Review Of Malwarebytes New Anti-Ransomware Tool (With Silent Installation Instructions)

Malwarebytes Anti-RansomWare (MBARW) was formerly known as CryptoMonitor from EasySync software until they were acquired by Malwarebytes. We tested this tool in our office with a physical (eg. not virtualized) Windows 7 64-bit computer, and threw a couple of ransomware infections at it. Please note that Malwarebytes AntiRansomWare is an alpha-quality tool, which means that only IT people should be testing it, and only in a test environment.

We ran the latest CryptoWall 4.0, the ECC-encrypting TeslaCrypt, and a few others notable ransomware samples. Much like CryptoDefense, it does not stop the ransomware dropper samples from downloading the actual encrypting virus payload, but it did render the executable inert on the approximately 30% of samples that it did catch. It also alerted us that the virus was quarantined at this point.

It is not signature-based, and Malwarebytes states that it is not heuristics-based. Our guess is that it is behavior-based and/or has different signals that it uses to give it’s monitored programs a score (for example, it connects to a foreign IP address AND it traverses directories AND attempts to make registry changes AND attempts to delay execution [to prevent advanced virtual-machine based antivirus spam firewalls from thoroughly analyzing it] AND attempts to connect to TOR2Web services AND attempts to launch at startup). Each of these behaviors would increase the likelihood that it is ransomware. Eventually the technology in MBARW should become part of the mainstream Malwarebytes program, much like other technologies that were piloted with separate tools, such as Malwarebytes Anti-Rootkit and Malwarebytes Anti-Exploit. MBARW caught the newer samples. It did not block TeslaCrypt, CTB-Locker (possibly cryptolocker2015 based on the top of the window?), CryptoFortress AKA CryptoLocker2015BreakingbadPay AKA Many samples may not have been ransomware, since it’s difficult to know for sure. Some required .NET 4.0, and some were 16-bit executables and would therefore never run on a 64-bit computer! One even disabled the ability to start in safe-mode by pressing F8. Our testing came to a halt when an adware program took over Internet Explorer with 100’s of Windows and we had to wipe the machine and melt the hard drive in the smoldering cauldron of Mount Morder from whence it came :-).

An interesting thing to note is that quite a few ransomware programs refused to proceed any further when they noticed that vssadmin.exe is missing and deleted themselves. Perhaps they are assuming that there are stronger defenses ahead, or perhaps it is an anti-obfuscation method to hinder further analysis by antimalware engineers. Also some ransomware were seen that encrypted some, but not all, .exe files in the current directory and in child directories down the path. Many were seen which happily encrypt other ransomware’s HELP_RESTORE_FILES {.txt, .png, .html} documents, leaving files with incredible names such as HELP_RESTORE_FILES.exx.ecc.CryptoLocker2015BreakingbadPay.Crypted! and other amusing names. Being encrypted multiple times guarantees that the files will never be restored even if the ransoms were paid, because the payment instructions were encrypted multiple times! Perhaps there is a competition among malware authors to destoy the others, since all known true ransomware will only encrypt the files that they are targetting, to prevent system instability or total failure which would make payment impossible. An artifact of this fact is the fact that Word and Microsoft Office almost always need to a repair install, as the Word template gets encrypted (wow, Microsoft actually designed something smart for once)!

Also notable is that giving a file an unusable extension such as .good ensures that it will not be touched. Perhaps file extension obfuscation or MacOS style Resource Forks that denote which editing program launches which file, will be a future tactic against the scourge of ransomware on the Operating System level. Perhaps an enterprising author could come up with a shareware utility that chooses a random extension for all Word files, and another for Excel files etc…. Then when the tool noticed that a file is being sent or emailed or copied to external storage or networked storage, it could be renamed to the right extension. We have yet to see a ransomware that encrypts all files. It could be accomplished via UEFI boot viruses, which are known to be in the wild, but most ransomware seems to assume that the person only has one computer they can access, and it would interfere with the victims ability to pay.

Malwarebytes AntiRansomware can be download from the Malwarebytes Forum or linked from their most recent blog post. It runs on XP and later. Early testers beware: this tool can cause problems if the installer is not launched as an administrator. Some users were to not be able to log on to Windows, Mcafee was detected as a ransomware. It also caused trouble with many other programs such as: Kaspersky, Nvidia graphics drivers, Allways Sync, Webroot,, VIPRE Antivirus, Chrome, GTA V, TrustedInstaller.exe, Microsoft’s Jigsaw puzzle, Clean Master, Steam, Norton Security, CCleaner Pro, Adobe Update etc, Internet Explorer… so it should be considered alpha-level at the moment.

In the future, if you are deploying MBARW company-wide, you can script it’s silent installation with this command (it uses JRsoftware’s InnoSetup for installation):


To silently uninstall the program, use this command:

"%ProgramFiles%\Malwarebytes\Anti-Ransomware\MBARW_Setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

Caveat emptor: Like Malwarebytes Anti-Exploit (which is for protecting Web Browsers from zero-day exploits), the software might only be free for testing purposes during the beta period.

If you are in need of shoring up your business’s network defenses, we also offer AntiVirus packages that prevent all unknown executable’s from making web connections (such as ransomware phoning home and attempting to obtain their private encryption key or to allow a hacker access to the infected computer) and we also offer exactable white-listing solutions that can be deployed globally and updated easily.

Contact us for more details


Recent Posts