RansomFree Questions - Bait Files and MBR


5 replies to this topic

#1 F1Help

  • Members
  • 124 posts
  • Gender:Male
  • Location:England

Posted 09 February 2018 - 12:03 PM

Hi,

Regarding RansomFree, could you please advise:

1) How many bait files are typically placed?

2) Will bait files clutter up a hard drive?

3) Are bait files added to external storage devices?

4) Are bait files removed when RansomFree is uninstalled?

5) Is MBR (Master Boot Record) protection present?

Thanks.




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 February 2018 - 03:26 PM

Cybereason RansomFree is a program which deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects any of these files has been modified it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.

This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.

Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist touching. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!

Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.

RansomFree also deploys a “Disconnected Network Drive (A)” which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive. The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware, but whatever helps with prevention, I consider useful.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
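The mechanism quietman7 describes above (randomly named decoy files in a hidden folder, a baseline of their contents, and an alert when any decoy is modified or disappears) is easy to reproduce in a few dozen lines. The block below is an added example written for this page; it is not RansomFree's code and does not reflect how Cybereason implements its detection. Directory names, file counts, the decoy sizes and the `demo()` helper are all assumptions chosen for illustration. A real watcher would hook file-system change notifications and suspend the offending process instead of polling, and would plant decoys in the user-profile locations the post lists rather than in a temporary directory.

```python
from __future__ import annotations

import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Decoy extensions are a subset of the types the post says RansomFree plants.
CANARY_EXTENSIONS = (".docx", ".xlsx", ".jpg", ".png", ".txt", ".sql", ".pem", ".rtf")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute flag; used only when running on Windows


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large decoys do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path, count: int = 5) -> dict[str, str]:
    """Create one randomly named decoy folder under `root` with `count` decoy files.

    Returns the baseline {path: sha256} that check_canaries() later compares against.
    Each decoy holds random filler bytes, so nothing sensitive is ever written to disk.
    """
    folder = root / secrets.token_hex(4)
    folder.mkdir(parents=True, exist_ok=True)
    if os.name == "nt":  # mirror the hidden-folder behaviour described in the post
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(folder), FILE_ATTRIBUTE_HIDDEN)
    baseline: dict[str, str] = {}
    for i in range(count):
        ext = CANARY_EXTENSIONS[i % len(CANARY_EXTENSIONS)]
        decoy = folder / (secrets.token_hex(6) + ext)
        decoy.write_bytes(secrets.token_bytes(1024))
        baseline[str(decoy)] = _sha256(decoy)
    return baseline


def check_canaries(baseline: dict[str, str]) -> dict[str, str]:
    """Return {path: reason} for every decoy that no longer matches the baseline.

    'missing'  -> the decoy was deleted or renamed (e.g. given a .locked extension);
    'modified' -> the decoy still exists but its contents changed (encrypted in place).
    Either outcome is what an anti-ransomware tool would treat as an attack in progress,
    which is also why manually deleting the decoys trips the alert, as the post notes.
    """
    tampered: dict[str, str] = {}
    for path_str, digest in baseline.items():
        decoy = Path(path_str)
        if not decoy.exists():
            tampered[path_str] = "missing"
        elif _sha256(decoy) != digest:
            tampered[path_str] = "modified"
    return tampered


def demo() -> dict[str, dict[str, str]]:
    """Plant decoys in a temp dir, then simulate two ransomware behaviours and re-check.

    The 'attack' is constructed here for the example: one decoy is overwritten with
    random bytes (in-place encryption) and another is renamed to a .locked extension.
    """
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_canaries(Path(tmp), count=4)
        before = check_canaries(baseline)  # expected: {} (nothing touched yet)
        victims = [Path(p) for p in baseline]
        victims[0].write_bytes(secrets.token_bytes(1024))
        victims[1].rename(victims[1].with_suffix(".locked"))
        after = check_canaries(baseline)   # expected: one 'modified', one 'missing'
    return {"before": before, "after": after}


if __name__ == "__main__":
    for path, reason in demo()["after"].items():
        print(f"ALERT: canary {reason}: {path}")
```

The check deliberately treats a missing decoy the same as a modified one: ransomware families that rename files before or after encrypting them would otherwise slip past a watcher that only compares hashes of files that still exist. That is also the reason the post warns that deleting the decoys yourself will be reported as an attack.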

#3 F1Help
  • Topic Starter

  • Members
  • 124 posts
  • Gender:Male
  • Location:England

Posted 10 February 2018 - 10:05 AM

Thanks for your helpful reply.



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 February 2018 - 01:16 PM

You're welcome.

#5 HMonk

  • Members
  • 4 posts

Posted 09 April 2018 - 10:32 PM

@quietman7

For a couple of days I deleted these odd directories/files, redeleted them, deleted programs with questionable running processes, and on and on. Today I came across this thread.

Thank you, thank you, thank you.

Quietman: reminds me of John Wayne and Maureen O’Hara.

Monk

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 April 2018 - 06:03 AM

You're welcome.

...Quietman: reminds me of John Wayne and Maureen O’Hara.

That is where I got my user name from...it is one of my all time favorite movies.