Why You Need Ransomware Protection
Your antivirus or security suite detects and defends against almost every malware attack. It easily detects known threats and uses heuristic signatures and behavior-based detection to get a lead on threats similar to ones it already knows. But every now and then the malware coders come up with something entirely new, something different enough that it gets past existing detection technology. Even when that does happen, there’s typically a fix within a few days, or even hours.
It’s not great to have a virus or Trojan infest your PC, wreak havoc for a few days, and then get eliminated by an antivirus update, but it’s survivable. When ransomware is involved, though, it’s a different story. Your files are already encrypted, so eliminating the perpetrator does you no good, and can even interfere with your ability to pay the ransom, should you opt to do so. Some security products are starting to include protection layers specific to ransomware, and you can also add ransomware-specific protection as a helper for your existing security.
It’s even worse when your business gets attacked by ransomware. Depending on the nature of the business, every hour of lost productivity might cost thousands of dollars, or even more. Fortunately, while ransomware attacks are on the rise, so are techniques for fighting those attacks. Here we look at tools you can use to protect yourself from ransomware.
What Is Ransomware, and How Do You Get It?
The premise of ransomware is simple. The attacker finds a way to take something of yours, and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn’t pose the same level of threat as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately this last type is uncommon.
If you’re hit by a ransomware attack, you won’t know it at first. It doesn’t show the usual signs that you’ve got malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company’s domain. That seems to be what happened with the WannaCry ransomware attack. If you have the slightest doubt as to the legitimacy of the email, don’t click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you’re lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
CryptoLocker and Other Encrypting Malware
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn’t get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there’s a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that’s a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection. And it only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can’t bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at ransomware behaviors is becoming more common.
Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically, they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company’s tech support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
Detecting Ransomware Behavior
During its lifespan, Cybereason’s free RansomFree utility had just one purpose: to detect and avert ransomware attacks. One very visible feature of this utility was its creation of “bait” files in locations typically targeted by ransomware. Any attempt to modify these files triggered a ransomware takedown. It also relied on other forms of behavior-based detection, but its creators were naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid? Alas, maintaining this free product for consumers proved impractical for the enterprise-focused company.
Kaspersky Security Cloud Free, Heilig Defense RansomOff, and quite a few others also use behavior-based detection to take down any ransomware that gets past your regular antivirus. They don’t use “bait” files; rather they keep a close eye on how programs treat your actual documents. On detecting ransomware, they quarantine the threat.
Check Point ZoneAlarm Anti-Ransomware also uses bait files, but they’re not as visible as RansomFree’s were. And it clearly uses other layers of protection. It defeated all of our real-world ransomware samples in testing, fixing any affected files and even removing the spurious ransom notes that one sample displayed.
Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn’t unlimited in size, and advises keeping all important files backed up.
If the free Trend Micro RansomBuster detects a suspicious process attempting file encryption, it backs up the file and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the file, notifies the user, and restores the backed-up files. In testing, this feature missed half of the real-world ransomware samples we inflicted on it. Trend Micro confirms that ransomware protection is better with the multi-layered protection of Trend Micro Antivirus+ Security.
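The two detection ideas described above, bait files that no legitimate program should touch and a process that rewrites many files with encrypted-looking content in quick succession, sketched as stand-alone Python added here; this is not code from RansomFree, RansomBuster or any other product reviewed. The decoy file name, the entropy threshold, the file count and the time window are illustrative assumptions.

```python
import hashlib
import math
import os
from collections import defaultdict, deque

# Assumed/constructed values: the decoy name, thresholds and window are
# illustrative choices, not taken from any of the products reviewed above.
BAIT_NAME = "~$canary_do_not_open.docx"
BAIT_CONTENT = b"Decoy file: any modification of it indicates ransomware activity.\n"
ENTROPY_THRESHOLD = 7.0   # bits per byte; ordinary documents sit well below this
FILES_THRESHOLD = 4       # distinct files rewritten with high entropy ...
WINDOW_SECONDS = 2.0      # ... within this many seconds, by one process


def plant_bait_files(folders):
    """Write one decoy file into each target folder and return their paths."""
    paths = []
    for folder in folders:
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, BAIT_NAME)
        with open(path, "wb") as fh:
            fh.write(BAIT_CONTENT)
        paths.append(path)
    return paths


def tampered_bait_files(paths):
    """Return the decoy paths whose content no longer matches the planted bytes."""
    expected = hashlib.sha256(BAIT_CONTENT).hexdigest()
    tampered = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            digest = None          # a deleted or renamed decoy counts as tampering too
        if digest != expected:
            tampered.append(path)
    return tampered


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class RapidEncryptionDetector:
    """Flags a process that rewrites many distinct files with high-entropy
    content inside a short window, the pattern a file encryptor produces."""

    def __init__(self):
        self._recent = defaultdict(deque)   # pid -> deque of (timestamp, path)

    def observe_write(self, pid, path, timestamp, data):
        """Feed one write event; returns True once pid crosses the threshold."""
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            return False            # plaintext-looking write, not counted
        events = self._recent[pid]
        events.append((timestamp, path))
        while events and timestamp - events[0][0] > WINDOW_SECONDS:
            events.popleft()        # forget writes outside the sliding window
        distinct = {p for _, p in events}
        return len(distinct) >= FILES_THRESHOLD
```

A real product would feed `observe_write` from a file-system filter driver and suspend the flagged process; here the events are supplied by the caller, which is enough to see how the two heuristics decide.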
The main purpose of Acronis True Image is backup, of course, but the Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
You can also get that same Active Protection for free, in the form of Acronis Ransomware Protection. This utility works alongside your antivirus as another layer of protection against ransomware, and includes 5GB of storage for backups of your most important files. Acronis Ransomware Protection can restore files damaged by ransomware from a local cache; the online backup is yet another line of defense.
Preventing Unauthorized Access
If a brand-new ransomware program gets past Bitdefender Antivirus Plus, it won’t be able to do much damage. Bitdefender blocks attempts by any unauthorized program to modify, delete, or create files in a protected folder. And the list of protected folders includes Documents, Desktop, Pictures, Music, and Videos, as well as folders on file-syncing services such as OneDrive, Dropbox, Box, and Google Drive. Avast has added a very similar feature to Avast Internet Security and Avast Premier.
In Trend Micro’s antivirus, the Folder Shield feature protects files in Documents and Pictures, in local folders that represent online storage, and on USB drives. The free, standalone RansomBuster just protects two selected folders, and their subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. In addition, the company offers a ransomware hotline that’s available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
Panda Dome Essential and Panda Dome Complete offer a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file’s data, so it balks data-stealing Trojans too.
Testing this sort of defense is easy enough. We wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection. We attempted to access and modify protected files. And in almost every case we verified that the defense worked.
The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attack. We expect to see similar features in other backup tools.
Acronis Ransomware Protection can restore files damaged by ransomware from a local cache. Like its big brother True Image, it offers online backup as another option for recovery, but just 5GB of storage. CryptoDrop Anti-Ransomware maintained copies of your sensitive files in a secure folder that’s not visible to any other processes. Alas, while the CryptoDrop website still exists, it has become a strange mix of ads and leftover content.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that turn out to be ransomware.
With RansomOff, you get a veritable smorgasbord of protection. It blocks unauthorized file access, detects ransomware behavior, and makes just-in-time backups in case recovery is needed. The problem is, all these choices make for a product that’s a bit difficult to use and understand.
Newcomer NeuShield Data Sentinel takes an unusual approach. Given that ransomware must announce its presence to request the ransom, it makes no attempt to detect ransomware activity. Rather, it virtualizes file system changes to protected folders, and lets you reverse all changes after an attack. It also leverages the built-in System Restore technology to get rid of the ransomware itself. In testing, it proved effective, though you could lose one day’s changes to your files.
Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include some kind of check to make sure they don’t attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.
Bitdefender Anti-Ransomware, during its existence, very specifically prevented infestation by TeslaCrypt, BTC-Locker, Locky, and that first edition of Petya. It had no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly couldn’t help against a brand-new strain, the way a behavior-based detection system can. These limitations, along with the ever-changing nature of malware, caused Bitdefender to withdraw the tool, relying instead on the powerful ransomware protection of its full-scale antivirus.
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.
In addition, ransomware samples are tough to deal with. For safety, we run them in a virtual machine with no connection to the internet or network. Some won’t run at all in a virtual machine. Others do nothing without an internet connection. And they’re just plain dangerous! When analyzing a new sample to determine whether to add it to the collection, we keep a link open to a log folder on the virtual machine host. Twice now we’ve had a ransomware sample reach out and start encrypting those logs.
KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but we don’t treat a low score as a minus. Some behavior-based systems such as RansomFree don’t detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.
What’s Not Here
This article looks specifically at ransomware protection solutions that are available to consumers. There’s no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. We can’t recommend this tool in its current form.
We’ve also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of our reviews, worthy though these services may be.
Acronis True Image provides dandy ransomware protection and recovery, but at heart it’s a backup tool. We gave its place in the chart at top to its ransomware-focused sibling, Acronis Ransomware Protection.
We really liked CyberSight RansomStopper, enough to make it an Editors’ Choice. However, the company has vanished without a trace, and our attempts to find out more have hit a wall. You can still find the product on sites that host and bundle free software, but given the disappearance of the company itself, we can no longer recommend the product. Bitdefender Anti-Ransomware, CryptoDrop Anti-Ransomware, and Cybereason RansomFree have also fallen by the wayside.
An Ounce of Prevention
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware is our top choice for ransomware-specific security protection. It detected all of our ransomware samples, including the disk-encrypting Petya, and repaired all files damaged by the ransomware. If your budget doesn’t stretch to paying for a ransomware protection add-on, consider a free solution like Acronis Ransomware Protection.
Bitdefender Antivirus Plus
Pros: Top scores from independent labs.
Best score in our hands-on antiphishing test.
Very good malicious URL blocking.
Many relevant bonus features.
Cons: So-so score in our hands-on malware blocking test.
Bottom Line: The labs give Bitdefender Antivirus Plus top marks, and it aces some of our own hands-on tests.
Beyond that, it adds a wealth of security features that almost qualify it as a security suite.
It’s a winner.
Check Point ZoneAlarm Anti-Ransomware
Pros: Successfully protected against real-world ransomware samples and cleaned up all traces of ransomware in testing.
Very easy to use.
Cons: Not free like some competing products.
In one test, it reported failure even though it succeeded.
Bottom Line: Check Point ZoneAlarm Anti-Ransomware is the most effective ransomware-specific security tool we’ve seen.
In testing, it showed complete success against all of our real-world samples.
Kaspersky Security Cloud Free
Pros: Perfect or near-perfect scores from four independent testing labs.
Perfect score in our phishing protection test.
Good scores in our malware-blocking and malicious URL blocking tests.
Support for Android and iOS.
Cons: No direct tech support.
Bottom Line: Kaspersky Security Cloud Free offers full-scale malware protection and even some suite-level features. It gets superb scores from the independent labs, and it won’t cost you a penny.
Acronis Ransomware Protection
Pros: Protects against most ransomware samples, including Petya.
Recovers affected files.
Detected 10 simulated ransomware attacks in our tests.
Includes 5GB of hosted online backup.
Cons: Missed one real-world sample.
Bottom Line: If your antivirus misses a zero-day ransomware attack, you’re in big trouble.
The free Acronis Ransomware Protection offers another layer of protection, plus 5GB of online backup storage.
NeuShield Data Sentinel
Pros: Reverses changes made by file-encrypting ransomware.
Blocks actions of disk-encrypting ransomware.
Remote recovery breaks hold of screen-locking ransomware.
Cons: Revert function discards changes made on the current day.
One-Click Recovery likewise recovers to yesterday.
Expensive.
Bottom Line: Any ransomware detection technique can fail, so NeuShield Data Sentinel doesn’t attempt detection. Instead, it offers multiple techniques to recover from ransomware, techniques that performed well in testing.
Emsisoft Anti-Malware
Pros: Good score in our malware protection test.
Behavioral detection successfully blocked ransomware.
Cloud Console allows full remote management.
Surfing protection is browser independent.
New browser extension detects phishing.
Cons: Almost no scores from independent labs.
Phishing protection not for all browsers.
Cloud Console may be too complicated for some.
Bottom Line: Emsisoft Anti-Malware effectively handles the basic tasks of malware protection, including ransomware, though it doesn’t score at the top in testing. Its new Cloud Console offers comprehensive remote management to tech-savvy users.
Sophos Home Premium
Pros: Excellent antiphishing score.
Very good malicious URL blocking score.
Protects against ransomware, keyloggers, and exploits.
Remote management for up to 10 PCs or Macs.
Cons: Lab test results not current.
Advanced features require uncommon tech expertise.
Limited parental control and webcam protection.
Bottom Line: The new Sophos Home Premium security suite brings consumers powerful protection technology forged in the company’s Enterprise-level products, including ransomware protection, keylogger blocking, exploit mitigation, and more.
Heilig Defense RansomOff
Pros: Detected all real-world ransomware samples in testing.
Includes HIPS-Lite component to detect suspicious activities.
Can limit file access to authorized programs.
Can lock out all but whitelisted apps.
Restores files from just-in-time backup.
Cons: One ransomware sample encrypted files despite detection.
HIPS-Lite terminated both malicious and legitimate programs.
File access protection unnecessarily complex.
Whitelist feature too complex for many users.
Bottom Line: Whereas most ransomware protection is extremely simple, Heilig Defense RansomOff stands out for its complexity.
It does a decent job in testing, but the average user will probably want more streamlined protection.
Panda Dome Advanced
Pros: Slick, attractive user interface.
Parental content filter.
Effective ransomware protection.
Includes firewall, VPN, USB vaccination.
Supports Windows, macOS, Android.
Cons: Dismal protection against dangerous and fraudulent websites.
So-so score in our malware protection test.
Expensive, especially on macOS and Android.
Bottom Line: Panda Dome Advanced adds parental control and ransomware protection to the features of Panda Dome Essential.
It handles ransomware that slips past the entry-level product, but still has some of the lowest test scores.
Trend Micro RansomBuster
Pros: Folder Shield blocks unauthorized access to protected documents.
Detects encrypting ransomware behavior in any folder.
Recovers any files that were encrypted before detection.
Cons: Folder Shield limited to two folders.
In testing, behavior-based detection only caught half of the real-world ransomware samples.
Bottom Line: It’s very good of Trend Micro to make RansomBuster available for free, and its Folder Shield successfully prevents unauthorized changes to your documents.
However, the behavior-based detection system needs work.