The Best Ransomware Protection for 2026
Deeper Dive: Our Top Tested Picks
EDITORS’ NOTE
December 17, 2025: With this update, our lineup of recommended ransomware protection tools remains unchanged. The existing picks have been vetted for currency and availability.
Pros
- Excellent scores in independent lab tests
- Very good defense against phishing fraud
- Multi-layered ransomware protection
- Isolated browser for banking safety
- Prevents advertisers from tracking you
- Many security-centered bonus features
- Protection for Windows, macOS, Android, and iOS
Cons
- Poor score in hands-on malware blocking test
- Mediocre score in hands-on malicious URL defense test
- Full VPN access requires a separate subscription
Bitdefender Antivirus Plus is a top choice for general-purpose malware protection, consistently earning excellent scores from independent testing labs and achieving top scores in most of our hands-on tests. Among the many security bonuses that justify the “Plus” in its name is a multi-layered system for detecting and remediating ransomware. If the behavior-based detection system gets any hint of a problem, the remediation system makes secure backups of important files. Bitdefender’s real-time malware protection wiped out all my ransomware samples, so I turned off that protective component and tried again. In hands-on testing with from-the-wild samples, Bitdefender detected every single file-encrypting ransomware threat.
Application type: Bitdefender Antivirus Plus is a comprehensive antivirus app that includes numerous bonus features, making it more feature-rich than some security suites. Ransomware protection is just one of its many capabilities, but it devotes serious energy to ransomware defense.
Pricing and pricing tiers: Bitdefender’s pricing is simple. You pay $49.99 per year for a single license or $69.99 per year for three licenses. Those prices are slightly higher than the average antivirus, but you get more features than the average app typically supplies.
Ransomware-fighting features: Bitdefender’s ransomware protection has evolved over the years. At one time, a standalone anti-ransomware tool worked by “vaccinating” PCs, meaning it coopted the signals that ransomware apps use to avoid infecting the same PC twice. It also went through a period of protecting important files by banning all unauthorized changes. The current version drops that permission-based protection in favor of a multi-layer approach. Advanced Threat Defense detects and blocks ransomware based on its behavior. Network Threat Protection blocks exploits used by ransomware to weasel into your system. And if any files get encrypted before behavioral detection kills off the ransomware, Ransomware Remediation recovers them.
Hands-on testing success: To test Bitdefender’s ransomware prowess, I disabled all other antivirus features and released a dozen real-world ransomware samples. It quickly caught all but one of that collection, terminating and quarantining the app while preventing any harm. The last sample slipped past Bitdefender’s behavioral detection. Of course, if I hadn’t turned off all the other protective layers for this test, they would have wiped out all the samples on sight.
People who want comprehensive protection: You know that ransomware can cause more trouble than most kinds of malware, and you want to keep it far, far from your PC. At the same time, you don’t want to clutter your computer with hordes of one-off apps, each with a single purpose. With Bitdefender, you get your ransomware protection in conjunction with a comprehensive antivirus app that comes with numerous bonus features, making it feel more like a security suite.
Protection Type: Antivirus
Pros
- Successfully defends against real-world ransomware attacks
- Restores files affected by ransomware
- Includes some antivirus features
- Keylogger protection
Cons
- Routinely allows (and then reverses) file encryption
- Keylogger protection is limited
Six or seven years ago, dedicated ransomware protection seemed like an up-and-coming security category. At one point, ZoneAlarm Anti-Ransomware was one of almost a dozen such products. Fast forward to today, and most competitors are gone, but ZoneAlarm soldiers on. Speaking of soldiering on, part of ZoneAlarm’s behavioral detection strategy involves distributing “bait” files throughout your system, hoping they’ll absorb any ransomware attacks instead of your valuable files. In testing, ZoneAlarm detected all the file-encrypting ransomware samples and recovered almost every affected file.
Application type: As the name suggests, ZoneAlarm Anti-Ransomware is an app strictly devoted to detecting and eliminating ransomware attacks. It does include a modicum of antivirus features, but not enough to replace your regular antivirus.
Pricing and pricing tiers: At $34.95 per year, ZoneAlarm costs almost as much as a second antivirus app. It does offer significant volume discounts. For $44.95, you can install it on three PCs, and bumping the price to $54.95 gets you five licenses. If you really have a lot of PCs to protect, you can protect 10 for $94.95, less than $10 per device.
Ransomware-fighting features: As noted, ZoneAlarm includes some antivirus features, and the antivirus component might detect and eliminate known ransomware. But its real power lies in behavior-based detection that kicks in when it sees a program acting like ransomware. ZoneAlarm sprinkles “bait files” in your computer’s busiest folders, in hopes that any ransomware attack will take the bait. However, if a ransomware attack encrypts some important files before triggering behavioral detection, ZoneAlarm restores those files after resolving the issue.
Hands-on testing success: Challenged with a dozen real-world ransomware samples, ZoneAlarm detected every single one. In each case, it reported a list of files affected by the ransomware and offered to restore them. And in every case but one, it succeeded with its restoration. Even when it didn’t succeed completely, the affected files were just five bait files and three unimportant ancillary Windows files.
People who just want ransomware protection: When you need an app to perform a specific task on your PC, you look for one that focuses strictly on that task and performs it brilliantly. Yes, you have an antivirus or perhaps a security suite, and you’re happy with it. But you’re happy to enhance your protection with the single-purpose ZoneAlarm.
Protection Type: Ransomware Protection
Pros
- Reverses changes made by file-encrypting ransomware
- Proved effective in hands-on testing
- Blocks actions of disk-encrypting ransomware
- Remote recovery breaks hold of screen-locking ransomware
- Multi-factor authentication available for settings
Cons
- Recovery discards changes made on the current day
- Some low-importance files not recovered
Systems that rely on detecting ransomware behavior can potentially be fooled by the latest, cleverest attacks, leaving you defenseless. NeuShield Data Sentinel doesn’t even try to detect an attack, since the ransomware will announce itself with a ransom note. This unusual product focuses on recovering from a ransomware attack. Its One-Click Restore resets your Windows installation to a safe, malware-free configuration on reboot. After it wipes out the threat, you revert protected files, such as documents and pictures, to a clean version saved by the program. It’s true that One-Click Restore eliminates any files installed today along with the ransomware, and Revert may lose changes and edits that you made today. But losing a few changes is a lot less worrisome than losing all your important files. Note that Data Sentinel includes special handling for disk-encrypting ransomware, and its remote control console can handle screen locker ransomware.
Application type: NeuShield Data Sentinel has one purpose—to restore your system to normal after a ransomware attack. It doesn’t attempt to detect ransomware activity, since the ransomware will announce itself. Since its recovery involves restoring the system and individual files to earlier versions, you may lose any changes made since the backup was created.
Pricing and pricing tiers: At just $23.99 per year, NeuShield Data Sentinel costs less than most of its competitors. That’s for one license—you pay $59.99 for three and $79.99 for five licenses.
Ransomware-fighting features: NeuShield Data Sentinel doesn’t even try to detect ransomware. After all, the ransomware will announce itself with a ransom demand. When you encounter evidence of ransomware, you engage NeuShield to restore the system state to its pre-ransomware attack state. Its One-Click Restore performs the necessary reset of programs and settings, and a feature called Mirror Shielding helps recover clean copies of files that have been trashed by the ransomware. With this system, it’s possible you might lose the very latest changes to a file, but that’s better than losing all your files. NeuShield also supports remote management, especially handy if a screen-locker ransomware app has locked you out of local PC control.
Hands-on testing success: NeuShield Data Sentinel didn’t detect any of my ransomware samples and didn’t prevent them from encrypting my test files. That’s not how it works. Each of my dozen ransomware samples ran to completion, encrypting files and demanding ransom. In each case, I used One-Click Restore to revert the system, which eliminated the malware, along with any other recently-installed programs. And I used the Revert feature to restore data files. NeuShield succeeded in every case, though, as noted, the latest changes to some documents were lost.
People who want dedicated ransomware protection: You like to use apps that do one thing well. You leave antivirus protection to the antivirus, firewall challenges to the firewall, passwords to the password manager, and ransomware protection to a dedicated anti-ransomware app, like NeuShield.
Remote controllers: When your friends and relatives have tech problems, they come to you. You could drive across town to fix your uncle’s malware problem, but it’s so much easier if you can manage the task remotely. Once you’ve got NeuShield installed on all their systems, you have full remote control. You can view the status of each installation and remotely trigger important features, such as One-Click Restore. In addition, being able to control the app remotely means you can still recover if a screen-locker ransomware cuts off your local access to the PC.
Protection Type: Ransomware Protection
Pros
- Excellent scores in some of our hands-on tests
- Effective ransomware protection
- Remotely manages up to 10 PCs or Macs
- Inexpensive
Cons
- Limited results from testing labs
- Ineffective parental control
- No longer offers mobile management or keylogger protection
- Advanced features require uncommon tech expertise
In the world of enterprise security, users typically don’t control their antivirus—it’s all managed remotely by the IT Security team. Sophos Home Premium provides this level of remote control to consumers. You can install it on PCs or Macs belonging to your friends and family and handle all configuration and problems remotely. No more driving across town! Best of all, this versatile and inexpensive product offers strong protection against ransomware. Even with regular antivirus protection disabled, the ransomware behavior detection system caught a dozen real-world ransomware samples.
Application type: Every full-powered antivirus should eliminate ransomware just as it does any other kind of malware. Some, like Sophos Home Premium, enhance their base-level malware fighting with additional ransomware-specific protection layers.
Pricing and pricing tiers: Antivirus apps typically have a base price for a single license, accompanied by volume discount tiers for multiple licenses. Not Sophos Home Premium. You pay a single price for your Sophos subscription, $59.99 per year. And that price lets you install antivirus protection on up to 10 devices.
Ransomware-fighting features: As noted, Sophos Home Premium is a complete antivirus solution. The regular antivirus will wipe out any known ransomware files. If any get past that guardian, a behavior-based ransomware detection component jumps in to save the day.
Hands-on testing success: Sophos Home Premium effectively distinguishes its ransomware component from the rest of the antivirus features, making it easy for me to disable everything except ransomware protection. I released a dozen real-world ransomware samples to test it, reverting the test virtual machine to its prior state after each test. The ransomware protection layer detected every sample based on its behavior and eliminated them before they could harm even a single data file.
People who want comprehensive protection: Sure, dedicated ransomware detection and protection is important, but you’re not interested in loading up all your PCs with a bunch of separate programs for separate problems. Sophos Home Premium integrates ransomware protection with its other malware-fighting components, and testing shows that it works well.
Remote controllers: Your beloved grandma thinks she’s been hacked, or has a virus, or something. So you drive across town to sort out the problem. Or do you? Your Sophos Home Premium account gives you 10 licenses. So you use those licenses to install it for all your friends and family. Now, when a problem arises, you don’t even have to get out of your easy chair. Just log in remotely and take care of it.
Protection Type: Antivirus
Pros
- Small footprint on disk
- Aced our hands-on tests
- Can remediate ransomware damage
- Includes LastPass password manager
- Advanced features
Cons
- Limited lab test results
- Advanced features require uncommon expertise
Webroot Essentials doesn’t work like most antivirus tools. Oh, it does wipe out malicious programs that it recognizes, and it sends known, valid programs on their way with a pat on the head. However, when it encounters an unknown program, it virtualizes and journals any system changes made by the program, prevents any irreversible actions (such as sending your data to an unknown server), and sends telemetry to the cloud-based Webroot brain. If the cloud returns a guilty verdict, Webroot removes the malicious program and reverses all its actions. That includes undoing ransomware’s encryption actions, thereby restoring the original, undamaged files.
Application type: Webroot Essentials is an antivirus app that eliminates any malware it recognizes, flags known good programs as trusted, and closely monitors any unknowns. While it waits for a verdict from its brain in the cloud, it isolates the unknown program, preventing it from making any permanent changes. If the verdict comes back guilty, it wipes out the malware and rolls back all the changes. That includes rolling back ransomware activity and thereby restoring your files.
Pricing and pricing tiers: Webroot’s pricing precisely matches Bitdefender’s, to a point. You pay $49.99 per year for a single license of either, and $69.99 for a three-license subscription. Webroot takes the volume discount one step further, offering a five-license subscription for $89.99.
Ransomware-fighting features: As noted, when Webroot sees an unknown file executing it puts that program in a bubble, virtualizing all changes to the file system and preventing irreversible actions like sending data to a remote server. It also sends information about the program to its cloud service, which eventually returns a verdict. If it gives a thumbs down, Webroot eliminates the offending program and reverses all of its actions. That includes ransomware actions like encrypting a file—reversing that action restores the unmodified file.
Hands-on testing success: Webroot doesn’t separate its ransomware protection from the overall antivirus, so there was no way for me to shut down other layers and test only ransomware protection. In past years, I’ve been able to hand-modify the malware samples, ensuring they’ve never been seen by Webroot’s analysis system. This time, the basic antivirus wiped out even my hand-tweaked versions. I have to assume it still works just as well against ransomware as it did when I last tested it.
People who want more than just ransomware protection: You’ve heard that because ransomware has such dire consequences, you need separate protection, over and above what your antivirus provides. And then you think, “No, I just need a better antivirus.” Webroot’s ransomware protection is integrated with its comprehensive malware protection. And the remember-and-rollback system it uses to prevent malware from doing any permanent damage works just fine against ransomware.
Protection Type: Antivirus
Pros
- Many local and cloud backup options
- Much improved browser performance
- Full disk image backup and restore
- Includes file syncing
- Protects against ransomware and malicious URLs
Cons
- Try&Decide feature doesn’t work well on Windows
- Cloud sync requires installing True Image on at least two PCs
- Confusing interface
In a very real way, backup is the ultimate security, and backup is the main function of Acronis True Image. Ransomware creators know this, and some design their nasty programs to attack both local files and backups—but Acronis actively prevents such attacks. Additionally, it includes its own malware and ransomware protection components. Acronis isn’t an antivirus product, so it’s no surprise that the antivirus testing labs don’t include it. Its antivirus component earned a range of scores in my hands-on tests, from mediocre to excellent. To test ransomware protection, I disabled the usual real-time antivirus before releasing the ransomware samples. The ransomware-specific detection layer caught all the samples and restored all affected files.
Application type: Backup is the ultimate security—even if ransomware turns your files to gibberish, you can restore them from backup after dealing with the infestation. Acronis True Image is a backup program that offers protection against malware, including ransomware, built in.
Pricing and pricing tiers: Acronis True Image comes in three feature tiers, Essential, Advanced, and Premium, with yearly subscriptions of $49.99, $72.99, and $124.99, respectively. All three have ransomware protection and local backup; Advanced and Premium also include cloud backup. You can also choose three-license or five-license subscriptions at each level. For example, you’d pay $79.99 for three Essential licenses, or $209.99 for five Premium licenses. At every level, ransomware protection is included.
Ransomware-fighting features: While it’s a backup program at core, Acronis includes behavior-based malware detection. That detection can’t operate until the attacker performs some suspicious actions, which can mean that some files get encrypted before detection kicks in. After it wipes out the ransomware, Acronis should be able to restore those files from local copies. If somehow it doesn’t fully succeed, well, you have a complete backup, so you can just manually restore any needed files.
Hands-on testing success: It’s been a few years since I put ransomware protection by Acronis to the test. When I did, it proved effective, successfully blocking all but one of my samples. At that time, I was using a ransomware simulator for additional testing—Acronis blocked all 10 simulated ransomware attacks.
People who want comprehensive protection: Some folks like to collect purpose-driven apps—such as antivirus, password managers, and VPNs—each in its own separate category. You figure any app should do at least double duty, and triple is better. Acronis True Image is billed as a backup app, and it does that job very well. However, it also includes antivirus elements, as well as features specifically designed to detect ransomware and reverse any ransomware damage.
Backup believers: When it comes to computer security, you’re a suspenders and belt type. Yes, you’ve got Acronis protecting you from ransomware and using local backups to recover any damaged files. But what if it fails? Well, you do have to eliminate the ransomware program somehow, but once you’ve slain the beast, you’re golden. All your files are nicely stored in your cloud backup, just waiting for easy recovery.
Protection Type: Local Backup
Pros
- Restores your PC to a clean, malware-free state on reboot
- Exempts personal folders from being wiped
- Restores files encrypted by ransomware
- Basic antivirus included
- Inexpensive
Cons
- Didn’t recover all files in testing
- Defeated by one real-world ransomware sample
- Malware can act freely until eliminated by reboot
- Limited antivirus features
With Data443 Ransomware Remediation Manager, every reboot returns your computer to a safe, ransomware-free state. If it detects active ransomware, it immediately reboots the system. It maintains protected copies of files in special folders such as Documents and Pictures, using them to remediate any damage done by the ransomware before the fateful reboot. It detected and eliminated all my real-world ransomware samples in testing, though file recovery wasn’t always perfect. And at $8.99 per year, it has the lowest price of any product in this roundup.
Application type: After a ransomware attack ruins your day, you just wish you could go back to yesterday. That is exactly what Data443 Ransomware Recovery Manager does. It can restore your system to a previous clean state upon reboot, with special handling for documents to prevent loss of your latest changes.
Pricing and pricing tiers: Many security apps offer month-by-month subscriptions, with a significant discount for those who pay for a full year up-front. Data443’s price of $8.99 appears to be a typical monthly subscription, but it’s not. That’s your yearly cost to use this app. It’s not free, but it’s reasonably priced.
Ransomware-fighting features: At the first sign of a ransomware attack, Data443 Ransomware Recovery Manager reboots your PC and restores it to an earlier known clean state. That does mean that any programs you’ve installed or updated get reset to a previous state, so you need to turn off protection while installing or updating anything new. Of course, you don’t want it to throw away the documents you’ve been working on, so it includes special handling for files in folders such as Documents and Pictures.
Hands-on testing success: When I challenged Data443 with real-world ransomware samples, it detected all of them. Somewhat shockingly, its response to a detection is to reboot immediately, reverting the system to a ransomware-free earlier state. The app performs some special maneuvers to ensure you don’t lose the data files you’ve been working on when it performs the big reset. In testing, it wasn’t always successful at recovering the most recent changes.
Budget-conscious users: Free ransomware protection apps used to abound, but they’ve all fallen by the wayside. You’d love a free solution, but failing that, Data443 Ransomware Recovery Manager is closer to free than any of its competitors, at just $8.99 per year.
Minimalists: When you buy an app, you want it to perform its task with expertise. If an app has dozens of features, you suspect quantity has overtaken quality. Data443 does just one thing—wipe out ransomware and its effects.
Protection Type: Ransomware Protection
Buying Guide: The Best Ransomware Protection for 2026
What Isn’t Here?
This article looks specifically at ransomware protection solutions available to consumers. There’s no point in including free, one-off decryption tools since the tool you need depends on which ransomware has encrypted your files. It’s better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples managed to slip past its detection. I can’t recommend this tool in its current form.
We’ve also omitted ransomware solutions for big business, which typically require central management or a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of my reviews, worthy though these services may be.
It’s also worth noting that several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of those have since vanished for one reason or another. For example, Acronis Ransomware Protection was previously a free standalone tool, but it is now only available as a component within the company’s Acronis True Image software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page used to say, “RansomOff will be back at some point.” Now, there’s no mention of the product.
Trend Micro telegraphed the end of life for its free, standalone RansomBuster product more than a year in advance. RansomBuster is no longer a separate product. However, its ransomware-fighting skills live on, embedded in Trend Micro’s full-blown antivirus utility.
A few ransomware protection tools come from enterprise security companies that have decided to do the world a service by offering their ransomware component for free to consumers. And quite a few of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer available, and Cybereason RansomFree has also been discontinued.
Bitdefender Anti-Ransomware is no longer available for a more practical reason. While it existed, it took an unusual approach. A ransomware attack that encrypts the same files twice would risk losing the ability to decrypt them, so many such programs leave a marker to avoid double encryption. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, “Move on! You’ve already been here!” This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished, leaving the CryptoDrop domain name up for grabs.
How Does a Ransomware Attack Work?
The idea behind ransomware attacks is simple. The attacker finds a way to take something of yours and demands payment for its return. Encrypting ransomware—the most common type—takes away access to your important documents by replacing them with encrypted copies. Pay the ransom, and you receive the key to decrypt those documents (hopefully). Another type of ransomware denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat and poses a lower threat level than encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately, this last type is uncommon.
If a ransomware attack hits you, you won’t know it at first. It doesn’t exhibit the typical signs of malware. Encrypting ransomware operates in the background, aiming to complete its malicious mission before you become aware of its presence. Once it’s finished with the job, it appears on your screen, displaying instructions on how to pay the ransom and retrieve your files. Naturally, the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, it often occurs through an infected PDF or Office document sent to you via an email that appears legitimate. It may even seem to come from an address within your company’s domain. That seems to have happened with the WannaCry ransomware attack some years ago. If you have the slightest doubt as to the legitimacy of the email, don’t click the link. Report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. For example, it could arrive as a drive-by download hosted by a malicious advertisement on an otherwise safe site. You can even contract this scourge by inserting a maliciously programmed USB drive into your PC, although this is less common. If you’re lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. An international consortium of law enforcement and security agencies dismantled the group behind CryptoLocker years ago. Still, other groups kept the name alive, applying it to their own malicious creations.

Can You Recover Ransomware Files?
Even if ransomware gets past your antivirus, chances are good that within a short while, an antivirus update will clear the attacker from your system. The problem, of course, is that removing the ransomware itself doesn’t restore your files. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, depending on which ransomware strain encrypted your files, there’s a faint chance of recovery. If your antivirus software (or the ransom note) provides you with a name, that’s a great help. Many antivirus vendors, including Trend Micro and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility requires the unencrypted original of a single encrypted file to rectify the issue. In other cases, such as TeslaCrypt, a master decryption key is available.
The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attacks.

CryptoDrop Anti-Ransomware maintained copies of your sensitive files in a secure folder that was not visible to other processes. Alas, CryptoDrop has vanished.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file to prevent data loss. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that are later identified as ransomware.
NeuShield Data Sentinel takes an unusual approach. Given that ransomware must announce its presence to request the ransom, it makes no attempt to detect ransomware activity. Rather, it virtualizes file system changes to protected folders and lets you reverse all changes after an attack. To remove the ransomware itself, it rolls back the system to its previous state. In testing, it proved effective, though you could lose one day’s changes to your files.
Data443 Ransomware Remediation Manager also uses virtualization to keep ransomware from making permanent changes. Just reboot, and the ransomware is gone. Of course, you don’t want to lose your own work, so Data443 maintains protected copies of documents, images, and other files. In testing, it detected and eliminated all active ransomware samples, but didn’t always recover files perfectly.
However, the best defense against ransomware is to prevent it from taking your files hostage. There are several different approaches to accomplish this goal.
What Are the Best Strategies for Fighting Ransomware?
A well-designed antivirus utility should eliminate ransomware on sight, but ransomware designers are tricky. They work hard to circumvent old-school signature-based malware detection and adopt more flexible modern techniques. It only takes one slip-up by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus receives an update that removes the ransomware, it cannot restore the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. Behavior-based detection, specifically aimed at encryption-related ransomware behaviors, is becoming more common.
Ransomware typically targets files stored in common locations, such as the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically, they pre-authorize known good programs such as word processors and spreadsheets. When an unknown program attempts access, the security tool asks you, the user, whether to allow it. If that notification appears out of the blue, without any action on your part, block the access!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the best defense against ransomware. First, you should root out the offending malware, possibly with assistance from your antivirus company’s technical support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to determine what defenses the product offers against ransomware.
How to Detect Ransomware
During its lifespan, Cybereason’s free RansomFree utility had one purpose: to detect and avert ransomware attacks. One visible feature of this utility was its creation of “bait” files in locations typically targeted by ransomware. Any attempt to modify these files triggered a ransomware takedown. It also relied on other forms of behavior-based detection, but its creators were naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid? Alas, maintaining this free product for consumers proved impractical for the enterprise-focused company.
Several antivirus products employ behavior-based detection to block any ransomware that evades your regular antivirus. They don’t use “bait” files; rather, they closely monitor how programs treat your documents. On detecting ransomware, they quarantine the threat.
ZoneAlarm Anti-Ransomware also uses bait files, but they’re not as visible as RansomFree’s. It also employs additional layers of protection. In testing, it defeated all my real-world ransomware samples, fixing any affected files and removing ransom notes. By observation, Data443 also uses bait files to supplement its detection of ransomware behaviors.
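The bait-file idea described above can be shown in a few lines. The following Python sketch is an added example, not code from RansomFree, ZoneAlarm, Data443, or PCMag; the decoy file names and the ".locked" extension are made up, and it only polls file hashes rather than intercepting writes or stopping any process.

```python
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names (an assumption of this example, not from any product).
BAIT_NAMES = ("!0_budget_2019.docx", "!0_family_photos.jpg", "~zz_passwords.txt")

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_bait(folder: Path) -> dict[str, str]:
    """Create decoy files in `folder` and return a {filename: sha256} baseline."""
    baseline = {}
    for name in BAIT_NAMES:
        path = folder / name
        path.write_bytes(os.urandom(16) + b"decoy content, never edited by the user\n" * 64)
        baseline[name] = _digest(path)
    return baseline

def check_bait(folder: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (filename, event) for every decoy that was changed, renamed or deleted."""
    alerts = []
    present = {p.name for p in folder.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            # A decoy that reappears with an extra extension counts as renamed.
            renamed = sorted(n for n in present if n.startswith(name + "."))
            alerts.append((name, f"renamed to {renamed[0]}" if renamed else "deleted"))
        elif _digest(folder / name) != digest:
            alerts.append((name, "modified"))
    return alerts

def demo() -> list[tuple[str, str]]:
    """Constructed scenario: one decoy overwritten, one renamed, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        baseline = plant_bait(folder)
        assert check_bait(folder, baseline) == []  # nothing touched yet
        (folder / BAIT_NAMES[0]).write_bytes(os.urandom(4096))  # simulated overwrite
        (folder / BAIT_NAMES[1]).rename(folder / (BAIT_NAMES[1] + ".locked"))
        return check_bait(folder, baseline)

if __name__ == "__main__":
    for name, event in demo():
        print(f"ALERT bait file {name}: {event}")
```

Because no legitimate program has a reason to touch a decoy, any alert here is a strong signal, which is why bait files produce few false positives compared with watching real documents.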
Webroot AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections and journals every local action. Meanwhile, at Webroot Central, the unknown program undergoes a thorough analysis. If it proves malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn’t unlimited in size and advises keeping all important files backed up.
Of course, the primary purpose of Acronis True Image is backup, but its active protection module monitors and prevents ransomware behavior. It utilizes whitelisting to prevent falsely flagging valid tools, such as encryption software. It also actively protects the main Acronis process against modification and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.

How to Prevent Ransomware
If a brand-new ransomware program bypasses Trend Micro Antivirus+ Security, it won’t be able to cause significant damage. The Folder Shield feature protects files in Documents and Pictures, in local folders representing online storage for file-syncing services, and on USB drives. Avast has added a very similar feature to Avast Premium Security.
Panda Dome Advanced offers a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each user account on Windows. It also protects specific file types, including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. Panda also protects against all unauthorized access, including reading the data of protected files, so it blocks data-stealing Trojans as well.
Testing this sort of defense is easy enough. I wrote a very simple text editor that was guaranteed not to be whitelisted by the ransomware protection system. I attempted to access and modify protected files, and in almost every case, I verified that the defense worked.
How to Make Ransomware Pass You Over
Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include a check to ensure they don’t attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.
During its existence, Bitdefender Anti-Ransomware specifically prevented infestations by TeslaCrypt, BTC-Locker, Locky, and the first edition of Petya. It had no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly couldn’t help against a brand-new strain the way a behavior-based detection system can. These limitations and the ever-changing nature of malware caused Bitdefender to withdraw the tool, relying instead on the powerful ransomware protection of its full-scale antivirus.
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product allows you to turn off its normal real-time antivirus protection while leaving ransomware detection active. Of course, testing is more straightforward when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.

Additionally, ransomware samples are challenging to deal with. For safety, I run them in a virtual machine without an internet or network connection. Some won’t run at all in a virtual machine. Others do nothing without an internet connection. And they’re just plain dangerous! When analyzing a new sample and determining whether to add it to the collection, I keep a link open to a log folder on the virtual machine host. Twice now, I’ve had a ransomware sample reach out and start encrypting those logs.
Recovering your files after an attack is beneficial, but completely preventing that attack is even more effective. The products listed here employ different approaches to safeguarding your files. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware is our top choice for ransomware-specific security protection. It detected all of our ransomware samples, including the disk-encrypting Petya, and repaired all files damaged by the ransomware. If your budget doesn’t stretch to paying for a ransomware protection add-on, consider switching to an antivirus or security suite with a ransomware-specific protection layer, such as Bitdefender Antivirus Plus or Sophos Home Premium.
Editors’ Note: Given that the US government has banned new sales of Kaspersky security products, we no longer recommend them.
