RansomOff Documentation Latest version: 5.2017.214.6672 (RC1)

RansomOff is a free, signature-less, endpoint security solution designed to do one thing; stop ransomware dead in its tracks.

RansomOff protects your files on local drives, removable devices and networks shares and even protects your Master Boot Record (MBR) from malicious overwrites.

RansomOff uses a layered approach for protection with both active and passive measures. First, RansomOff has its own file back and restore capability. This ensures that if a piece of ransomware is able to bypass RansomOff's other detection methods, you'll likely be able to get your files back. Second, RansomOff automatically judges a program's risk based on numerous factors and then applies the appropriate protection strategy to catch any possible ransomware-like behavior. Third, RansomOff protects critical system processes from malicious tampering to ensure that the integrity of your system remains intact.

RansomOff is fast, lightweight and effective at stopping all major ransomware families. And if ransomware is detected, RansomOff will even clean up your system for you to remove all file and registry artifacts that may have been dropped.

The main RansomOff window is designed to give quick information on the various components and overall status of RansomOff.

When the form is predominantly green, that means all components are loaded and the ransomware protection is enabled.

If certain components are not loaded or if you disable certain features, then the form will turn yellow.

When the form is red, that means that the ransomware protection is turned off and you will not be protected from ransomware attacks.

In addition to the color changes, various messages are also available that describes the current status. Besides the large protection focused message, when RansomOff auto-updates itself a small message will appear in the lower right corner stating that RansomOff has updated and that the system needs to be restarted.

From the main window, you have quick access to toggle on or off various protection options by simply clicking the link on the main window that says 'Set Protection Status.' These can also be configured through the task tray menu by right clicking on the RansomOff icon.

  • Ransomware: All of the various anti-ransomware heuristics are tied to this setting. If disabled, then RansomOff is not protecting your system against ransomware.
  • MBR: Master Boot Record protection can be enabled or disabled however it requires a reboot to take effect. This is because of how upper disk filters and the disk stack are designed in Windows.
  • Policy Enforcement: RansomOff enforces its own protection policy to prevent runtime tampering and abuse of Windows processes. Similar in concept to behavior blocking but narrowly applied to system processes.
  • Backup and Restore: If enabled, files that have been modified are automatically backed up. If RansomOff detects ransomware and performs a cleanup, it will attempt to restore any files modified by the ransomware. If this setting is disabled, then files are not backed up or restored.
  • Folder Protections: Additional protections can be applied against specific folders. If enabled, the protections are applied. If disabled, they are not.

One thing to note about the protections is that folder defenses and policy enforcement is tied to the overall ransomware protection. If you turn off ransomware protection, then those two other protections also will turn off. But you can toggle either one of those protections without impacting the overall ransomware protection.

RansomOff is designed to only be run at Windows start up. Once you close RansomOff, the only stable way to restart it is via a reboot. Restarting it through Windows Services can lead to undefined behaviors.

There are two aspects to RansomOff alerts. There is the actual alert message you receive when ransomware activity is detected and then there is the alert logging that saves information about all detected and user initiated activity.

You can open the alert log from the main window or through the right-click menu from the task bar icon. Once open, you'll see a top pane that will contain icons with a short text describing when the alert was recorded. An icon that is an envelope with a yellow star means that that particular alert message has not been read yet. An radar style icon indicates that the alert message is informational. It can be a standalone message or can be associated with a malicious alert message as indicated by a skull and crossbones icon.

Click on any of these icons will show the actual message details in the text box below the icon pane. This allows you to see what was detected, what action was selected and any cleanup and restoration activities performed by RansomOff. If the message type relates to a Windows start up change, then a button will appear at the button right corner that will allow you to easily delete that modification if it is not legitimate.

When ransomware activity is actually detected, then an alert popup will be displayed.

As an added layer of protection, RansomOff provides you the ability to control what programs run on your system. To enable or disable the App Lockdown protection, either click the 'Lockdown' button on the main form or select the 'App Lockdown' item from the task bar menu.

There are a few ways that process filtering can occur. The include:

  • All processes: Every process that runs will have a notification shown unless the process has already been exempted.
  • New process execution: RansomOff keeps a log of all processes run during a session. If a process has not already executed then RansomOff will show a notification. This log is cleared on reboot.
  • Exempt Windows processes: This option applies to the two filter options above. If selected, all Microsoft signed executables will be automatically exempted and no notification will be shown. However, the various Microsoft scripting tools such as PowerShell will still cause a notification.
  • Exempt signed Program Files: Similar to the Windows option, when selected any signed process located in the Program Files directories will be automatically exempted.
  • All unsigned processes: Any process that is unsigned, unless previous exempted, will cause a notification to be shown.

App Lockdown can be auto-started based on a process trigger or after a set period of time past login. Process triggers can be added by clicking 'Set Processes' then simply adding the process you want to act as a trigger. When that program runs, App Lockdown will automatically enable if disabled. App Lockdown can also be automatically turned off when the set processes exit. If the option is checked, when all auto-trigger processes close, App Lockdown will turn off.

Notifications are shown in the lower right corner of the screen. They allow you to allow the process to continue executing or to deny it which cause it to close immediately. You also have the option to remember the choice you made. If the checkbox is checked, then an allow or block exemption will be added and evaluated next time that process is run.

The exemptions can be found on the 'Exemptions' form which is accessed from the main form or through the task tray menu. You can remove existing exemptions or change their status from Allow to Block or vice versa.

It's important to note that the lockdown settings do not persist through a reboot.

It's an unfortunate fact that all software may impact other software in inadvertent ways. Therefore, RansomOff provides an exemption capability to make sure RansomOff does not interfere with that process. As a piece of security software, other security software are the most likely to experience interference therefore RansomOff will automatically look for installed security software and exempt them for you. This automatic searching is done via WMI so the security software needs to be registered with Windows for RansomOff to find it. If other security software is not in your exemption list automatically, then you'll need to add it manually.

RansomOff maintains a block list of all software detected and confirmed as ransomware. If the same file tries to execute again, RansomOff will automatically stop it. Files can only be removed by the user from the block list once added by RansomOff. The user cannot add files themselves.

You can also exempt folders so that RansomOff's file backup capability will not backup files from those directories. This is to prevent unnecessary backups of files that you may already backup with another solution. Exempting backup folders is mainly a performance tweak designed to reduce processing load and save disk space.

RansomOff has its own file backup and restore capability. This is designed to be a last line of defense in case RansomOff's other detection heuristics fail. RansomOff will make a copy of a file based on certain actions and save it away in protected space in case the user wants to restore it at a later time.

There are a few different modes of operation for the restoration. First, depending on the options, if RansomOff detects ransomware activity and the user confirms it then RansomOff will either automatically restore any files modified by the offending process or just notify the user that there are files available to restore. If the options are set for manual restore then the 'Detected Restore' tab will contain a list of the detected processes in a drop down combo box. When a process is selected, the list box will fill with the available files that can be restored. If a file is selected, some basic information about the file is displayed in the text box to the right of the file listing. Files can be restored individually or in bulk or they can be deleted individually or in bulk if its determined that they are not needed.

A second method of restoring files entails identifying the currently running process that made changes that need restored and then selecting any additional options. Performing a restore in this manner can be useful if the ransomware was not caught by RansomOff but is still running with its ransom screen still showing.

Finally, files can be searched to find a particular file that needs to be restored. If found, that file can be restored individually or all files modified by that same process can be restored as well. This method of restoration is useful if the ransomware process is no longer running and you know at least part name of at least one file that was modified that needs to be restored.

In addition to the restoration capability, RansomOff also contains a fail safe method to undelete files that may have been inadvertently deleted by RansomOff due to misidentification issues. The undelete capability can also be useful if a ransomware artifact is wanted for further evaluation after it was deleted. It works similar to the restore by name capability where you can search for the file that was deleted.

RansomOff has the ability to provide additional protections to specific folders. These protections apply to all processes except for any that are exempted. The four additional protections that can be added are:

  • Deny: All access to the folder will be denied. Non-exempt processes cannot list the files, create new or open existing files.
  • Deceive: The added folders will appear empty to all non-exempt processes. Even if a file name is known, that file cannot be opened. New files and folders can be created in the directory but will not be visible or accessible.
  • Hide: The added folders will be hidden from all non-exempt processes. File operations can still occur within a hidden directory if the existing files are known.
  • Read Only: The added folders will be read only to all non-exempt processes. This means files can be opened but cannot be written to or deleted. New files and folders also cannot be created.

A folder can only be added to one of these four protection categories at a time. However, the same exempted process can be used over again. A folder must have at least 1 exempted process before the protection takes effect. Non-system root folders can be added to all protections except for 'Hide.' Identification is based on drive letter so if you remove your device and after it is reinserted gets a new drive letter the protections will not apply.

The icon of the folder indicates the current status of the protection. A key that describes what the icon means is at the bottom of the form.

Folder protections persist after reboot.

There are five categories of options for RansomOff; General, Security, File Restore and Undelete and RansomOff Account.

On the general tab, under the general banner there are two options. The first has to do with full screen windows detection. What this means is that if RansomOff detects a top most window that is taking up a large portion of the screen, a notification will appear asking if you want to send the window to the back or to minimize it. This can be useful in situations where a ransom screen prevents any access to the desktop.

The next general option pertains to session 0 alerts. RansomOff only shows the alert window in the session associated with the detected process. Session 0 is the non-interactive session where things like services run and does not have a user associated with it. Because it is non-interactive, any message shown in session 0 will not be displayed to any user so a session 0 alert from RansomOff will sit indefinitely without any user notification. Therefore, if a piece of ransomware is able to run in session 0 then RansomOff has two choices. The first is to automatically block the activity and write a log entry so the user will at least be informed that something occurred. The other option is to notify the active user session, if there is one. If this option is selected, then if a user is logged on and active then RansomOff will notify that user. If there is no active user, it will auto block.

The security options relate to how the user and other software interact with RansomOff. RansomOff contains a number of self-protection methods to prevent malicious tampering but it can be switched off it needed. RansomOff is multi-session aware but if any single user closes RansomOff, it will stop it for all users in all sessions. Therefore, it can be configured that only users in the admin group are allowed to close RansomOff. Additionally, a master security password can be set that is required for any options changes, exemption additions or closing attempts.

The 'Backup and Restore' tab contains options relating to the file backup, restore and undelete capabilities. There are a number of 'Learn More' links that provide quick details on some of the options.

Max File Size: When certain file changes are detected, RansomOff will create a backup copy of that file. The size of the file has an impact on how long the file copy operation takes so the larger the file size the longer the operation time. If you work with very large files that constantly change the performance hit may become undesirable. Therefore, it is advisable to keep this value at a level that does not cause performance degradation and utilize a separate backup method for the large files. Set this value to 0 if you do not want a limit on the backup file size.

Disk: You can select the drive where you would like to have RansomOff store backup file copies. To set a limit on the disk space that RansomOff uses set a cache percentage value between 0 and 100. If you set a zero value but still enable file restore, no files will be recoverable.

Cleanup: The size of your hard disk and the set cache size determine how many files can be saved. RansomOff can make room for newer files by deleting all files at start up, if they are N number of days old or just simply delete the oldest files if the cache is filled. The size that is set for the cache size along with these options will determine how long a file is available to be restored so it is critical to restore quickly after an attack.

On Detection: When RansomOff detects ransomware activity and is confirmed by the user, RansomOff can automatically restore files modified by the ransomware process. However, you can set RansomOff to not automatically restore files but instead notify you if files are available that can be recovered.

The 'RansomOff Account' tab allows you to set your RansomOff.com account credentials and options if you choose to utilize it. When enabled, RansomOff will send information to your server based account so you can stay informed of what's happening across your RansomOff installation. A RansomOff.com account is useful for those that have many computers running RansomOff and want to stay informed of their current status. A RansomOff.com account also provides automatic settings backup which can then be imported onto other systems. A RansomOff.com account is different than the RansomOff Server. The RansomOff Server provides more visibilty and control of the RansomOff agent and is designed for SMB and enterprise clients whereas a RansomOff.com account provides limited control and is primarily for small home networks.

The RansomOff icon in the task tray provides both status updates as well as easy access to RansomOff's features.

The icons also convey status information as described below:

  • The default icon. If this icon animates, then it means that RansomOff is performing ransomware cleanup operations.
  • This icon idicates that RansomOff has been updated but the system needs to be restarted.
  • This icon idicates that RansomOff is not fully engaged with one or more protections turned off.