RansomOff is an entirely free anti-ransomware tool from US security vendor Heilig Defense.
The program markets itself as "the world's most advanced anti-ransomware solution". That's a very big claim, but browse the feature list and RansomOff does seem to deliver more than most of the competition.
For starters, you get a signature-less detection engine that looks for threats by their behaviour, which in theory should block new and undiscovered malware strains.
The program protects local, removable and network drives, and even shields your MBR (master boot record) from attack, an extra you rarely see in free anti-ransomware software.
RansomOff uses multiple techniques to detect threats, including looking for programs adding themselves to your startup lists, changing system files or using process hollowing (replacing the content of a legitimate process with malicious code).
A future commercial version will include enterprise-level device management, with the ability to monitor and control multiple RansomOff agents from a central web console. There's no information yet regarding when this might be released, or how much it will cost.
RansomOff doesn't require any form of registration to download. Installation is mostly straightforward, although it does have one unusual option. You're immediately offered a chance to whitelist security or other applications that you don't want to be blocked by the program, a sensible extra touch.
We rebooted after installation and quickly noticed a problem. Our Office 2016 applications refused to start, with no clear error message explaining why. Whitelisting the Office folder restored normal operations, but this does indicate that RansomOff can cause major issues with other software.
Checking out RansomOff's installation revealed two major background processes using more than 70MB of RAM between them. That's bulkier than some of the competition, but unlikely to make much difference to the average PC.
Browsing RansomOff's files revealed no real issues, either. The executables were digitally signed, the components used were much as we would expect, and its files and processes were all properly protected from deletion. Even if malware noticed RansomOff's presence, it wouldn't be easy to disable.
The program includes some interesting bonus features. As well as offering general ransomware protection, it has a complete folder management system. There are options to hide or restrict access to specific folders, or make them read only. It can also hide the contents from all but approved applications, so anything else that accesses the folder will think it's empty.
A clumsy interface ignores the usual approach of making everything available from a single console, instead forcing you to control features and open separate dialogs from a system tray icon.
We quickly noticed that most dialogs were set to be on top of all other windows. If you want to open Explorer at the same time, maybe to inspect a particular folder, you might have to move the RansomOff window out of the way before you can see what you're doing. We can understand this approach for alerts – it's important these can appear above ransomware top-level windows – but it makes less sense for configuration dialogs.
The interface doesn't always work as you'd expect. The 'Protection' dialog displays what look like on/off switches for each protection type, but clicking them has no effect: they're just graphics. You must toggle them on or off by clicking a text link, instead. That wouldn't be a major problem, except that as soon as you click one, the dialog disappears. If you want to toggle all five protection types, you must open the same dialog five times.
Other issues appeared over time. We noticed that if we toggled a RansomOff protection setting while working in Notepad, the current date and time was inserted into our document as soon as the RansomOff dialog closed. Was the program simulating a keypress? Maybe an F5 to refresh some windows, forgetting that F5 means ‘insert date and time’ in Notepad? It didn't matter much in this case, but who knows what a simulated F5 could do in other applications.
RansomOff detects more signs of malware than other anti-ransomware packages, but we found it raised more false alarms, too. We got an alert complaining of ‘process hollowing’ detected in an Epson software component. Experts will probably appreciate the extra details, but we'd hazard a guess that most users won't have the faintest idea what ‘process hollowing’ might be and what it might mean for them.
We've seen the developer suggest that many RansomOff problems can be fixed by making sure you exempt security and maybe other programs. That might be true, but it's still an issue when compared to other tools, which typically coexist with most applications without causing any conflicts at all.
Measuring the performance of anti-ransomware tools is a real challenge. Their big claim is the ability to detect new and previously undiscovered malware, but you can't test this unless you have samples available.
What we can do is find out how a tool deals with known ransomware. We tried running Cerber on a RansomOff-equipped system, and after a short pause it popped up an alert. This gave us the option to block the program, or allow it, which introduces the possibility that a user might make the wrong decision. But it's also more flexible, and helps avoid the hassle of any false alarms. We chose to block the action; the process was closed and our data remained intact.
Next up, we ran KnowBe4's RanSim, a smart testing tool which simulates 10 types of ransomware behaviour. RansomOff jumped in immediately to block the very first test, so we didn't get a full report, but once again it showed the program was detecting threats as they arose.
Finally, we turned to RanTest, a ransomware simulator of our own. This is extremely basic, but because the code has never been released, we know that anti-ransomware apps won't have encountered it before.
Despite its obscurity, RanTest couldn't escape detection, and wasn't able to encrypt a single file. RansomOff paused the process immediately, displayed its alert and asked if we wanted to kill the threat. One click and we could continue as normal.
Other anti-ransomware tools often leave the malicious executable intact, but RansomOff goes further here, too. A ‘permanent block’ option deletes the offending file and adds it to a ‘Blocked’ list, ensuring you can't run it again and helping to protect against further danger.
RansomOff is an interesting choice for experts, who'll love the comprehensive protection and advanced tweaks on offer. The interface needs work, though, and it's possible there will be major conflicts with other software.