Strengths: Shows a lot of promise with a little rethinking of its approach.
Weaknesses: Forces use of a domain controller; assumes the loss of some number of unrecoverable files is acceptable; slow response to ransomware (17 seconds, when encryption can begin much faster); no rollback of encrypted files.
Verdict: A promising product not quite ready for prime time.
CryptoStopper addresses the infection phase - Phase 2 - of a ransomware attack. Its functionality is very limited in that it detects encryption activity only on a network share. There are several reasons we believe this is not enough. First, we know that not all users save documents to share drives. For example, travelling users often keep working documents on their endpoint devices. Second, drafts often are kept on the endpoints, with the share drives used for sharing and archiving. Finally, there are users who never come into the office - home workers, telecommuters, etc. - who find access to share drives over the internet cumbersome, so they keep documents on their endpoint machines. None of these files is protected from ransomware, especially given that the endpoint is the initial target of the ransomware.
Another issue we have with this product is that it waits until it sees encryption actually occurring, as opposed to seeing the encryption mechanism starting. It accepts that for some very short period of time encryption will occur that cannot be interdicted. Given that assumption - likely an accurate one - it is notable that it has no mechanism for automatic rollback of damaged files.
It assumes a time to detection of 17 seconds, which we believe is far too long in light of the efficiency of today's ransomware. While it is true that, depending on the delivery mechanism, it may take up to two minutes to start encryption, our tests revealed unprotected files that could not be recovered. It also has no mechanism for removing the ransomware; rather, it depends on in-place anti-malware.
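To make the detection-latency point concrete, here is an added illustration written for this review; it is not CryptoStopper's code and does not describe how that product actually decides that encryption is under way. It assumes a simple heuristic of its own: a file on the share whose content has become near-random (Shannon entropy close to 8 bits per byte) is treated as encrypted. The sample share, file names and the number of "damaged" files are constructed here so the script runs offline, and the report it returns is exactly the number the review cares about: files already unrecoverable by the time a detector that only watches for encryption in progress can react.

```python
# Added example, not CryptoStopper's code: an entropy-based detector for
# encryption activity on a share, plus a count of files already damaged when
# detection fires. All sample data below is constructed for this illustration.
import math
import os
import pathlib
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0 (assumed cut-off)
SAMPLE_BYTES = 65536      # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: pathlib.Path) -> bool:
    """Heuristic: a document whose head is near-random is probably encrypted.
    Caveat: already-compressed formats (zip, jpeg, docx) are also high-entropy,
    so a real deployment would pair this with rename/extension and rate checks."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_share(root: pathlib.Path) -> list:
    """Return sorted relative paths of files under `root` that look encrypted."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and looks_encrypted(path):
            hits.append(path.relative_to(root).as_posix())
    return hits


def build_sample_share(root: pathlib.Path, total: int = 10, damaged: int = 3) -> list:
    """Constructed sample data: write `total` plaintext documents, then overwrite
    the first `damaged` of them with random bytes to stand in for files that were
    encrypted before a detector reacted. Returns the names of the damaged files."""
    root.mkdir(parents=True, exist_ok=True)
    text = ("Quarterly report draft. The quick brown fox jumps over the lazy dog.\n" * 40).encode()
    names = ["doc%02d.txt" % i for i in range(total)]
    for name in names:
        (root / name).write_bytes(text)
    for name in names[:damaged]:
        (root / name).write_bytes(os.urandom(4096))   # stand-in for ciphertext
    return names[:damaged]


def detection_report(root: pathlib.Path) -> dict:
    """What a detector sees when it finally fires: which files are already gone."""
    hits = scan_share(root)
    return {"flagged": hits, "damaged_before_detection": len(hits)}


def demo_run() -> dict:
    """Build the constructed share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = pathlib.Path(tmp) / "share"
        build_sample_share(share)
        return detection_report(share)


if __name__ == "__main__":
    print(demo_run())
```

The point of the report is the gap the review describes: by the time a content-based check notices ciphertext on the share, every file it flags is already lost unless a backup or rollback exists. Detection that keys on the encryption mechanism starting, or on the first rename or rewrite of a decoy file, would fire earlier; this heuristic alone cannot.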
We set up a test bed with a server containing three shared folders and an endpoint sharing those three folders and their content. We populated the shared folders with over 46,000 files and ran our ransomware. For both Locky and Satan RaaS, we saw total encryption when we ran them on the endpoint. Every file in the share drives was encrypted on each of our two runs. Having confirmed the vulnerability of the shares, we reverted the VMs and installed CryptoStopper per developer instructions. We ran Locky. Locky is the number one ransomware in the wild at present and it does its damage with blazing speed.
There were quite a few files encrypted before CryptoStopper was able to interfere. We had the same results with Satan, with the exception that fewer files were encrypted; Satan is quite a bit slower than Locky. Those damaged files could only be recovered from backups, if backups existed and if the malware had not been backed up as well.
Additionally, the product requires a domain controller. Not all businesses - SMBs, for example - use a domain controller. Setup was a bit convoluted and the documentation did not give us enough. Support was helpful and we got things working properly. However, there is no easy way for the program to tell the user that it has done its job. We don't mind that if we have high assurance that the product has - between interdiction and rollback - done its job. We don't want users panicking because they've suffered a ransomware attack that did no damage.
The product runs only on MS Server 2008 SP2 and above. 8/5 support is included, by email, phone and chat. The website is mostly a marketing site with a few articles relating to product support. The documentation was a bit weak. The product shows a lack of maturity and needs to be rethought in light of today's threatscape and enterprise architectures. It shows some promise, but it is not quite where we would like to see it at this point.