ZoneAlarm Anti-Ransomware: Check Point’s perfect defense against ransomware

22 01 2019

Ransomware is no longer the problem it used to be, or at least not in the way it used to be. Despite the popularity of cryptominers, banking trojans and mobile malware, the first place in all rankings is held by fileless malware, with which all the attacks begin. Other types of malware are estimated to be undetectable by signatures in 30% of cases. These figures for Q3 2018 were prepared by the German network-device manufacturer WatchGuard. They mean that every third malicious file is a zero-day virus (one that uses undiscovered software vulnerabilities or techniques that bypass security measures). The data gives food for thought, because it clearly shows a rising trend of threats that traditional methods cannot detect.

WatchGuard reveals that today’s threat landscape is completely different from the one two years ago. However, part of the social-engineering attacks still focus on extorting money with the help of cryptography. Check Point, on the other hand, publishes detailed statistics on threats with a focus on ransomware attacks:

Figure: Ransomware statistics; threats in Poland

The most serious encryption attacks took place in 2017. The malware spread across the whole of Europe using a previously unseen vector: the EternalBlue and DoublePulsar exploits, which abuse an SMB protocol vulnerability, were stolen from the NSA and caused global chaos induced, ironically, by the US secret services. Hacking tools built to gain access to civilian computers were the main reason behind a huge outbreak of low-quality droppers and downloaders. Those mass-produced malware samples caused a percentage drop in cryptographic attacks. However, we still need to keep an eye on ransomware, which will not let itself be forgotten: a couple of weeks ago we observed increased GandCrab ransomware activity, also in Poland.

Can encrypting malware harm files protected by ZoneAlarm Anti-Ransomware? We checked this at the vendor’s request.

Figure: ZoneAlarm Anti-Ransomware

Check Point ZoneAlarm Anti-Ransomware – the basics

It is the first seconds after opening a fake invoice or a postal-delivery notification that matter most. This is when the ransomware starts searching for files and encrypting them, usually with AES-256 or AES-128-CBC. Then, on a server controlled by the attacker, a public and a private key are generated with the RSA algorithm (usually RSA-2048 or stronger). The public key is transferred to the victim’s computer; there are also ransomware samples that ship with the public key embedded in the code. The ransomware uses the public key to encrypt the AES-256 key that was used to encrypt the documents, movies, databases and game files. Factorisation has been an insanely hard problem for modern computers: finding the prime factors of a gigantic number of the order of 2^2048, produced when the public and private keys are created, would take a home computer millions of years. A quick solution to this mathematical problem (finding the two numbers whose product yields that gigantic number) is therefore impossible. Should anyone pull it off, they could be rewarded with a 1 000 000 USD prize for solving one of the major mysteries of the millennium, the prime numbers. This is why, in terms of cryptography, huge prime numbers give the offenders the advantage. The film “The Curse of Prime Numbers” provides a great insight into the problem; its author explains why any effort to break RSA-2048 is doomed to fail.

Within a reasonable time and without paying the ransom, it is impossible to compute the private key or decipher the files, even with a quantum computer, unless:

1. Law-enforcement bodies such as the European Cybercrime Centre (EC3) or Europol take control of the server that hosts the RSA key halves, or bring about the offender’s arrest. The prosecutor usually offers a shorter sentence if the suspect cooperates.

2. The encryption algorithm in the malware’s code is implemented incorrectly; only then is there a chance of developing a decryption tool that exploits the flaws in that implementation.

3. The malware does not use RSA (asymmetric cryptography) at all, which nowadays happens extremely rarely.

Only when one of the above conditions is met is it possible to build a decryption tool.
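The scheme just described, a per-file symmetric key wrapped with an RSA public key, is easiest to understand with numbers small enough to break. The following is an added example (not code from the article, from Check Point or from any ransomware family) that uses textbook RSA with a toy 32-bit modulus: unwrapping the key with the criminal’s private exponent d works, and so does recovering d by factoring n with plain trial division, which is the only reason the victim could “decrypt without paying” here. The last helper estimates how trial division scales to a 2048-bit modulus; it is a deliberately crude lower bound (real factoring algorithms are much faster, but still hopeless at that size). Key sizes, the seed and the sample file key are all constructed values.

```python
"""Toy RSA key wrapping: why the wrapped symmetric key is only as safe as the factoring problem."""
import math
import random


def is_probable_prime(n, rounds=20, rng=None):
    """Miller-Rabin primality test; probabilistic, but fine for toy keys."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    rng = rng or random.Random(0)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd prime with exactly `bits` bits (top bit forced on)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def rsa_keygen(modulus_bits, seed=0):
    """Return ((n, e), (n, d)). Toy sizes only; real ransomware uses 2048+ bits."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(modulus_bits // 2, rng)
        q = gen_prime(modulus_bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+


def wrap_file_key(file_key, pub):
    """'Encrypt the AES key with the public RSA key' (textbook RSA, no padding)."""
    n, e = pub
    assert 0 < file_key < n, "toy key must be smaller than the modulus"
    return pow(file_key, e, n)


def unwrap_file_key(wrapped, priv):
    """What the holder of d can do: recover the symmetric key."""
    n, d = priv
    return pow(wrapped, d, n)


def factor_by_trial_division(n):
    """Recover (p, q) from an odd n. Feasible only because n is tiny here."""
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub):
    """Decrypting without the criminal: factor n, rebuild phi, rebuild d."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def trial_division_years(modulus_bits, ops_per_second=10**9):
    """Crude lower bound: about sqrt(n) = 2**(bits/2) divisions at ops_per_second."""
    return 2 ** (modulus_bits // 2) // (ops_per_second * 31_557_600)


if __name__ == "__main__":
    pub, priv = rsa_keygen(32, seed=1)
    file_key = 0xBEEF  # constructed stand-in for a 256-bit AES file key
    wrapped = wrap_file_key(file_key, pub)
    print("unwrapped with the private key:", hex(unwrap_file_key(wrapped, priv)))
    print("unwrapped after factoring n:   ", hex(unwrap_file_key(wrapped, recover_private_key(pub))))
    print("years of trial division, RSA-2048:", trial_division_years(2048))
```

Run it as a script and both unwrapping paths print the same key; change 32 to 2048 in the keygen call and `recover_private_key` never returns, which is the whole point of condition 2 above: without an implementation mistake there is no shortcut.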

The steps of a ransomware file-encryption attack usually go as follows:

  1. The user receives an e-mail with a link or an attachment.
  2. The victim is redirected to a website hosting an exploit kit, a tool for automatic computer infection (or the malicious document is opened right away). The malware then communicates with the server controlled by the threat actor.
  3. The ransomware copies itself and runs the binary. Very often it runs the vssadmin.exe process with a parameter that deletes Windows shadow copies (the built-in backup copies). For example:
     "C:\Windows\SysWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
  4. The files are encrypted with a randomly generated AES key. That key is then encrypted with the public RSA key. The private key, essential for decryption, is held by the cyber-criminal and may be handed over only after the victim pays the ransom.
  5. The malware downloads a ransom note and displays the alert on the desktop.
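Step 3 is the one a defender can catch from ordinary process-creation logging before any file is touched. The following detector is an added example, not code from the article, from Check Point or from any SIEM product: it reads newline-delimited JSON events in a Sysmon-like shape (the field names ts, host, parent_image, image and command_line are an assumption of this example) and flags the vssadmin command quoted above; the wmic form is an added, widely documented equivalent. The four log lines are constructed.

```python
"""Flag shadow-copy deletion in process-creation logs (constructed sample events)."""
import json
import re

# Matched against the command line after quotes are stripped and whitespace collapsed.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)? delete shadows", re.IGNORECASE)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)? shadowcopy delete", re.IGNORECASE)),
]

# Heuristic: a backup-destroying command spawned from a user-writable location
# (where a dropped fake invoice lands) is worse than one typed by an administrator.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)


def normalise(command_line):
    """Strip quotes and collapse whitespace so spacing tricks do not defeat the match."""
    return re.sub(r"\s+", " ", command_line.replace('"', "")).strip()


def classify_event(event):
    """Return a finding dict for one process-creation event, or None if it is benign."""
    cmd = normalise(event.get("command_line", ""))
    for rule, pattern in SHADOW_DELETE_RULES:
        if pattern.search(cmd):
            origin = event.get("parent_image", "") + "|" + event.get("image", "")
            severity = "critical" if USER_WRITABLE.search(origin) else "high"
            return {"ts": event.get("ts"), "host": event.get("host"), "rule": rule,
                    "severity": severity, "command_line": event.get("command_line", "")}
    return None


def scan_log(text):
    """Run classify_event over newline-delimited JSON events; return findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: one benign launch, the command from step 3 spawned by a
# dropped executable, a harmless "list shadows", and a wmic variant from PowerShell.
SAMPLE_LOG = r"""
{"ts": "2019-01-22T10:15:01Z", "host": "PC01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "\"C:\\Windows\\System32\\notepad.exe\" invoice.txt"}
{"ts": "2019-01-22T10:15:03Z", "host": "PC01", "parent_image": "C:\\Users\\jan\\AppData\\Local\\Temp\\faktura.exe", "image": "C:\\Windows\\SysWOW64\\cmd.exe", "command_line": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /C \"C:\\Windows\\Sysnative\\vssadmin.exe\" Delete Shadows /All /Quiet"}
{"ts": "2019-01-22T10:20:00Z", "host": "PC01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin list shadows"}
{"ts": "2019-01-22T10:21:00Z", "host": "PC02", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic   shadowcopy DELETE"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["host"], f["ts"], f["rule"], "|", f["command_line"])
```

Quote stripping matters: the real command line wraps both executables in double quotes, so a naive `vssadmin.exe delete` substring match on the raw line would miss it.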

To frighten the user further, countdown timers are used. Usually, after 72 hours the ransom doubles. In extreme cases the decryption key is destroyed, which in theory eliminates any chance of recovering the files. In practice, this alert serves merely as a scare tactic:

Figure: CTB Locker ransom note

Although no statistics exist, we know that paying the ransom (usually) lets the victim decrypt the files. However, there are cases where the victim is unable to recover the files even after paying (because the offender cannot identify the victim). Antivirus software more and more often removes the ransomware, which deprives the victim of the chance to decrypt the files. What’s more, the attack is not necessarily over once the files are encrypted: the ransomware can load additional malware and steal private data, intellectual property and login credentials. Victims must also beware of dishonest companies that claim to be able to decrypt files when in reality they pay the ransomware authors and then charge the victim with a very large margin.

Ransomware is an extremely dangerous type of malware because data loss usually has grave consequences.

The very first seconds after the encryption starts are crucial. Real-time prevention may either stop the attack or bring the encrypted files back. ZoneAlarm Anti-Ransomware works “post factum”, which is why it needs to be used alongside another tool, serving as an additional layer of protection. “Post factum” does not mean that ZoneAlarm waits for all the files to be encrypted; it blocks the attack immediately after detection, puts the malware in quarantine and uses its change log to restore the files.

Figure: Check Point ZoneAlarm Anti-Ransomware

ZoneAlarm Anti-Ransomware was designed to restore encrypted files. An unknown zero-day sample that is about to start encrypting will be detected and neutralised, so the important data is not irreversibly lost.

Figure: GandCrab ransomware detected

The data can be restored with just a couple of clicks, and the remains of the virus, including the encrypted files, can be removed safely. It is then recommended to run a thorough antivirus scan of the computer with a reliable and effective tool:

Figure: ZoneAlarm file restoration

ZoneAlarm Anti-Ransomware does not protect computers in the traditional way: it can restore all encrypted files, but it won’t protect us from, for example, banking trojans. Contemporary antivirus software usually has no file-restoration functionality. Even when it does, it is limited to protecting the user’s folders. That is inconvenient, because such protection is not always enabled by default and it does not cover the whole drive, merely the most important folders (Desktop, Documents, Music, Downloads, etc.). The reviewed ZoneAlarm Anti-Ransomware by Check Point is one of the rare exceptions.

Figure: ZoneAlarm file repair

ZoneAlarm Anti-Ransomware is not an antivirus. It is a support tool for antivirus software. It causes no conflicts, so it is safe to install alongside Windows Defender or another advanced security suite.

Figure: Files have been decrypted

Restoring the files to their original state takes just a moment. Moreover, it does not require us to have a backup copy of the files: ZoneAlarm takes care of that during the encryption.

Figure: List of decrypted files

As soon as the files are back in their original folders there is a big mess: these directories contain both the restored and the encrypted files. We asked the company to add a quick-removal option for all encrypted files, which would spare us further clutter on the hard drive.


We’re done. ZoneAlarm Anti-Ransomware finished the job. All the encrypted files have been brought back intact to the folders where they were originally stored.

ZoneAlarm Anti-Ransomware brings Check Point’s experience

ZoneAlarm Anti-Ransomware is developed by Check Point, which is why it employs the Threat Emulation technology of the SandBlast products. We tested this protection technology a couple of weeks ago (Check Point’s SandBlast for Browser was the only solution to block all the malware samples). The complete set of Threat Emulation solutions is available in advanced firewalls or as a SaaS service under the name Check Point SandBlast.

Figure: ZoneAlarm honeypot; ZoneAlarm processes

Malware authors can create samples that easily bypass traditional signature-based products. Detection based on virus definitions is an old technique for catching known attacks; today it serves more as support than as the core protection. Threat emulation, in turn, protects against new malicious encryption programs, and this is the technology ZoneAlarm Anti-Ransomware uses.

Testing ZoneAlarm Anti-Ransomware: Ransomware simulation using RanSim

RanSim is a ransomware simulator developed by KnowBe4, a company whose CEO is Kevin Mitnick, one of the legendary ex-hackers, now working on the legal side.

After launching, RanSim simulates ransomware, but it neither changes nor damages the files stored on the Windows PC, which makes it 100% safe to use. The tool performs 10 different tests emulating real ransomware. You can download it here:


RanSim uses a range of techniques, including overwriting files, copying files to a new directory, encrypting files and deleting the originals, all of which imitate ransomware. The result is reported within a couple of minutes.

Figure: RanSim ransomware simulator

RanSim reports that ZoneAlarm did not protect us from ransomware, since all the tests of simulated encryption techniques failed. Obviously this is not true; it is a side effect of how RanSim runs. ZoneAlarm Anti-Ransomware detected RanSim’s unusual behaviour, so it can bring the encrypted test files back.

Regardless of how weak the PC’s other protection is, ZoneAlarm was made to protect the files that could fall victim to encryption by a well-known or a brand-new ransomware sample.

Ransomware in the wild (AVLab tests)

To conduct real ransomware attacks we used our Linux-based platform and virtual machines controlled by VMware Workstation Pro. Using its API and appropriate tools, we can recreate the attack from downloading the sample in the Chrome browser, through observing the installed ZoneAlarm Anti-Ransomware and the virus, to recording all log changes. We automated the tests in order to obtain detailed results within a couple of days. The saved logs show the behaviour of every tested virus as well as the reaction of the tested software. All the details of the analysis are always passed on to the vendor. Automation allows us to go through a pile of logged events in a couple of seconds; we gathered nearly 89 000 of them for 29 ransomware viruses. We adore logs: they help us improve our security tools and catch all the irregularities. We’re happy to make our small contribution to the development of ZoneAlarm.

How do we know that the malware has encrypted the files?

One can see it in the structure of the files and folders in the monitored directories. This log, for example, illustrates the change (encryption) of some of the desktop files:
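The same “structure of the files and folders” check can be automated by comparing two snapshots of a watched tree. The following is an added example, not the article’s log and not ZoneAlarm’s change log: both snapshots are constructed in memory, the `.locked` extension and the note file name are invented stand-ins, and the 7.0 bits/byte entropy threshold is a common rule of thumb rather than a value from the test. It reports files that now hold near-random content where a low-entropy original used to be (renamed with a new extension or rewritten in place), the vanished originals, and any added plain-text file that reads like a ransom note.

```python
"""Detect an encryption attack from before/after snapshots of a folder tree (constructed data)."""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0  # bits per byte; encrypted or compressed data sits near 8.0
NOTE_WORDS = (b"decrypt", b"bitcoin", b"ransom")


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def diff_snapshots(before, after):
    """Compare two {path: bytes} maps; return (path, kind) with kind added/removed/modified."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append((path, "removed"))
        elif path not in before:
            changes.append((path, "added"))
        elif before[path] != after[path]:
            changes.append((path, "modified"))
    return changes


def assess(before, after, min_files=3):
    """Report files that look encrypted; verdict flips when at least min_files of them exist."""
    changes = diff_snapshots(before, after)
    removed = {p for p, k in changes if k == "removed"}
    encrypted_like, notes, new_ext = [], [], Counter()
    for path, kind in changes:
        if kind == "removed":
            continue
        looks_encrypted = shannon_entropy(after[path]) > HIGH_ENTROPY
        if kind == "modified":
            # rewritten in place: only suspicious if the original was not already random-looking
            replaced_original = shannon_entropy(before[path]) < HIGH_ENTROPY
        else:
            # new file whose name extends a vanished original, e.g. "x.docx" -> "x.docx.locked"
            replaced_original = any(path.startswith(r + ".") for r in removed)
        if looks_encrypted and replaced_original:
            encrypted_like.append(path)
            new_ext["." + path.rsplit(".", 1)[-1]] += 1
        elif kind == "added" and not looks_encrypted and any(w in after[path].lower() for w in NOTE_WORDS):
            notes.append(path)
    verdict = "likely ransomware" if len(encrypted_like) >= min_files else "no encryption pattern"
    return {"encrypted_like": encrypted_like, "removed_originals": sorted(removed),
            "new_extensions": dict(new_ext), "ransom_notes": notes, "verdict": verdict}


# Constructed snapshots. A seeded generator stands in for ciphertext so the run is reproducible.
_rng = random.Random(2019)


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


INVOICE = b"Invoice FV/2019/01 - total 1200 PLN, due 31.01.2019\n" * 60
NOTES = b"Meeting notes: review ZoneAlarm logs, send report to vendor.\n" * 40
THESIS = b"Chapter 1. Introduction. " * 200
PHOTO = b"\xff\xd8\xff\xe0JFIF" + bytes(range(256)) * 8  # legitimately high-entropy, untouched

BEFORE = {
    "Desktop/invoice.docx": INVOICE,
    "Desktop/notes.txt": NOTES,
    "Desktop/todo.txt": b"- backups\n- patch SMB\n",
    "Documents/thesis.docx": THESIS,
    "Documents/photo.jpg": PHOTO,
}
AFTER = {
    "Desktop/invoice.docx.locked": _random_bytes(4096),  # renamed + encrypted
    "Desktop/notes.txt.locked": _random_bytes(4096),
    "Desktop/todo.txt": b"- backups\n- patch SMB\n",       # skipped by the attacker
    "Documents/thesis.docx": _random_bytes(4096),         # encrypted in place, name kept
    "Documents/photo.jpg": PHOTO,
    "Desktop/HOW_TO_RECOVER.txt": b"Your files are encrypted. To decrypt them pay 0.5 BTC within 72 hours.\n",
}

if __name__ == "__main__":
    for key, value in assess(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

The untouched `photo.jpg` shows why entropy alone is not enough: JPEGs and archives are near-random by nature, so the rule also demands that a low-entropy original disappeared or was overwritten.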



How do we know that ZoneAlarm detected a threat?

These are the so-called triggers: events registered in the OS and/or changes in the software’s logs. Others include moving the ransomware to the quarantine folder and loading a system registry key during the detected attack. For example:

C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Quarantine

C:\ProgramData\CheckPoint\Endpoint Security\Remediation\Working

C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\QuarantineOperationsLib.dll

Where do we obtain the samples and how do we know they’re working?

The samples used in the tests come from honeypot attacks. Honeypots are traps that imitate a target and capture the malware. Ours emulate services such as SSH, HTTP, HTTPS, SMB, FTP and TFTP, as well as real Windows systems and mail servers. Before a sample is tested, it undergoes a thorough analysis: it is run in an environment identical to the one with the software under test installed. If the malware performs malicious actions such as encrypting files or adding itself to autostart, we are certain the sample is “correct”, and it joins our test collection. The ransomware samples used in the test had the following checksums:


During the test (conducted from 19 to 31 December) verifying the anti-ransomware protection, we checked ZoneAlarm Anti-Ransomware against 28 samples captured in their natural habitat (in the wild). One of them was quite interesting.

The sample with checksum c4471377f58643e454ef33f21dc65f696567bf8700ae120caac5086f85bfeace is an interesting case of a targeted ransomware PoC that aims to encrypt only specified directories, avoid honeypots and close all running software, which was a major obstacle to manual analysis and disinfection (it was impossible to download a scanner and scan the system unless this was done in safe mode or from a rescue CD).


Detailed information about the sample, passed on to the vendor, helped them protect users from screen locking. Currently these are extremely rare cases; maybe that is why there was no function blocking this behaviour.

The issue with the Virlock sample was reported on 19 December and was investigated by Check Point quite promptly. The technical details allowed the company to tweak ZoneAlarm Anti-Ransomware, which is now up to date. Additionally, the latest version of the tested product protects us from desktop-locking threats.


ZoneAlarm Anti-Ransomware does not download virus definitions because it does not need them. It does not protect files from encryption the way traditional antivirus tools do. Instead, it employs the leading Threat Emulation technology, which works permanently in real time, monitoring and shielding the computer from any symptoms of a ransomware attack. Advanced behavioural analysis is capable of immediately detecting an encryption attack and restoring the files.

A licence for ZoneAlarm Anti-Ransomware costs only about 7 PLN a month. It cannot be purchased in Poland directly; however, the licence can be bought with a card or via PayPal.

ZoneAlarm Anti-Ransomware is a very good anti-ransomware tool. It can be installed on both personal and business computers. That is why we issue the AVLab recommendation, with one reservation: the program protects the computer exclusively from encryption attacks, so it should be used alongside another tool for protecting the Windows system.

The full security package, ZoneAlarm Extreme Security, contains even more necessary components that detect contemporary zero-day threats and attacks. The complete list of ZoneAlarm products is available on



Author: Adrian Ścibor, managing editor