RansomOff Documentation Latest version: 5.2018.301.6900

Documentation is always changing, just like RansomOff, so please check back for the latest.

RansomOff is a free-for-home-use, signature-less endpoint security solution designed to do one thing: stop ransomware dead in its tracks.

RansomOff is fast, lightweight and effective at stopping all major ransomware families.

RansomOff protects your files on local drives, removable devices and network shares and even protects your Master Boot Record (MBR) from malicious overwrites.

RansomOff uses a layered approach for protection with both active and passive measures. First, RansomOff has its own file backup and restore capability. This ensures that if a piece of ransomware is able to bypass RansomOff's other detection methods, you'll likely be able to get your files back. Second, RansomOff automatically judges a program's risk based on numerous factors and then applies the appropriate protection strategy to catch any possible ransomware-like behavior. Third, RansomOff employs a variety of HIPS protections in order to ensure that the integrity of your system remains intact. Fourth, if ransomware is detected then RansomOff will clean up your system to get it back to its pre-infection state.

Installing RansomOff is no different than installing any other piece of software. The installer is easy to use and will guide you through the installation process. It is best to close all applications before installing as the system will need to be restarted to complete the process. When the installer starts it will check for two requirements:

  • Windows 7 SP1 or greater
  • .NET 4.5.2 or greater

If either of these requirements is not met then the RansomOff installation will abort. If your system meets these requirements then you will be presented with the initial installation screen. Here you will be asked to select the mode that RansomOff should run in as well as given an opportunity to read and accept the license terms and conditions.

If Simple Mode is selected then when you click 'Install RansomOff' the next screen will begin the actual installation process. Simple Mode installation bypasses the other options that are available in Advanced Mode such as choosing the path where RansomOff is installed, selecting MBR protection, and selecting security software to exempt. If Advanced Mode is selected then these screens are available for customization.

In Advanced Mode installation you'll have the ability to add processes to the initial exemption list. Once any processes are added the installation is complete and the system is ready to be restarted. When the installation program closes the system will be restarted automatically.

Please note that RansomOff does not add an icon to the start menu or the desktop. This is because RansomOff is designed to load with Windows and not be restarted manually. In fact, if you attempt to run the RansomOff agent (HDROAgent.exe) manually you will receive an error. While you can manually restart the service after shutting down, your protection will be degraded and some features will not work as expected. This behavior may be undesired for some but it's important to understand why it is necessary.

RansomOff is not like a regular anti-virus/malware program. It does not use signatures, so its protection heuristics rely on understanding its environment. In order to have the best picture, RansomOff needs to load with Windows and constantly monitor activity. If RansomOff is closed and subsequently restarted, a gap occurs in its picture and RansomOff will not have all the information it needs to make an appropriate protection decision. Therefore, if you must shut down RansomOff, it is highly recommended to restart your system so RansomOff can get back to a proper state.

Before beginning the uninstall process, you must first exit RansomOff. If RansomOff is still running the uninstaller will display an error and exit. It is also recommended that all other processes be closed because the system will need to be restarted to complete the uninstall. Unlike the installation process, the uninstaller does not automatically restart the system.

The uninstaller can be accessed through the Control Panel's Add/Remove Programs item. Select 'Heilig Defense RansomOff' from the list and click 'Uninstall.' On the first screen displayed click 'Uninstall RansomOff' and the uninstall process will begin.

It is HIGHLY recommended that you do NOT use a third party uninstaller, such as Revo, when uninstalling. Doing so could make your system unstable.

RansomOff's user interface is based on Google's Material Design concept. For any Android users, many of the UI elements will already be familiar because the same layout style has been used in Android since v5.0. Here is just a quick overview of some of the design elements to help those that are not familiar.

  • Listbox Check Button - In most listboxes, there will be one of these round buttons on each row. There is a dual purpose for these buttons. The front icon generally indicates some status information about the list item. In this case, the open envelope means that the alert has been read.

    But it also acts as a check box so that you can indicate you want to select the item. Once clicked, the button will flip over and display a check mark. The check mark means that the row item is selected which you can then perform other follow on actions against such as deleting the item.

  • Floating Menu Button - If available, the floating menu button is found in the lower right corner of a list box. The purpose of this button is to provide context menu options for actions against the items in the box. When you put your mouse over the button, a context menu will grow upwards and give options relating to the items.

  • Dropdown Menu Button - This three-vertical dot button is located in the upper right of a window and is designed to provide menu options.

  • Toggle Button - The toggle buttons are like check boxes to indicate on/off or selected/unselected status. When the circle is to the left that indicates the button is off while the circle to the right indicates on.

RansomOff has two modes of operation designed to accommodate different levels of users. The two modes are Simple and Advanced.

Simple Mode is meant for inexperienced computer users who may not understand the various options and alerts that RansomOff provides or for experienced users who just don't want to be bothered.

When in Simple Mode, RansomOff will set the protection settings to a reasonable level designed for a balance of security and usability. When ransomware or some other threat is detected, RansomOff will automatically respond without any alerts to the user. The only indication that RansomOff responded to a threat is the task tray icon, which will briefly animate. While in Simple Mode RansomOff will not perform a full system cleanup; however, a cleanup can be requested through the Alerts window. Simple Mode does not support App Lockdown or Folder Protection. To summarize Simple Mode:

  • No alerts
  • Pre-defined HIPS settings
  • Limited UI
  • Automatically blocks threats
  • No automatic cleanup

Advanced Mode is the full featured mode of RansomOff. All options are available and you will be alerted if a threat is detected.

The initial mode of operation can be selected during installation, however switching between modes once RansomOff is running is easy. You can switch to Advanced Mode by clicking the button on the UI and you can switch to Simple Mode from the task tray popup menu.

The main RansomOff window is designed to give quick information on the various components and overall status of RansomOff.

In both Simple and Advanced Mode, a large pulsating green shield icon indicates that RansomOff is protecting your system while a similarly sized pulsating red alert icon means that ransomware protection is turned off. There is a toggle button in the top left corner of the window which allows quick protection changes. While in Advanced Mode, the main UI also shows the status of the various sub-components of RansomOff. Here you can see whether App Lockdown, Backups, Folder Protections and HIPS-Lite are enabled by the color of their respective icons. A light green glow indicates it is enabled while a plain icon means it is disabled. Clicking on the icon causes the icon to flip over to give you access to a toggle button to change the status and to a settings button that will open the respective settings.

There are additional buttons along the bottom of the interface that provide access to more settings. Hovering over most buttons and toggle switches will cause a tooltip to appear which gives some more indication of their purpose.

There are two aspects to RansomOff alerts. There is the actual alert message you receive when ransomware activity is detected and then there is the alert logging that saves information about all detected and user initiated activity.

You can open the alert log from the main window or through the right-click menu from the task bar icon. Once open, you'll see a list of all recorded alerts with the newest alerts first. The alert title gives an overview of the alert while the sub title displays the date/time of the activity. Simply clicking the alert item will cause the alert details to appear. Depending on the alert type there may be additional options below the alert details. It's possible to exempt a process, delete a process or registry key or to request a cleanup from the alert window.

The alerts can also be deleted. You can delete individual alerts through the 'Delete Alert' button that will be displayed below the alert details or you can delete in bulk by clicking the three vertical dots located beside the maximize window button. This will display a menu that provides additional deletion options. To delete selected alerts, you must first click the alert icon (which will either be an open or closed envelope). Once clicked, the icon will change to a check mark.

The alerts can also be filtered by read and unread alerts. To toggle the filter, simply move your mouse over the large button found in the bottom right corner. That will cause a menu to pop up which then lets you toggle the read and unread display filters.

When ransomware activity is actually detected, then an alert popup will be displayed. The front of the alert window will display basic information about the threat but if you would like more details, you can click the 'View Details' button which will flip the alert window over to display additional information about the threat. The backside of the alert will also allow you to select which course of action to take.

Finally, RansomOff has a strong cleanup ability designed to get your system back to the point before the infection occurred. RansomOff will delete files, registry keys, and scheduled tasks that may have been created by the threat before RansomOff detected the malicious activity. When RansomOff is performing the cleanup, a full screen popup is displayed. However, this popup can be hidden and turned off completely in the options.

As an added layer of protection, RansomOff provides you the ability to control what programs run on your system. App Lockdown can be enabled or disabled on both the main windows (in Advanced Mode) or through the App Lockdown window itself.

There are a few ways that process filtering can occur. They include:

  • All processes: Every process that runs will have a notification shown unless the process has already been exempted.
  • New process execution: RansomOff keeps a log of all processes run during a session. If a process has not already executed then RansomOff will show a notification. This log is cleared on reboot.
  • Exempt Windows processes: This option applies to the two filter options above. If selected, all Microsoft signed executables will be automatically exempted and no notification will be shown. However, the various Microsoft scripting tools such as PowerShell will still cause a notification.
  • Exempt signed Program Files: Similar to the Windows option, when selected any signed process located in the Program Files directories will be automatically exempted.
  • All unsigned processes: Any process that is unsigned, unless previously exempted, will cause a notification to be shown.

App Lockdown can be auto-started based on a process trigger or after a set period of time past login. Process triggers can be added by clicking the settings button located to the right of the option then simply adding the process you want to act as a trigger. When that program runs, App Lockdown will automatically enable if disabled. App Lockdown can also be automatically turned off when the set processes exit. If the option is checked, when all auto-trigger processes close, App Lockdown will turn off.

In order to make App Lockdown configuration easier, the latest RansomOff version has added quick set button options. Clicking one of the buttons will automatically configure and populate the settings. Currently, only 'Web Lockdown' and 'Reset' are available but additional quick set settings may be added in the future.

Notifications are shown in the lower right corner of the screen. They allow you to let the process continue executing or to deny it, which causes it to close immediately. You also have the option to remember the choice you made. If the toggle button is checked, then an allow or block exemption will be added and evaluated the next time that process is run.

The exemptions can be found on the 'Exemptions' window which is accessed from the main form or through the task tray menu. You can remove existing exemptions or change their status from Allow to Block or vice versa. Exemptions can also be modified directly in the list with an option to add wild cards to the path. In order to modify in place, just select the file path and then perform another single click. This will cause a textbox to hover over the existing path which you can then edit. When done, just hit enter.

It's important to note that App Lockdown does not persist through a reboot. That is, unless you have a trigger defined you will have to manually restart App Lockdown when your system starts. Also, App Lockdown will disable itself when the system is locked and re-enable when unlocked.

RansomOff has its own file backup and restore capability. This is designed to be a last line of defense in case RansomOff's other detection heuristics fail. RansomOff will make a copy of a file based on certain actions and save it away in protected space in case the user wants to restore it at a later time.

There are a few different modes of operation for the restoration. First, depending on the options, if RansomOff detects ransomware activity and the user confirms it then RansomOff will either automatically restore any files modified by the offending process or just notify the user that there are files available to restore. If the options are set for manual restore then the 'Detected Restore' tab will contain a list of the detected processes in a drop down combo box. When a process is selected, the list box will fill with the available files that can be restored. If a file is selected, some basic information about the file is displayed in the text box to the left of the file listing. Files can be restored individually or in bulk, or they can be deleted individually or in bulk if it is determined that they are not needed.

A second method of restoring files entails identifying the currently running process that made the changes that need to be restored and then selecting any additional options. Performing a restore in this manner can be useful if the ransomware was not caught by RansomOff but is still running with its ransom screen still showing.

Files can be searched to find a particular file that needs to be restored. If found, that file can be restored individually or all files modified by that same process can be restored as well. This method of restoration is useful if the ransomware process is no longer running and you know at least part of the name of at least one file that was modified and needs to be restored.

In addition to the restoration capability, RansomOff also contains a fail safe method to undelete files that may have been inadvertently deleted by RansomOff due to misidentification issues. The undelete capability can also be useful if a ransomware artifact is wanted for further evaluation after it was deleted. It works similarly to the restore by name capability in that you can search for the file that was deleted.

Finally, just like other exemptions the Backup and Restore capability can have its own exemptions as well. Any file modified within any exempted folder will not be backed up by RansomOff. This is useful if you have folders with large files such as videos or ISOs or if you have other methods of secure backup available. Because the backups take time to process and require storage space, any exempted path added will make RansomOff more efficient in backing up the files that are truly important.

The exemption window provides four different exemption lists that RansomOff uses in different situations. The first is the protection exemption list. Any process added to this list is considered 'safe' and RansomOff will not monitor activity or alert against it. There is some risk with exempting processes because it's possible they could be co-opted by malware, but RansomOff has some heuristics designed to prevent that. The second list is the block list. The block list contains processes that RansomOff will automatically block from executing. The third list is the App Lockdown list. This list is referenced by App Lockdown to provide pre-made decisions to determine if a process should be allowed or blocked. And the final list is the backup exemption list. This list is used to stop RansomOff from backing up files located in the listed directories.

Entries to the protection exemption list can be added during installation or at any time when RansomOff is running. Individual processes can be added as well as folders which will cause any process within that folder to be exempted from protection.

It's an unfortunate fact that all software may impact other software in inadvertent ways. Therefore, RansomOff provides an exemption capability to make sure it does not interfere with other processes. As a piece of security software, other security software is the most likely to experience interference, therefore RansomOff will automatically look for installed security software and exempt it for you. This automatic searching is done via WMI, so the security software needs to be registered with Windows for RansomOff to find it. If other security software is not in your exemption list automatically, then you'll need to add it manually.
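
A way to check what that automatic search can see on a given endpoint, as an added example that is not RansomOff's own code: the documentation only says the search is done "via WMI", so the assumption made here is that it reads the Windows Security Center registrations in root/SecurityCenter2, the namespace where third-party anti-virus, anti-spyware and firewall products register themselves. The class and property names are real WMI names; the function name is this example's own.

```powershell
# Added example, not RansomOff code. Lists security products registered with the
# Windows Security Center so they can be compared against RansomOff's protection
# exemption list; anything missing here will need a manual exemption.
function Get-RegisteredSecurityProduct {
    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        # The namespace does not exist on Windows Server; SilentlyContinue keeps the loop going.
        $instances = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($i in $instances) {
            # Paths may contain environment variables or be a URI (Windows Defender registers
            # one), so only test for existence when the value looks like a drive path.
            $exe = [Environment]::ExpandEnvironmentVariables([string]$i.pathToSignedProductExe)
            $exists = if ($exe -match '^[A-Za-z]:\\') { Test-Path -LiteralPath $exe } else { $null }
            [pscustomobject]@{
                Category     = $class
                DisplayName  = $i.displayName
                ProductExe   = $exe
                ReportingExe = $i.pathToSignedReportingExe
                ExeOnDisk    = $exists
            }
        }
    }
}

$products = @(Get-RegisteredSecurityProduct)
if ($products.Count -eq 0) {
    Write-Warning 'Nothing is registered in root/SecurityCenter2; security software on this system will need a manual exemption.'
} else {
    $products | Format-Table -AutoSize
}
```

The ProductExe column is the path a WMI-based search would learn about; if your product's executables live elsewhere (helper services, update agents), those paths are the ones to add by hand in the Exemptions window.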

RansomOff maintains a block list of all software detected and confirmed as ransomware. If the same file tries to execute again, RansomOff will automatically stop it. Files can only be removed by the user from the block list once added by RansomOff. The user cannot add files themselves.

RansomOff has the ability to provide additional protections to specific folders. These protections apply to all processes except for any that are exempted. The five additional protections that can be added are:

  • Deny: All access to the folder will be denied. Non-exempt processes cannot list the files, create new or open existing files.
  • Deceive: The added folders will appear empty to all non-exempt processes. Even if a file name is known, that file cannot be opened. New files and folders can be created in the directory but will not be visible or accessible.
  • Hide: The added folders will be hidden from all non-exempt processes. File operations can still occur within a hidden directory if the existing files are known.
  • Read Only: The added folders will be read only to all non-exempt processes. This means files can be opened but cannot be written to or deleted. New files and folders also cannot be created.
  • No Execute: Any executable located in the added folders will not be able to run. There are no process exemptions for this setting.

A folder can only be added to one of these four protection categories at a time. However, the same exempted process can be used over again. A folder must have at least one exempted process before the protection takes effect. Non-system root folders can be added to all protections except for 'Hide.' Identification is based on drive letter, so if you remove your device and it gets a new drive letter after it is reinserted, the protections will not apply.

Folder protections cannot be nested. That means if you add 'C:\users\username' to a protection category then you cannot add 'C:\users\username\desktop' to a different category.
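
To make the nesting rule concrete, here is an added example (not RansomOff's own code) of a check that rejects a candidate folder when it is inside, equal to, or a parent of a folder that is already in a protection category. It compares paths by whole segments so that 'C:\users\user' is not mistaken for an ancestor of 'C:\users\username', and it treats paths case-insensitively with or without a trailing backslash. The function names are this example's own.

```powershell
# Added example, not RansomOff code: segment-aware nesting check for folder protections.
function ConvertTo-NormalizedFolder {
    param([Parameter(Mandatory)][string]$Path)
    # Unify separators, drop any trailing separator and lower-case (NTFS paths are case-insensitive).
    return $Path.Replace('/', '\').TrimEnd('\').ToLowerInvariant()
}

function Test-FolderNesting {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string[]]$ProtectedFolders
    )
    $c = ConvertTo-NormalizedFolder $Candidate
    foreach ($p in $ProtectedFolders) {
        $n = ConvertTo-NormalizedFolder $p
        if ($c -eq $n) { return "already protected as '$p'" }
        # Appending the separator before comparing is what makes this a segment match,
        # not a plain string-prefix match.
        if ($c.StartsWith($n + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return "inside protected folder '$p'" }
        if ($n.StartsWith($c + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return "contains protected folder '$p'" }
    }
    return $null   # no conflict
}

# Constructed sample configuration (not real data)
$protected = @('C:\users\username', 'D:\Projects')
foreach ($candidate in 'C:\users\username\desktop', 'C:\users', 'C:\users\user', 'd:\projects\') {
    $conflict = Test-FolderNesting -Candidate $candidate -ProtectedFolders $protected
    if ($conflict) { "REJECT  $candidate  ($conflict)" } else { "OK      $candidate" }
}
```

Run as written, the first two candidates are rejected (inside and containing 'C:\users\username'), 'C:\users\user' is accepted because it shares only a string prefix, and 'd:\projects\' is reported as already protected. Because the comparison is purely by path string, it also reflects the drive-letter caveat above: a removable device that comes back under a different letter is a different folder as far as this check is concerned.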

The listbox icon of the folder indicates the current status of the protection. An eye with a line through it indicates that the item is not enabled while a regular eye icon means it is enabled. A check mark simply means that the folder or application is selected.

Folder protections persist after reboot.

HIPS-Lite is an additional layer of protection that can be configured and enabled to detect and stop ransomware even earlier. The reason it is called 'HIPS-Lite' is that it is focused on behaviors that ransomware typically uses, unlike other HIPS solutions that are more broadly focused on all types of malicious behavior. However, the HIPS-Lite detections can still be useful against malware other than ransomware.

There are ten HIPS-Lite settings that can be individually configured and toggled on or off. Seven of the settings can be tailored to alert at a level that works best for you. One important thing to understand about RansomOff's HIPS-Lite notifications is that it's not necessarily making an assessment of maliciousness when it displays a notification. This is because the settings allow for various levels of filtering and if it is set at a permissive level then you'll get more notifications than if it's restricted.

HIPS-Lite alerts are generally only triggered once per process. On the first alert that is triggered, the user has the option of allowing or blocking the operation. Allowing the operation internally sets a flag in RansomOff that will cause any future HIPS-Lite triggers to be ignored. Blocking an operation will not only block the action that triggered the alert but will cause RansomOff to block most other subsequent operations by that process. In most cases, that will lead to the process terminating. If block is selected with the cleanup option checked, then RansomOff will block the operation, terminate the application and perform a cleanup of any files or registry keys created by the application.

  • Directory Listing: This will trigger if an application performs a directory listing over pre-set folders.
  • Executable Drop: This will trigger if an application writes an executable file to the disk.
  • Office/PDF Security Bubble: RansomOff identifies the processes that are associated with Office and PDF documents and when one of those processes is executed, RansomOff will prevent it from starting any new child process or from writing an executable to disk. The process list can be modified to add or remove programs but there is no alert associated with this setting. RansomOff will just quietly block the offending action.
  • Process Hollowing: Process hollowing is a technique designed to hide malware inside a legitimate application. RansomOff has detection heuristics to identify if this has occurred and will check every new process as it loads. There are no configuration options for this setting; however, you can turn the hollowing check off.
  • Protected Folder Write: RansomOff's folder protections require that you exempt at least one process so that you can still access your data. Ransomware could take advantage of this by leveraging that process to perform malicious writes. This setting will notify you if a protected folder is written to regardless if the process is exempted or not.
  • Registry Modifications: Ransomware, and most malware, can tweak certain registry settings for a variety of reasons. RansomOff monitors a list of places in the registry that generally should not be modified but can be leveraged by ransomware.
  • System Executable Abuse: Ransomware will use system executables found on every system in order to perform certain tasks. For example, to delete shadow backups ransomware will invoke VSSAdmin. RansomOff monitors process executions and will kill any system process from a select list started under suspicious circumstances. There is no alert associated with this setting.
  • System Process Protection: Similar to executable abuse, ransomware will also leverage currently running processes by injecting code in them. RansomOff can preempt the injection so it can no longer use the system process to do its bidding. There is no alert associated with this setting.
  • System Root Change Detection: Ransomware, and some malware, may try to modify existing executables located in the Windows directory. While not a common technique it is still something that RansomOff can detect and protect against.
  • Top Most Window Detection: Ransomware generally likes to block the screen so that the ransom demand is front and center. This prevents any use of the system while the screen is locked by the ransomware. RansomOff can detect if the full screen is being blocked and can intervene so you can get your desktop back.
  • Windows Start Up Change: Processes and libraries can load with Windows by modifying both the file system and the registry. RansomOff monitors both for changes that may indicate that a process is attempting to run at start up.
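
The 'System Executable Abuse' entry above uses VSSAdmin deleting shadow copies as its example. Since that setting produces no alert, an administrator may want an independent way to confirm whether such an invocation ever happened on the box. The following is an added example, not RansomOff code, of a defender-side check that matches process command lines for that specific pattern. It runs over constructed records shaped like the fields of Security event 4688 (process creation), and the commented-out tail shows how the same matcher can be fed live events; the function name and the sample records are this example's own.

```powershell
# Added example, not RansomOff code: match the shadow-copy deletion command the
# documentation cites, for after-the-fact review of process creation records.
function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Collapse whitespace, then look for vssadmin(.exe) followed somewhere by "delete shadows".
    $cl = ($CommandLine -replace '\s+', ' ').Trim()
    return [bool]($cl -match '\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b')
}

# Constructed sample records (not real log data) using the 4688 field names.
$samples = @(
    @{ TimeCreated = '2018-03-01 10:14:02'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'
       ParentProcessName = 'C:\Users\user\AppData\Local\Temp\update.exe'; CommandLine = 'vssadmin.exe  delete shadows /all /quiet' },
    @{ TimeCreated = '2018-03-01 10:20:45'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'
       ParentProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'vssadmin list shadows' },
    @{ TimeCreated = '2018-03-01 10:22:10'; NewProcessName = 'C:\Windows\System32\notepad.exe'
       ParentProcessName = 'C:\Windows\explorer.exe'; CommandLine = '"C:\Windows\System32\notepad.exe" notes.txt' }
)

# Only the first record matches; the parent process is shown because it is the first thing to triage.
$samples | Where-Object { Test-ShadowCopyDeletion $_.CommandLine } |
    ForEach-Object { [pscustomobject]$_ } |
    Format-Table TimeCreated, ParentProcessName, CommandLine -AutoSize

# Live use (optional): requires "Audit Process Creation" with command-line logging enabled.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         if ($d['CommandLine'] -and (Test-ShadowCopyDeletion $d['CommandLine'])) { [pscustomobject]$d }
#     }
```

The matcher is deliberately narrow; 'vssadmin list shadows' in the second sample is a normal administrative command and is not reported. Without command-line auditing enabled, event 4688 carries no CommandLine field, which is why the live query guards on it.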

Most of the HIPS-Lite settings allow for filtering to cause more or fewer alerts. There are four primary options available that control the level of notifications received:

  • All processes - As the name suggests, any process will cause the alert to trigger. This is the most permissive setting.
  • New process execution - RansomOff keeps track of application activity. If a process has never been seen running before then it will trigger an alert. This activity list resets every reboot.
  • Exempt installed processes - This setting is a filter for the two settings above. Essentially any process that RansomOff determines is legitimately installed on the system will be filtered out and not alerted against.
  • All unsigned processes - Any process that does not have a valid digital signature will cause an alert to trigger.
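
The App Lockdown filter options and the HIPS-Lite filter options above share the same structure: a base mode (every process, only processes new to this session, or only unsigned processes) plus exempt-* options that filter the first two modes. The following added example, which is not RansomOff's own code, models how those pieces combine for a single process. The process record fields, the signer string 'Microsoft Windows', the assumed default install drive and the list of scripting hosts are assumptions made for this example; the documentation names only PowerShell.

```powershell
# Added example, not RansomOff code: how the filter mode, the exempt-* options, the
# remembered exemptions and the per-session process log combine into one decision.
$ScriptingHosts = @('powershell.exe', 'cscript.exe', 'wscript.exe')  # assumed list; the doc names PowerShell

function Test-ProcessNotification {
    param(
        [Parameter(Mandatory)][hashtable]$Process,   # keys: Path, Signed, Signer, Installed
        [Parameter(Mandatory)]
        [ValidateSet('AllProcesses', 'NewProcessExecution', 'AllUnsigned')]
        [string]$Mode,
        [switch]$ExemptWindows,             # App Lockdown: Microsoft-signed binaries are exempt
        [switch]$ExemptSignedProgramFiles,  # App Lockdown: signed binaries under Program Files are exempt
        [switch]$ExemptInstalled,           # HIPS-Lite: processes judged to be installed are exempt
        [hashtable]$Exemptions = @{},       # remembered decisions: path -> 'Allow' or 'Block'
        [hashtable]$SeenThisSession = @{}   # the per-session process log (cleared on reboot)
    )
    $path = $Process.Path
    $name = [System.IO.Path]::GetFileName($path)
    $result = [ordered]@{ Path = $path; Notify = $false; Decision = 'Allow' }

    # 1. A remembered Allow/Block decision is applied silently.
    if ($Exemptions.ContainsKey($path)) {
        $result.Decision = $Exemptions[$path]
        return [pscustomobject]$result
    }

    # The session log is kept in every mode; only 'New process execution' acts on it.
    $firstRun = -not $SeenThisSession.ContainsKey($path)
    $SeenThisSession[$path] = $true

    # 2. 'All unsigned processes' looks only at the signature.
    if ($Mode -eq 'AllUnsigned') {
        if (-not $Process.Signed) { $result.Notify = $true; $result.Decision = 'Ask' }
        return [pscustomobject]$result
    }

    # 3. The exempt-* options filter the two remaining modes (scripting hosts stay visible).
    $isMicrosoft = $Process.Signed -and ($Process.Signer -eq 'Microsoft Windows')
    $inProgramFiles = $path -like 'C:\Program Files*'   # assumes the default system drive
    if ($ExemptWindows -and $isMicrosoft -and ($ScriptingHosts -notcontains $name)) { return [pscustomobject]$result }
    if ($ExemptSignedProgramFiles -and $Process.Signed -and $inProgramFiles) { return [pscustomobject]$result }
    if ($ExemptInstalled -and $Process.Installed) { return [pscustomobject]$result }

    # 4. 'New process execution' notifies only the first time a path runs in this session.
    if ($Mode -eq 'NewProcessExecution' -and -not $firstRun) { return [pscustomobject]$result }

    $result.Notify = $true; $result.Decision = 'Ask'
    return [pscustomobject]$result
}

# Constructed sample processes (not real data)
$seen = @{}
$procs = @(
    @{ Path = 'C:\Windows\System32\notepad.exe'; Signed = $true; Signer = 'Microsoft Windows'; Installed = $true },
    @{ Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Signed = $true; Signer = 'Microsoft Windows'; Installed = $true },
    @{ Path = 'C:\Program Files\Vendor\app.exe'; Signed = $true; Signer = 'Vendor Inc.'; Installed = $true },
    @{ Path = 'C:\Users\user\Downloads\setup.exe'; Signed = $false; Signer = $null; Installed = $false }
)
foreach ($p in $procs) {
    Test-ProcessNotification -Process $p -Mode NewProcessExecution -ExemptWindows -ExemptSignedProgramFiles -SeenThisSession $seen
}
# The same unsigned file run a second time in this session: no notification, it is already in the log.
Test-ProcessNotification -Process $procs[3] -Mode NewProcessExecution -ExemptWindows -ExemptSignedProgramFiles -SeenThisSession $seen
```

With those settings only powershell.exe and the first run of setup.exe produce a notification: notepad.exe is Microsoft-signed and exempt, the vendor application is signed and under Program Files, and the second run of setup.exe is filtered by the session log. Passing the same $seen hashtable across calls is what models the log that survives until reboot.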

It's important to note that these settings are guidelines for RansomOff but are not strictly enforced to the 'T'. This is because RansomOff performs its own assessment based on a number of factors and if it determines that an alert should be shown regardless of the settings, it will.

Additionally, once a HIPS alert is acted on by you, the user, whether you allow or block, RansomOff will no longer monitor that process for other potentially malicious activities.

RansomOff can be configured to communicate with the RansomOff Server in order to provide command and control over a deployment of RansomOff clients. This is useful if you want to use RansomOff on multiple machines and maintain visibility on all of the installs.

When configured, RansomOff will push a variety of data to the server and will also periodically pull updates. This allows the administrator the ability to remotely configure and monitor RansomOff from a simple web interface.

Before this can occur though, RansomOff must be configured to point to your server instance. Simply enter the server's IP address and port it is listening on and then slide the button in the top left corner of the Network Settings window in order to enable remote reporting. When enabled, RansomOff will attempt to first connect to the server to ensure it is valid. If it is not, then an error will be shown.

There are four categories of options for RansomOff: General, Security, File Restore and Undelete, along with the ability to import or export your settings.

On the general tab, under the general banner there are three options. The first sets whether RansomOff should automatically update itself when an update is available. If not checked, then RansomOff will notify you that an update can be downloaded. The other two options deal with user interface settings. Unchecking 'Enable animations' will stop RansomOff from employing some (but not all) animation effects. The second has to do with the cleanup window that is displayed when RansomOff is removing ransomware debris. If unchecked, then the cleanup window will not be displayed.

The next general option pertains to session 0 alerts. RansomOff only shows the alert window in the session associated with the detected process. Session 0 is the non-interactive session where things like services run and does not have a user associated with it. Because it is non-interactive, any message shown in session 0 will not be displayed to any user so a session 0 alert from RansomOff will sit indefinitely without any user notification. Therefore, if a piece of ransomware is able to run in session 0 then RansomOff has two choices. The first is to automatically block the activity and write a log entry so the user will at least be informed that something occurred. The other option is to notify the active user session, if there is one. If this option is selected, then if a user is logged on and active then RansomOff will notify that user. If there is no active user, it will auto block.

The security options relate to how the user and other software interact with RansomOff. RansomOff contains a number of self-protection methods to prevent malicious tampering, but they can be switched off if needed. RansomOff is multi-session aware, but if any single user closes RansomOff, it will stop for all users in all sessions. Therefore, it can be configured so that only users in the admin group are allowed to close RansomOff. Additionally, a master security password can be set that is required for any option changes, exemption additions or closing attempts.

The 'Backup and Restore' tab contains options relating to the file backup, restore and undelete capabilities. There are a number of 'Learn More' links that provide quick details on some of the options.

Max File Size: When certain file changes are detected, RansomOff will create a backup copy of that file. The size of the file has an impact on how long the file copy operation takes so the larger the file size the longer the operation time. If you work with very large files that constantly change the performance hit may become undesirable. Therefore, it is advisable to keep this value at a level that does not cause performance degradation and utilize a separate backup method for the large files. Set this value to 0 if you do not want a limit on the backup file size.

Disk: You can select the drive where you would like to have RansomOff store backup file copies. To set a limit on the disk space that RansomOff uses set a cache percentage value between 0 and 100. If you set a zero value but still enable file restore, no files will be recoverable.

Cleanup: The size of your hard disk and the set cache size determine how many files can be saved. RansomOff can make room for newer files by deleting all files at start up, by deleting files that are N days old, or simply by deleting the oldest files when the cache is full. The cache size along with these options determines how long a file is available to be restored, so it is critical to restore quickly after an attack.

On Detection: When RansomOff detects ransomware activity and is confirmed by the user, RansomOff can automatically restore files modified by the ransomware process. However, you can set RansomOff to not automatically restore files but instead notify you if files are available that can be recovered.

The task bar menu can be accessed by a right click on the RansomOff icon. This menu is only available when in Advanced Mode. In either Simple or Advanced Mode, the main UI can be accessed by a double-click on the RansomOff icon.

The menu provides quick access to the various features of RansomOff so you don't have to open the main window. The menu also provides the ability to quickly toggle folder protections right from the menu. A checkbox on the folder sub menu means that the folder protection is enabled while a blank space means it is disabled.

RansomOff makes use of the task tray icon to convey information about RansomOff's status. The following are the various icons you may see:

  • This is the normal icon of RansomOff. This means that RansomOff is loaded and ransomware protection is enabled.

  • This icon indicates that ransomware protection has been disabled.

  • This is part of an animation icon that displays when RansomOff is performing a cleanup. In Simple Mode, this animation will be the only indication that RansomOff blocked a threat.

  • This is also part of an animation icon to indicate that an update is either ready to be applied or already has been applied.