Posted to comp.sys.ibm.pc.hardware.storage, November 1st 16, 07:29 PM
VanguardLH[_2_]
"How to beat ransomwa prevent, don't react"

Lynn McGuire wrote:

"How to beat ransomwa prevent, don't react"
https://blog.malwarebytes.com/101/20...nt-dont-react/


While anti-virus and even MalwareBytes' own Anti-Exploit is supposed to
help prevent crypto ransomware attacks, it seems the obvious solution is to
get prompted whenever a process or thread wants to issue calls to the
Windows Crypto API. As with firewalls, you could Allow or Block
(permanently or temporarily) a Crypto API call. If an unknown process
decided it wanted to encrypt something, you get prompted and can block
(disallow) the crypto call. I suspect that is the big crux of how
Malwarebytes' Anti-Ransomware beta software works. Hopefully it
includes a database (also hashed to detect any modification) of known OS
processes to whitelist those. You can see more info in their forum at:

https://forums.malwarebytes.org/foru...nsomware-beta/

While it may be free now, it looks like they are planning to roll it
into their Anti-Malware product - their payware version of that. So
freeloaders, like me, wanting free security solutions will get to use it
while it is beta which helps MalwareBytes test their software and then
it will get yanked away when rolled into their flagship product
(Anti-Malware, payware version). Since their Anti-Malware freeware
product has no on-access (real-time) scanner, any anti-ransomware
function would be worthless in having to wait until the user gets around
to an on-demand (manually run) scan. So you would need their payware
version of MBAM to get their on-access scanner that would then include
coverage and heuristics for crypto-based malware.

While this sounds great (until their betaware gets rolled into their
payware), this focuses on crypto ransomware. I've seen some rogueware
that merely renames every file it can find (that is not locked) and then
sets the Hidden file attribute on it. The malware could also change a
Windows policy that prevents access to a volume (other than for the OS).
Volumes can also be disabled, thus preventing access. Users already know
how to do this using Disk Management (diskmgmt.msc) or the command-line
version of it (devcon.exe). Permissions can be changed. There are lots
of ways to block access to files other than just encrypting them.

You might want to read the comments to the article mentioned by the OP,
along with reading the forum comments. Yes, it is beta but I won't be
installing this on my sole home PC. This is something for a test
platform. Also, I don't see the point of wasting time on what is
freeware now only to have it yanked away later by rolling it inside of
their payware.
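The two mechanisms the post speculates about, a firewall-style Allow/Block/Prompt decision on Crypto API calls backed by a hash-checked whitelist of known OS processes, and catching the non-crypto rogueware that just mass-renames files and sets the Hidden attribute, sketched as an added Python example. This is not the poster's code and not Malwarebytes' Anti-Ransomware implementation; the process paths, image hashes, thresholds and the sample event stream are all constructed placeholders, and the hooking of real Crypto API calls or file-system events is assumed to happen elsewhere.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed allow-list of "known OS processes": image path -> expected SHA-256
# of the executable. The digests are placeholders, not real binary hashes.
KNOWN_OS_PROCESSES = {
    r"C:\Windows\System32\lsass.exe": "a" * 64,
    r"C:\Windows\System32\svchost.exe": "b" * 64,
}


def allowlist_digest(allowlist):
    """Digest of the whole allow-list, so modification of the database is detectable."""
    canonical = json.dumps(allowlist, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


class CryptoCallPolicy:
    """Decide what to do when a process asks for a crypto call: allow, block or prompt."""

    def __init__(self, allowlist, expected_digest):
        self.allowlist = allowlist
        self.expected_digest = expected_digest
        self.permanent_rules = {}   # (path, image_hash) -> "allow" | "block"
        self.temporary_rules = {}   # same shape, cleared by end_session()

    def allowlist_intact(self):
        return allowlist_digest(self.allowlist) == self.expected_digest

    def decide(self, path, image_hash):
        # A modified allow-list cannot be trusted: fall back to prompting for everything.
        if not self.allowlist_intact():
            return "prompt"
        # Known OS process whose image hash still matches: silently allow.
        if self.allowlist.get(path) == image_hash:
            return "allow"
        key = (path, image_hash)
        if key in self.permanent_rules:
            return self.permanent_rules[key]
        if key in self.temporary_rules:
            return self.temporary_rules[key]
        return "prompt"  # unknown or modified process: ask the user, firewall-style

    def remember(self, path, image_hash, verdict, permanent):
        """Record the user's answer to a prompt, permanently or for this session only."""
        assert verdict in ("allow", "block")
        rules = self.permanent_rules if permanent else self.temporary_rules
        rules[(path, image_hash)] = verdict

    def end_session(self):
        self.temporary_rules.clear()


@dataclass
class FileEvent:
    pid: int
    op: str             # "rename", "set_hidden" or "write"
    path: str
    new_path: str = ""  # only used for "rename"


def score_behaviour(events, rename_threshold=20, hidden_threshold=20):
    """Flag processes that mass-rename or mass-hide files without touching any crypto API."""
    counts = defaultdict(lambda: {"rename": 0, "set_hidden": 0, "new_exts": set()})
    for ev in events:
        c = counts[ev.pid]
        if ev.op == "rename":
            c["rename"] += 1
            c["new_exts"].add(ev.new_path.rsplit(".", 1)[-1].lower() if "." in ev.new_path else "")
        elif ev.op == "set_hidden":
            c["set_hidden"] += 1
    flagged = {}
    for pid, c in counts.items():
        reasons = []
        # Many renames that all land on one or two new extensions is the rogueware pattern.
        if c["rename"] >= rename_threshold and len(c["new_exts"]) <= 2:
            reasons.append("mass rename to a single extension")
        if c["set_hidden"] >= hidden_threshold:
            reasons.append("mass Hidden attribute set")
        if reasons:
            flagged[pid] = reasons
    return flagged


# Constructed sample event stream: pid 4242 behaves like the renaming rogueware,
# pid 1000 is a user saving a few documents and renaming one.
DOCS = r"C:\Users\me\Docs"
SAMPLE_EVENTS = (
    [FileEvent(4242, "rename", rf"{DOCS}\file{i}.docx", rf"{DOCS}\file{i}.locked") for i in range(25)]
    + [FileEvent(4242, "set_hidden", rf"{DOCS}\file{i}.locked") for i in range(25)]
    + [FileEvent(1000, "write", rf"{DOCS}\report{i}.docx") for i in range(3)]
    + [FileEvent(1000, "rename", rf"{DOCS}\draft.docx", rf"{DOCS}\final.docx")]
)

if __name__ == "__main__":
    policy = CryptoCallPolicy(KNOWN_OS_PROCESSES, allowlist_digest(KNOWN_OS_PROCESSES))
    print(policy.decide(r"C:\Windows\System32\lsass.exe", "a" * 64))        # allow
    print(policy.decide(r"C:\Users\me\Downloads\invoice.exe", "c" * 64))    # prompt
    print(score_behaviour(SAMPLE_EVENTS))                                   # {4242: [...]}
```

The allow-list is keyed on path plus image hash, so a known path with a changed binary is not whitelisted, and the expected digest of the whole database would live somewhere the malware cannot rewrite (signed, or inside the product) for the tamper check to mean anything. The behavioural scorer is deliberately independent of the crypto hook: it only looks at rename and attribute events, which is the case the post points out a crypto-only approach misses.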