name="quietman7" post="4454908" timestamp="1519934729"
Cybereason RansomFree is a program which deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, and .rtf files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and are meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.
This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.
Entrapment Protection
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist touching. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!
Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %UserProfile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
RansomFree also deploys a "Disconnected Network Drive (A)" which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive.
If you attempt to remove these files and folders, RansomFree will re-create them.
In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.
The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware, but whatever helps with prevention, I consider useful.
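The following is an added illustration of the canary-file idea described in the post; it is not Cybereason's or EasySync's code. It deploys randomly named decoy files with a plausible extension mix, records a SHA-256 digest of each, and then reports any decoy that has gone missing or changed, which is the condition a honeypot detector treats as an attack in progress. A real product watches the files with a filesystem filter driver and can suspend the writing process; this example only polls and compares, and the "attack" in demo() is constructed (one decoy overwritten in place, one renamed with a ransom extension). The directory names, file count and .locked extension are assumptions for the example.

```python
"""Minimal canary-file (bait file) deployment and tamper check.

Added illustration, not Cybereason or EasySync code: deploy randomly named
decoys, remember their digests, and later flag decoys that vanished or changed.
"""
import hashlib
import os
import random
import shutil
import string
import tempfile

# Extension mix modelled on the list in the post above.
CANARY_EXTENSIONS = (".docx", ".doc", ".xlsx", ".jpg", ".png", ".pem", ".sql", ".txt", ".rtf")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_canaries(directory, count, rng=None):
    """Create `count` decoy files with random names in `directory`.

    Returns a manifest {path: sha256} for the monitor to check against.
    Hiding the files (hidden attribute on Windows, dot-prefix elsewhere) is
    left out to keep the example portable.
    """
    rng = rng or random.SystemRandom()
    os.makedirs(directory, exist_ok=True)
    manifest = {}
    while len(manifest) < count:
        stem = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(8))
        path = os.path.join(directory, stem + rng.choice(CANARY_EXTENSIONS))
        if path in manifest:
            continue
        # Filler of varying size so the decoys do not all look identical on disk.
        body = bytes(rng.getrandbits(8) for _ in range(rng.randint(512, 4096)))
        with open(path, "wb") as f:
            f.write(body)
        manifest[path] = _sha256(path)
    return manifest


def check_canaries(manifest):
    """Return [(path, 'missing' | 'modified')] for every decoy that no longer matches."""
    findings = []
    for path, digest in manifest.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))      # deleted or renamed (e.g. to .locked)
        elif _sha256(path) != digest:
            findings.append((path, "modified"))     # encrypted or overwritten in place
    return findings


def demo():
    """Deploy decoys in a scratch directory, simulate an attack, compare before/after.

    The attack is constructed for this example (assumption): one decoy is
    overwritten in place and another renamed with a ransom extension, two
    behaviours ransomware families commonly exhibit.
    """
    root = tempfile.mkdtemp(prefix="canary_demo_")
    try:
        manifest = deploy_canaries(os.path.join(root, "Documents"), 4, random.Random(7))
        before = check_canaries(manifest)          # nothing touched yet: expect []
        first, second = sorted(manifest)[:2]
        with open(first, "rb") as f:
            plaintext = f.read()
        with open(first, "wb") as f:               # in-place "encryption": flip every byte
            f.write(bytes(b ^ 0xFF for b in plaintext))
        os.rename(second, second + ".locked")      # rename-style encryption
        after = check_canaries(manifest)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)
    for path, status in after:
        print(f"ALERT: canary {status}: {os.path.basename(path)}")
```

The digest comparison is what turns a decoy into a detector: any write to a canary, whether an encrypt-in-place or a rename, shows up on the next check, and because no legitimate program has any reason to touch these files, a single hit is a high-confidence signal rather than a heuristic. This is also why, as the post notes, deleting or editing the bait files yourself looks exactly like an attack to the product.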