Planning on a career of holding rich folks for ransom? You might want to reconsider. It’s just too dangerous! First, you have to kidnap them, without harming the victim or getting caught. Then you have to hide out while you negotiate the ransom terms. And chances are good that something will go wrong at the exchange of victim for cash. Nope, it’s a bad plan. You’re better off going into computer ransomware. The malware slips in unobserved, encrypts important files, and then demands your ransom in untraceable currency. The only violence may occur when the distraught victim smashes dishes in frustration. It’s true that an antivirus utility could wipe out your ransomware, just like it wipes out any other type of malware, but if it doesn’t, you win.
It’s not great to have a virus or Trojan infest your PC, wreak havoc for a few days, and then get eliminated by an antivirus update, but it’s survivable. When ransomware is involved, though, it’s a different story. Your files are already encrypted, so eliminating the perpetrator does you no good, and can even interfere with your ability to pay the ransom, should you opt to do so. Some security products include protection layers specific to ransomware, and you can also add ransomware-specific protection as a helper for your existing security.
It’s even worse when your business gets attacked by ransomware. Depending on the nature of the business, every hour of lost productivity might cost thousands of dollars, or even more. Fortunately, while ransomware attacks are on the rise, so are techniques for fighting those attacks. Here we look at tools you can use to protect yourself from ransomware.
The premise of ransomware is simple. The attacker finds a way to take something of yours and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn’t pose the same level of threat as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately, this last type is uncommon.
If you’re hit by a ransomware attack, you won’t know it at first. It doesn’t show the usual signs that you’ve got malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company’s domain. That seems to be what happened with the WannaCry ransomware attack a few years ago. If you have the slightest doubt as to the legitimacy of the email, don’t click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you’re lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker ages ago, but other groups kept the name alive, applying it to their own malicious creations.
Several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of those have since vanished, for one reason or another. For example, Acronis Ransomware Protection used to be a free standalone tool, but now it only appears as a component in the company’s backup software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page used to say “RansomOff will be back at some point.” Now there’s no mention of the product.
A few ransomware protection tools come from enterprise security companies that decided to do the world a service by offering just their ransomware component as a freebie for consumers. And quite a few of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer with us, and Cybereason RansomFree has likewise been discontinued.
Bitdefender Anti-Ransomware is gone for a more practical reason. While it existed, it took an unusual approach. A ransomware attacker that encrypted the same files twice would risk losing the ability to decrypt them, so many such programs leave some kind of marker to avoid double-dipping. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, “Move on! You’ve already been here!” This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished, leaving the CryptoDrop domain name up for grabs.
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn’t get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there’s a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus (or the ransom note) gives you a name, that’s a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around both old-school signature-based malware detection and more flexible modern techniques. It only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can’t bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at encryption-related ransomware behaviors is becoming more common.
Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically, they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company’s tech support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
During its lifespan, Cybereason’s free RansomFree utility had just one purpose: to detect and avert ransomware attacks. One very visible feature of this utility was its creation of “bait” files in locations typically targeted by ransomware. Any attempt to modify these files triggered a ransomware takedown. It also relied on other forms of behavior-based detection, but its creators were naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid? Alas, maintaining this free product for consumers proved impractical for the enterprise-focused company.
Kaspersky Security Cloud Free and quite a few others also use behavior-based detection to take down any ransomware that gets past your regular antivirus. They don’t use “bait” files; rather they keep a close eye on how programs treat your actual documents. On detecting ransomware, they quarantine the threat.
Check Point ZoneAlarm Anti-Ransomware also uses bait files, but they’re not as visible as RansomFree’s. And it clearly uses other layers of protection. It defeated all of our real-world ransomware samples in testing, fixing any affected files and even removing the spurious ransom notes that one sample displayed.
Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn’t unlimited in size, and advises keeping all important files backed up. In our latest round of testing, Webroot successfully rolled back the actions of several real-world ransomware samples, but let a couple others slip past.
If the free Trend Micro RansomBuster detects a suspicious process attempting file encryption, it backs up the file and keeps watching. When it detects a process making multiple encryption attempts in rapid succession, it quarantines the process, notifies the user, and restores the backed-up files. In testing, this feature missed half of the real-world ransomware samples we inflicted on it. Trend Micro confirms that ransomware protection is better with the multi-layered protection of Trend Micro Antivirus+ Security.
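As an added illustration (not code from any product reviewed here), the following Python sketch combines the two heuristics just described: bait files whose modification alone is a signal, as RansomFree and ZoneAlarm use, and the RansomBuster-style rule that flags a process making several high-entropy rewrites in rapid succession. The bait file names, the thresholds and the entropy cutoff are assumed values, and the write events would come from whatever file monitor you already have.

```python
import math
import os
from collections import deque
from typing import Deque, Dict, List, Optional

# Constructed bait file names; real tools choose names ransomware sweeps up early.
BAIT_NAMES = ["~$budget_2023.docx", "000_photos_index.txt"]
BAIT_CONTENT = b"CANARY: this file exists only to detect tampering.\n"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed output scores close to 8.0,
    while ordinary documents usually land well below 6.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def deploy_bait(folder: str) -> List[str]:
    """Drop the canary files into a folder ransomware typically targets."""
    paths = []
    for name in BAIT_NAMES:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(BAIT_CONTENT)
        paths.append(path)
    return paths

class EncryptionBurstDetector:
    """Alert when a process touches a bait file at all, or rewrites `threshold`
    files with high-entropy content inside `window` seconds.
    The defaults are assumed values, not any vendor's tuning."""
    def __init__(self, bait_paths: List[str], threshold: int = 5,
                 window: float = 10.0, entropy_cutoff: float = 7.0) -> None:
        self.bait = {os.path.abspath(p) for p in bait_paths}
        self.threshold, self.window, self.cutoff = threshold, window, entropy_cutoff
        self.events: Dict[int, Deque[float]] = {}  # pid -> recent high-entropy writes

    def observe_write(self, pid: int, path: str, new_bytes: bytes, ts: float) -> Optional[str]:
        """Feed one observed write; returns an alert string or None."""
        if os.path.abspath(path) in self.bait:
            return f"pid {pid} modified bait file {path}"
        if shannon_entropy(new_bytes) < self.cutoff:
            return None  # looks like ordinary content, keep watching
        q = self.events.setdefault(pid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # forget writes that fell out of the window
        if len(q) >= self.threshold:
            return f"pid {pid}: {len(q)} high-entropy rewrites in {self.window}s"
        return None
```

A real tool would, as RansomBuster does, copy each file aside on the first suspicious write so it can restore the originals once the process is quarantined.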
The main purpose of Acronis Cyber Protect Home Office is backup, of course, but this product’s Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
If a brand-new ransomware program gets past Trend Micro Antivirus+ Security, it won’t be able to do much damage. The Folder Shield feature protects files in Documents and Pictures, in local folders that represent online storage for file-syncing services, and on USB drives. Avast has added a very similar feature to Avast Premium Security.
Trend Micro’s free, standalone RansomBuster just protects two selected folders, and their subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. Don’t get too attached to RansomBuster, though. Trend Micro has indicated that the standalone product is in end-of-life status and won’t be around much longer.
Trend Micro also offers a ransomware hotline that’s available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
Panda Dome Essential and Panda Dome Complete offer a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file’s data, so it also thwarts data-stealing Trojans.
Testing this sort of defense is easy enough. We wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection system. We attempted to access and modify protected files. And in almost every case we verified that the defense worked.
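A small Python probe, added here and not the test editor described above, plays the role of an unknown, non-whitelisted program and reports which operations a folder-protection layer lets through: create (which RansomBuster permits), read (which Panda Data Shield blocks), modify, rename to a ransom-style extension, and delete. The probe file name is a constructed placeholder, and the probe only ever modifies or deletes the file it created itself.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

PROBE_NAME = "probe_from_unknown_program.txt"  # constructed file name


def _attempt(op) -> bool:
    """Run one file operation; a protection layer that blocks it raises OSError
    (typically PermissionError under Windows folder shields)."""
    try:
        op()
        return True
    except OSError:
        return False


def _append(path: Path) -> None:
    with path.open("ab") as f:
        f.write(b"x")


def probe_protected_folder(folder: str) -> Dict[str, Optional[bool]]:
    """Attempt, from this deliberately unknown program, the operations ransomware
    performs on a protected folder. True = allowed, False = blocked,
    None = not testable (no file to act on)."""
    base = Path(folder)
    probe = base / PROBE_NAME
    locked = base / (PROBE_NAME + ".locked")
    results: Dict[str, Optional[bool]] = {}

    results["create"] = _attempt(lambda: probe.write_bytes(b"constructed probe\n"))
    # Read whichever regular file is present; some shields block even reads.
    victim = next((p for p in base.iterdir() if p.is_file()), None)
    results["read"] = _attempt(victim.read_bytes) if victim else None
    if not results["create"]:
        # Never modify a user's real document; without our own file, stop here.
        results["modify"] = results["rename"] = results["delete"] = None
        return results
    results["modify"] = _attempt(lambda: _append(probe))
    results["rename"] = _attempt(lambda: probe.rename(locked))
    leftover = locked if results["rename"] else probe
    results["delete"] = _attempt(leftover.unlink)
    return results


def probe_in_scratch_dir() -> Dict[str, Optional[bool]]:
    """Baseline run in an unprotected temp folder: every operation should succeed."""
    with tempfile.TemporaryDirectory() as d:
        return probe_protected_folder(d)
```

Run the baseline first, then point `probe_protected_folder` at a shielded folder; the entries that flip to False are the operations the product actually stopped.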
The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis Cyber Protect Home Office actively works to detect and prevent ransomware attacks. We expect to see similar features in other backup tools.
CryptoDrop Anti-Ransomware maintained copies of your sensitive files in a secure folder that’s not visible to any other processes. Alas, CryptoDrop has vanished.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that turn out to be ransomware.
NeuShield Data Sentinel takes an unusual approach. Given that ransomware must announce its presence to request the ransom, it makes no attempt to detect ransomware activity. Rather, it virtualizes file system changes to protected folders, and lets you reverse all changes after an attack. To get rid of the ransomware itself, it rolls back the system to the previous day’s state. In testing, it proved effective, though you could lose one day’s changes to your files.
Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include some kind of check to make sure they don’t attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.
Bitdefender Anti-Ransomware, during its existence, very specifically prevented infestation by TeslaCrypt, BTC-Locker, Locky, and that first edition of Petya. It had no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly couldn’t help against a brand-new strain, the way a behavior-based detection system can. These limitations, along with the ever-changing nature of malware, caused Bitdefender to withdraw the tool, relying instead on the powerful ransomware protection of its full-scale antivirus.
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.
In addition, ransomware samples are tough to deal with. For safety, we run them in a virtual machine with no connection to the internet or network. Some won’t run at all in a virtual machine. Others do nothing without an internet connection. And they’re just plain dangerous! When analyzing a new sample, determining whether to add it to the collection, we keep a link open to a log folder on the virtual machine host. Twice now we’ve had a ransomware sample reach out and start encrypting those logs.
KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but we don’t treat a low score as a minus. Some behavior-based systems such as RansomFree don’t detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.
This article looks specifically at ransomware protection solutions that are available to consumers. There’s no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. We can’t recommend this tool in its current form.
We’ve also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of our reviews, worthy though these services may be.
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware is our top choice for ransomware-specific security protection. It detected all of our ransomware samples, including the disk-encrypting Petya, and repaired all files damaged by the ransomware. If your budget doesn’t stretch to paying for a ransomware protection add-on, consider switching to an antivirus or security suite that includes a ransomware-specific protection layer.