A glimpse of how we test Ranstop (the human approach)

Temasoft Labs is a particular mixture of humans and machines, very similar to a microbiology laboratory. Both do the same thing: search for and analyze disease-causing agents, because that is the first step in fighting this particular type of infectious agent, ransomware. Just like its biological counterparts, ransomware attacks IT infrastructure of any kind and any size in many different ways, so the Lab has to simulate such environments to make the ransomware fully detonate and do its job. From slow virtual machines to server-grade hosts, we have had to add everything.

Temasoft Ranstop, just like a medicine, cures the infected PC and prevents further damage. It does this successfully because of the hard work of both humans and machines in the Lab. But how did it get here?

Our product takes a different approach to the fight against ransomware: it analyzes the behavior of processes instead of relying on classic signature-based scanning engines. It is teamwork across all components. Every read, write, copy, edit, delete and similar file operation goes through Ranstop at the lowest possible level of the operating system, the kernel. By working at this level, rather than hooking user-mode APIs that a sample can bypass, we make sure that no file operation goes unobserved.

Testing the driver is quite difficult because kernel mode is an entirely different world from the user mode we are all used to; it is technical to the point where very specialized skills are needed just to understand it. To speed up the process, the Ranstop team uses Temasoft-developed software, Temasoft FileMonitor, to analyze ransomware behavior and test Ranstop's accuracy. This is our microscope: it reports file activity and also uses the driver to perform other specific actions.

The detection rate at the time of writing is 100%, meaning no ransomware sample in our test set got away or held any files hostage. Because we love the number "100", with every release we perform "the 100 test": executing 100 different, working ransomware samples on the same host with Ranstop installed and verifying that no file is lost. The samples cover ransomware from different time periods, different types of attack, various encryption algorithms, signed and unsigned binaries, and so on. In short, "the 100 test" ranges from strains of the "influenza" virus to the fatal "Ebola". After executing all samples, we verify that the machine is still functional and that all files were successfully rescued (restored). This is how Ranstop looks after the test:


We are aware that ransomware evolves fast, and in the future there may be rare occasions when a sample circumvents our detection engine. However, our final goal is to keep data safe so that the user never has to pay the ransom, even when we cannot stop the ransomware itself. This is how we stand apart from traditional AV and backup tools, which often fail to protect the user's data because the backups themselves become part of the ransomware attack. To achieve this goal, we included a very robust automatic file recovery system, itself protected by our driver, and we dedicate a good amount of effort to testing this functionality in different scenarios to make sure the protection of the backup repositories holds, so that users' valuable files are always safe.
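To make the two ideas above concrete, the behavioral scoring of file operations and the recovery repository that is filled before a process is allowed to damage a file, here is a small added example. It is not Ranstop or FileMonitor code and it does not reproduce their heuristics; the event format, the indicator weights, the window and threshold, the "known extensions" list and the in-memory repository are all assumptions chosen for the demonstration. The event stream is constructed: one process edits a document normally, another overwrites every document with ciphertext-like bytes and renames it to a .locked extension, which is the pattern the scorer is meant to catch.

```python
"""Toy behavioral ransomware detector with copy-before-modify recovery.

Added example, not Ranstop or FileMonitor code. It consumes file-activity
events of the kind a kernel filter would report, scores each process on
encryption-like behavior inside a sliding time window, and keeps a copy of
every file before a process first touches it so the originals can be put
back. All weights and thresholds are assumptions for the demo.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.0        # bits/byte; ciphertext sits near the maximum of 8
WINDOW_SECONDS = 10.0     # sliding window per process (assumed)
ALERT_THRESHOLD = 12      # points inside the window before a process is flagged
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".jpg", ".pdf", ".png"}  # assumed


@dataclass
class FileEvent:
    t: float             # timestamp in seconds
    pid: int             # process that performed the operation
    op: str              # "write", "rename" or "delete"
    path: str
    data: bytes = b""    # payload for writes
    new_path: str = ""   # target for renames


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform byte values)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def indicator_points(ev: FileEvent) -> int:
    """Score one event. High-entropy overwrite, rename to an unknown
    extension and delete are the indicators; the weights are assumptions."""
    points = 0
    if ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY:
        points += 3
    if ev.op == "rename" and os.path.splitext(ev.new_path)[1].lower() not in KNOWN_EXTENSIONS:
        points += 3
    if ev.op == "delete":
        points += 2
    return points


class BehaviorScorer:
    """Sliding-window point total per process."""
    def __init__(self):
        self.history = defaultdict(deque)   # pid -> deque of (t, points)
        self.flagged = set()

    def feed(self, ev: FileEvent) -> bool:
        """Return True when this event pushes ev.pid over the threshold."""
        q = self.history[ev.pid]
        q.append((ev.t, indicator_points(ev)))
        while q and ev.t - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if sum(p for _, p in q) >= ALERT_THRESHOLD:
            self.flagged.add(ev.pid)
            return True
        return False


class ProtectedStore:
    """In-memory stand-in for a file system plus a driver-protected recovery
    repository: the original content of a file is saved the first time a
    given process modifies it, and files a process created are remembered."""
    def __init__(self, files: dict):
        self.files = dict(files)              # live file system (constructed)
        self.snapshots = defaultdict(dict)    # pid -> {path: original bytes}
        self.created = defaultdict(set)       # pid -> paths it brought into existence

    def apply(self, ev: FileEvent) -> None:
        if ev.path in self.files and ev.path not in self.snapshots[ev.pid]:
            self.snapshots[ev.pid][ev.path] = self.files[ev.path]
        if ev.op == "write":
            if ev.path not in self.files:
                self.created[ev.pid].add(ev.path)
            self.files[ev.path] = ev.data
        elif ev.op == "rename":
            self.files[ev.new_path] = self.files.pop(ev.path)
            self.created[ev.pid].add(ev.new_path)
        elif ev.op == "delete":
            self.files.pop(ev.path, None)

    def restore(self, pid: int) -> None:
        """Undo everything pid did: drop what it created, put originals back."""
        for path in self.created.pop(pid, set()):
            self.files.pop(path, None)
        for path, data in self.snapshots.pop(pid, {}).items():
            self.files[path] = data


def build_sample_events():
    """Constructed stream: pid 100 saves an edited document; pid 200 overwrites
    every document with ciphertext-like bytes and renames it to .locked."""
    originals = {f"/docs/report{i}.txt": f"quarterly report {i}\n".encode() for i in range(4)}
    ciphertext = bytes(range(256)) * 2       # stand-in for encrypted output, entropy 8.0
    events = [FileEvent(0.5, 100, "write", "/docs/report0.txt", b"quarterly report 0 (edited)\n")]
    t = 1.0
    for path in originals:
        events.append(FileEvent(t, 200, "write", path, ciphertext))
        events.append(FileEvent(t + 0.1, 200, "rename", path, new_path=path + ".locked"))
        t += 0.3
    return originals, events


def run_simulation():
    """Feed the events through store and scorer; a flagged process is blocked
    from further access and its changes are rolled back from the repository."""
    originals, events = build_sample_events()
    store, scorer = ProtectedStore(originals), BehaviorScorer()
    for ev in events:
        if ev.pid in scorer.flagged:
            continue                          # blocked: no more file access
        store.apply(ev)
        if scorer.feed(ev):
            store.restore(ev.pid)
    return scorer.flagged, store.files, originals


if __name__ == "__main__":
    flagged, files, _ = run_simulation()
    print("flagged processes:", flagged)
    for path in sorted(files):
        print(path, files[path][:24])
```

In this run pid 200 accumulates three points for each high-entropy overwrite and three for each rename to an unknown extension, so the fourth event pushes it over the threshold; at that point only two documents have been touched, and both are restored from the repository, while the normal edit by pid 100 survives because it never scored. The point worth noting is the order of operations: the copy into the repository is taken before the modification is allowed to proceed, and the repository is only useful if the ransomware cannot reach it, which is exactly why the text above says the recovery store is itself protected by the driver.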

Last but not least, apart from internal tests, we also rely on feedback from users and communities of IT professionals, for which we are very grateful. Special thanks to the members of the MalwareTips community, who have helped us with detailed reviews and ransomware samples.

For more information, follow us on social media and subscribe to our newsletter.