PC World recently published an article on RansomFree, a new program that claims to block ransomware. RansomFree is behavioral analysis software that runs in the background of your PC, collecting data on what is considered normal behavior and what is not. If any red flags arise, the software stops the execution and lets the user either override the alert and continue with what they were doing, or ask RansomFree to permanently quarantine the application as malicious.
PC Matic’s malware researcher and product manager, Devin Bergin, tested the software. It did block 100% of his ransomware samples. That being said, there are two major issues with this security solution.
First, RansomFree does not do any testing for you to determine whether the application is safe. Once the user deems an application malicious, there is no further testing. This could push users toward carelessness: they may override alerts because they don’t want their application to be permanently known as malicious.
Second, this solution uses decoy files as a means of protection against file encryption. This sounds like a good idea, until we dig a bit deeper. One risk of using decoy files is that you may end up with a few files being encrypted before the behavioral analysis detects an issue and is able to stop it. Theoretically this shouldn’t be an issue, because the ransomware will be encrypting the decoy files, not legitimate ones. However, a risk, as pointed out by BleepingComputer, is that these decoy files are named with either ! or ~ at the beginning of the file name. This bumps these files to the top of the list, which would typically cause the ransomware to encrypt them first. However, as ransomware advances, it is not difficult for cyber criminals to devise a different method that targets other files first.
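The decoy-file idea described above, as an added example that is not RansomFree's or PC Matic's code: it plants two decoys with the `!` and `~` prefixes, records their hashes, and reports which decoy changed after a constructed write to the first file in a sorted listing. The file names, contents and code-point sort order are assumptions; real enumeration order depends on the file system and API in use.

```python
import hashlib
import os
import tempfile

DECOY_BODY = b"constructed decoy content\n"   # sample bytes, not RansomFree's

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def plant_decoys(directory, names=("!decoy.docx", "~decoy.docx")):
    """Write decoy files and return {path: sha256} as the baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_BODY)
        baseline[path] = sha256_file(path)
    return baseline

def tripped_decoys(baseline):
    """Return decoys that were deleted, renamed or whose content changed."""
    tripped = []
    for path, digest in baseline.items():
        if not os.path.isfile(path) or sha256_file(path) != digest:
            tripped.append(os.path.basename(path))
    return sorted(tripped)

def demo():
    """Constructed scenario: one rewrite of the first-sorted file."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("budget.xlsx", "notes.txt"):      # stand-in user files
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"user data\n")
        baseline = plant_decoys(folder)
        # Code-point order: '!' sorts before letters and digits, '~' after.
        order = sorted(os.listdir(folder))
        before = tripped_decoys(baseline)
        # Stand-in for an unexpected bulk rewrite working down the listing.
        with open(os.path.join(folder, order[0]), "wb") as fh:
            fh.write(b"\x00" * 32)
        after = tripped_decoys(baseline)
        untouched = [n for n in order if n not in after]
        return order, before, after, untouched

if __name__ == "__main__":
    print(demo())
```

The decoy is the only file altered when the check fires, but that holds only while the process walks the listing in the order the decoy names anticipate.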
Now, let’s compare RansomFree to PC Matic. PC Matic, too, blocked 100% of the ransomware samples. However, that is to be expected, because they are our samples. That being said, PC Matic did block 100% of the ransomware samples when tested by AV Comparatives.
PC Matic also includes an advanced mode that allows users to make decisions on unknown files without waiting for classification by our malware team, although we don’t recommend using it all the time. If users choose not to add the application to their whitelist, the PC Matic malware research team will test and categorize these applications within 24 hours of attempted execution. Because the malware research team does the appropriate testing, there is no risk of a trusted application being permanently quarantined as malicious, as there is with RansomFree.
Overall, both security solutions have the same end result: ransomware is blocked. However, as ransomware developers change their encryption tactics, RansomFree may catch less ransomware before encryption, while PC Matic will still block the unknown right away with our whitelist technology.
Also, RansomFree puts the determination of “trusted” versus “untrusted” applications into the hands of the PC user, while PC Matic leaves it to the professionals. This is concerning, because it simply takes one wrong override and you’re inviting ransomware into your system. Is that a responsibility you want?