Wednesday, September 20, 2017

RansomFree

As you'll probably guess from the name, RansomFree is an entirely free anti-ransomware tool from the enterprise security company Cybereason. Not ‘free for personal use’, not a cut-down version of something else, just a no-strings free tool that anyone can use.

RansomFree works largely by deploying and monitoring 'bait files': test folders and documents which it adds to all your drives, whether fixed, removable or network. These are positioned so that ransomware should encrypt them first, and if that happens, RansomFree kills the offending process and alerts you to the danger.

The big advantage of this approach is that if you are infected by ransomware, it will waste its time infecting RansomFree's garbage files, rather than any of yours. Ideally you won't lose any data at all.

As the detection is based on behaviour, rather than signatures, it should also pick up even brand new and undiscovered threats.

Ransomware can try to bypass this approach by looking for bait files, but even if it ignores them, RansomFree has other detection technologies in reserve. Put it all together and Cybereason claims the program blocks "99% of ransomware strains", and if true, that's impressive – especially for a completely free product. Run it alongside a good antivirus tool to protect you against the other 1%, and in theory you'll be very safe.

Setup

RansomFree is quick and easy to install. There's no registration required, it's a tiny download, and there are no complicated options. The program sets itself up in seconds, displays a brief 'Protection enabled' notification and disappears to your system tray.

Even if you go looking for an interface, there's very little to find. Right-clicking the system tray icon gives you options to pause protection, check for updates, display help and an About dialog, but there's barely anything else. RansomFree is probably the definition of 'set and forget'.

This simplicity is reflected in the program's hard drive footprint, with just 14 files taking 5MB of space on our test PC.

RansomFree's memory usage is a little more noticeable, its two processes grabbing at least 50MB RAM. Not a huge amount, but AppCheck anti-ransomware needs less than 10MB.

There's also a little extra file system clutter, thanks to RansomFree's bait files. Our test system gained a couple of folders, 'C:\CValues84' and 'C:\Xupdate251', which contained around 3MB of sample images and documents. It's not a big deal and you soon learn to ignore them, but this approach does have some risks. If you ever delete these folders, perhaps because you forget what they're for, RansomFree's protection will be weakened.
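
The bait-file idea described earlier, and the weakness that appears when the bait folders are deleted, can be shown in a short sketch. This is an added example, not RansomFree's own code or a description of its internals: it baselines a folder of bait files by hash and reports any that go missing, change, or turn into high-entropy (encrypted-looking) data. The file names and the 7.0 bits-per-byte threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(bait_dir: Path) -> dict:
    """Record a SHA-256 baseline for every bait file under bait_dir."""
    return {p: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(bait_dir.rglob("*")) if p.is_file()}


def check(baseline: dict, entropy_limit: float = 7.0) -> list:
    """Compare bait files with the baseline; return (name, finding) pairs."""
    findings = []
    for path, digest in baseline.items():
        if not path.is_file():
            # Deleted or renamed bait: an attack, or a user tidying up.
            findings.append((path.name, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            # Assumed heuristic: entropy above the limit suggests encryption.
            kind = "encrypted" if entropy(data) > entropy_limit else "modified"
            findings.append((path.name, kind))
    return findings


def demo() -> list:
    """Constructed scenario: one bait file overwritten, one edited, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        bait_dir = Path(tmp)
        for name in ("a.docx", "b.jpg", "c.txt", "d.pdf"):
            (bait_dir / name).write_bytes(b"constructed bait content\n" * 200)
        baseline = snapshot(bait_dir)
        (bait_dir / "a.docx").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (bait_dir / "b.jpg").write_bytes(b"edited\n")         # low-entropy change
        (bait_dir / "c.txt").unlink()
        return check(baseline)


if __name__ == "__main__":
    print(demo())
```

A "missing" finding is the case the review warns about: once the bait is gone, there is nothing left for this kind of check to trip on.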

Inspecting RansomFree's executable files showed some were digitally signed, but there were multiple unsigned DLLs to support particular functions (the Amazon Web Services SDK, for instance). Although that doesn't necessarily lead to any problems, we've found tools that use components from several sources are more likely to be vulnerable to attack.

Sure enough, we found that RansomFree could be compromised by malware. An attacker could close its processes, delete RansomFree's files and leave you entirely unprotected. Unless you checked the system tray and noticed the missing icon, you wouldn't realize anything had changed.

This isn't necessarily a critical error. Most ransomware isn't going to specifically target RansomFree, as it's not widely used, and forcibly closing a running program might attract the attention of antivirus programs. But it's still a vulnerability that most anti-ransomware apps don't share.

In day-to-day use, at least, RansomFree didn't cause us any problems. It didn't affect our antivirus or get in the way of legitimate programs, and we were able to run our regular applications as normal.

Performance

Testing anti-ransomware apps is difficult, especially in a single review. Their value comes in the claimed ability to block brand new ransomware, but you can't assess this without a large supply of undiscovered threats.

It's still possible to get a basic idea of any program's abilities by testing it against a known ransomware strain, of course. We introduced the very dangerous Cerber to a RansomFree-protected system, and after a delay, an alert warned us of the danger. This listed affected files, provided a default option to stop and 'clean the threat', and – unusually – a second option which would allow the process to run.

Allowing users to make such critical security decisions usually isn't a good idea, especially if they're novices – there's always a chance they'll panic and click the wrong button. But if you're the only user, and know what you're doing, you'll probably appreciate the flexibility.

We chose the 'Stop and Clean' option and RansomFree killed the process. It didn't delete the malicious file, so in a real-world attack we would need to run an antivirus to find and clean up any other dangers. But at least the ransomware wasn't able to touch our data.

Our next step is to check anti-ransomware apps against a couple of test programs: KnowBe4's RanSim and our own RanTest. These simulate ransomware activity by encrypting sample files, and enable us to see whether an application can detect suspect behaviour from an unknown source.

The initial results weren't good. RanTest successfully encrypted thousands of test files without being blocked, and RanSim reported our system was vulnerable to eight out of ten attack types.

We updated RanTest to attack RansomFree's bait files instead of its own, just to see what would happen, and it made all the difference. The warning dialog appeared, we were able to forcibly close RanTest with a click, and no data was lost.

These results need to be treated cautiously. RanSim and RanTest aren't real ransomware and don't touch our own files, so failing to detect them doesn't necessarily indicate a major problem.

It does seem that a threat which can spot RansomFree's bait files might be able to encrypt some, or maybe all, of your data. That's only a theoretical risk, though, and we've no idea how likely it might be. What we can say for sure, right now, is that RansomFree blocked an existing threat without difficulty, and there's no doubt that the program adds a useful extra layer of security to your PC.

Final verdict

RansomFree blocks conventional threats well, and installing it will make you safer. But the program isn't bulletproof, and could be vulnerable to smarter malware that can avoid its bait files or disable its code.
