used or needed; they don't recognize the name (RUBotted) or the company name, TrendMicro, and they think it's ok to remove it. Even after explaining that this could be the 1 program that could save them from one of these super nasty Ransomware viruses, I have Clients who still continue to remove it after being told not too 2 or even 3 times by me.:headache:

This will probably be the same issue with deploying this new program, Ransomfree. If the Customer hasn't heard of it, they may try and remove it. I always tell my Clients the same thing: "...if you don't know what it is, DON'T REMOVE IT WITHOUT CALLING ME FIRST!!"

Best,:nerdie:
<<<BIGBEARJEDI>>>
 

pnamajck

Honorable Member
just an update as promised … cybereason has already issued a fix (ver 2.1.1.0) for the previously errant *.msi file … however, my thoughts are that i should wait another week or so … perhaps other bugs/quirks will surface.

bigbearjedi … actually, it seems our friendly patrons at bleepingcomputer.com have already tested out the software … claiming to have launched locky (osiris variant), cerber, and globe ransomware at it.

anyway … here's youtube video from cybereason:

in case you're interested, bigbearjedi … the good folks at cybereason have a "message board" of sorts:

couple other points worth mentioning …
● according to one video … there is a one-hour "pause" function built into the software, which seems to actually pause the ransomware from doing add'l damage … while the operator affirms whether the suspect file is good or bad.
● in it's inherent design … the developers had researched thousands of ransomware strains … and they came up with a formula which, supposedly, complements the sentry's effectivity. then again … this may be just a marketing ploy.​

ref:
Cybereason RansomFree.msi (ver 2.1.1.0)
RansomFree Is the Latest App That Tries to Stop Ransomware Infections on Windows

p.s.
i would have interrupted by pleading with people to retain their "encrypted" files for future remediation … but bigbearjedi already has promoted that fact … and thanks.
 
Last edited:

BIGBEARJEDI

Fantastic Member
Premium Supporter
Cool beans, Jack! Another great post--I'll check out those links you gave over the holidays and look into it further. It sounds rather promising. I volunteer over at bleeping computer too from time-to-time. That's good to know that they are doing solid testing by throwing In-the-Wild viruses at their product. I'm looking forward to adding it into my list of projects for 2017!
Right now I'm working with brkkab on the Folding @Home project.

I've also got some colleagues in my local Computer Club who might be willing to help me do some testing as well on the program.

Well, off to get some much needed sleep--zzz!

Talk to you soon.
Enjoy your Holiday!:teeth:
<<<BBJ>>>
 

pnamajck

Honorable Member
a'ight … have downloaded ransomfree (version 2.1.1.0) … and this version proved to be a successful install. as of this moment … my computer had no ransomware infection and remains clean.

installation as follows:
environment:
win-10au (1607-14393.576) 64bit
cybereasonransomfree.msi (2.1.1.0)
windows-defender (auto-disabled)
avg (16.131.7924)
malwarebytes-antimalware (2.2.1.1043)
protocol:
default admin login
not installed via compatibility protocol.
did not "install_as_admin"
did not "run_as_admin"
method:
it's important to note … this first successful install had been initiated after lowering uac-level to level-2. uac-interface showing process "3e1a9e.msi" during install. of course, i raised the uac-level back up to default level-3 afterward.

however, the majority of users probably will install using windows default uac parameters (level-3) … so, i decided to uninstall and then re-install using the above protocol.

uac-interface showing process "3e1aa1.msi" when uninstalling … i did not taskmgr/endprocess before uninstalling … i went straight to add/remove … chose the uninstall option.

uac-interface showing process "b48ac.msi" upon successful reinstall.

the install was smooth … the process sits silently in the background (system-tray) … one checks for updates same as the other sentries.

that's it, boys … the earlier posts contained any pertinent links.
 

pnamajck

Honorable Member
hey there, hermitkrab … nice to hear your install went without a hitch. from what i've seen so far, and this appeared true to form, ransomfree will pop up a small window … informing the operator a new release is available for install. from there, simply go to their website … download … install. btw … nice having you on-board, hermitkrab.
 

pnamajck

Honorable Member
just wanted to share this video with everyone using or considering ransomfree … compliments of cybereason.com … as sobering as it is entertaining. [watch how the hospital's soc(security operations central) turns a data-virus epidemic into mincemeat.]

 
Top