What is ransomware?
Simply put, ransomware is a type of malware that encrypts files found on a compromised system and then asks victims to pay a ransom to regain access to their own data.
The “ransom” money could be anywhere from a few dollars to hundreds of thousands of dollars.
Of course, there is never any guarantee that victims will recover access to their files even after paying. But, it makes sense to have the best ransomware protection products in place anyways.
How an iTunes zero-day allowed attackers to install ransomware on the sly https://t.co/5iaAfbuGRE
— Dan Goodin (@dangoodin001) October 10, 2019
Here is the list of the eight best ransomware protection tools:
- CrowdStrike Falcon EDITOR’S CHOICE An endpoint protection platform that combines defense strategies to prevent infection with ransomware. The Falcon platform combines the traditional functions of anti-virus software and firewalls to block a wide range of malware, including ransomware. Start a 15-day free trial.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL) An attack prevention system that combines a vulnerability scanner and a patch manager plus other system hardening services. Runs on Windows and Windows Server. Start a 30-day free trial.
- SpinOne (FREE TRIAL) This SaaS package provides data loss protection through ransomware protection, backup and recovery, risk assessment, compliance auditing, and sensitive data protection. Access a 15-day free trial.
- Acronis Cyber Protect Home Office (FREE TRIAL) This package of security services for endpoints is ideal for combating ransomware because it includes backup and recovery as well as anti-malware. Start a 30-day free trial.
- Malwarebytes Anti-ransomware Uses behavior analysis to uncover malicious intent; something no anti-virus can really accomplish.
- Trend Micro RansomBuster Use this ransomware protection tool to tackle the problem by simply storing data and sensitive files in a secure folder and blocking all unauthorized access to it.
- Webroot SecureAnywhere For users who want a precise security tool that is both effective in fighting ransomware and goes easy on resource consumption. This tool is a perfect choice for individuals and small businesses.
- Bitdefender Antivirus Plus By far one of the best anti-ransomware solutions out there. This is a full-defense suite for those who take their safety seriously – not just against ransomware.
Do you really need protection against ransomware?
If you think your antivirus solution provides enough protection against malware attacks, you’ve got another think coming.
You see, the problem with an antivirus solution is that it may miss newly released ransomware: the earliest it can know about a new strain is after the next update, when the manufacturer adds it to the blacklist or malware database.
Meanwhile, an anti-ransomware solution can stop an attack by tracking processes and programs, checking whether they make symptomatic changes to files and show any other suspicious behaviors or activities.
Then again, even if your antivirus were to detect a malware attack, it still wouldn’t be able to recover the files that had been encrypted by ransomware. Decryption is the forte of anti-ransomware tools.
And so, it makes perfect sense to have an anti-ransomware protection software running in addition to an antivirus solution. This is unless, of course, you choose to install an antivirus solution that includes a ransomware protection tool among its features. We will have a look at a couple of those.
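The behavior-based approach described above, as an added example that is not code from the original article or from any of the products it reviews: per-process file events (a constructed record format) are scored for the symptoms ransomware leaves behind, namely many files rewritten with near-random (encrypted) content and the originals renamed to a new extension or deleted. The event records, thresholds and process names are assumptions for illustration.

```python
import math
import os
from collections import defaultdict
from dataclasses import dataclass

HIGH_ENTROPY = 7.0   # bits per byte; ordinary documents sit well below this, ciphertext near 8.0


@dataclass
class FileEvent:
    """One file-system operation attributed to a process (constructed record format)."""
    pid: int
    process: str
    path: str
    op: str                 # "write", "rename" or "delete"
    data: bytes = b""       # bytes written (for "write")
    new_path: str = ""      # destination (for "rename")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data scores close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def process_indicators(events):
    """Aggregate the symptomatic changes each process made, keyed by pid."""
    ind = defaultdict(lambda: {"process": "", "high_entropy_writes": set(),
                               "extension_changes": 0, "deletes": 0})
    for ev in events:
        p = ind[ev.pid]
        p["process"] = ev.process
        if ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY:
            p["high_entropy_writes"].add(ev.path)
        elif ev.op == "rename" and os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
            p["extension_changes"] += 1
        elif ev.op == "delete":
            p["deletes"] += 1
    return ind


def classify(events, min_files=5):
    """Flag a process when it both mass-rewrites files with ciphertext-like content
    and destroys the originals (renames to a new extension or deletes them)."""
    verdicts = {}
    for pid, p in process_indicators(events).items():
        mass_encrypt = len(p["high_entropy_writes"]) >= min_files
        destroys_originals = p["extension_changes"] + p["deletes"] >= min_files
        verdicts[pid] = "ransomware-like" if mass_encrypt and destroys_originals else "benign"
    return verdicts


# Constructed sample: uniform byte distribution stands in for encrypted output (entropy 8.0).
ENCRYPTED_BLOB = bytes(range(256)) * 4


def sample_events():
    """Constructed event stream: one process encrypts six documents, one edits a single file."""
    evs = []
    for i in range(6):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        evs.append(FileEvent(4242, "updater.exe", doc, "write", ENCRYPTED_BLOB))
        evs.append(FileEvent(4242, "updater.exe", doc, "rename", new_path=doc + ".locked"))
    evs.append(FileEvent(1001, "winword.exe", "C:/Users/alice/Documents/notes.docx", "write",
                         b"Quarterly report draft - nothing unusual here."))
    evs.append(FileEvent(1001, "winword.exe", "C:/Users/alice/Documents/~notes.tmp", "delete"))
    return evs


if __name__ == "__main__":
    print(classify(sample_events()))
```

A real product would collect these events from a kernel or file-system driver and act on the verdict immediately; here the decision logic is the point.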
How serious a threat is it?
As far as ransomware attacks go, 2017 will always be remembered as the year this particular type of malware dominated global cyber-attack headlines. For example:
- Ransomware creators have a good incentive to keep pursuing their trade: it is estimated that they made $1 billion in paid ransoms that year alone
- The WannaCry ransomware struck in May of that year and, by the time the dust had settled, it had wreaked havoc on the digital world: it brought hospitals down to the extent of crippling the National Health Service (NHS) in the UK, hit communications providers, as well as around 10,000 other organizations, an estimated 200,000 personal victims, and reached victims in over 150 countries
Source: Wikimedia Commons
Although the threats had died down by the end of the year, it wasn’t exactly the end of the onslaught. In 2018, the ransomware threat continued and some of the biggest companies on the planet, and even entire cities’ networks, were held ransom:
- In March, the City of Atlanta was hit with the SamSam ransomware but refused to pay the $51,000 ransom. Later, an initial estimate of the recovery bill would put it at around $3 million. That figure quickly shot up to $11 million and could even have gone as high as $17 million.
- In August, TSMC, a major Taiwanese semiconductor manufacturer that supplies companies like Apple, was hit with a new version of the WannaCry ransomware; the attack brought the company’s manufacturing to a grinding halt
Things weren’t much better in 2019; in fact, the number of ransomware attacks doubled and, what’s worse, the malware itself became even more powerful. Some examples:
- Local U.S. governments continued to be targeted, an example being the Administrative Office of the Georgia Courts which had its systems knocked offline.
- Large industries were also hit hard as was the case with Norwegian aluminum company Norsk Hydro; hackers asked for an initial ransom after getting a foothold in the company’s network; they later managed to disable over 20,000 of its computers which were spread across the globe. Final damage: over 50 million dollars.
Sadly, if these recent past years are anything to go by, the future forecast doesn’t look too encouraging. It is anticipated that the attacks will continue to become even more devastating, while the malware grows sneakier as hackers become more clever and target specific industries or victims.
Why should a small business worry about ransomware?
Simply put, there are three main reasons:
- A growing trend: SMBs are increasingly being targeted by hackers; so it’s only a matter of time before you get hit too – especially if you are growing quickly.
- Being the perfect target: SMBs present juicier targets than individuals, they are also less secure than bigger businesses – they sit in a sweet spot.
- No consequences: SMBs don’t have the power to track down or pursue hackers; even if they find out who was responsible for a ransomware attack they still won’t be able to do much about it – this encourages the attackers.
How can a ransomware attack affect your business?
As we have just seen, and apart from the initial loss of data and the crippling of productivity, the fallout from a ransomware attack can continue to affect businesses for a long time after the attack.
Let’s have a look at how:
- An attack can bring your business’ processes to a halt – with your hardware under attack, there is no way you will be able to run your processes or cater to your customers. This will result in a loss of customer trust and, eventually, a decline in profits.
- Loss of sensitive and critical data – a malware infection can result in your business’ data being lost which could also stop you from continuing to work. What’s worse is that your clients’ information could also be stolen which puts them at risk.
- The spread of misinformation – an undetected malware attack could take control of your data and applications and then use it to create fake data and report incorrect results. If you unwittingly continue to use them the end-results can only be worse and might derail your business’ forecast strategy.
- Denial-of-Services (DoS) attacks – malware can be used to bring your business to its knees by simply making it inaccessible to the outside world. On the other hand, scripts run from within your network can be used to isolate you from the data or clients you may need from the outside world. Either way, your business will be starved of input which could cause irreversible damage if, for example, your sales depend on real-time access.
These are only a few of many ways your business can be hurt by a malware attack. And so, the question now becomes: what are the best ransomware protection solutions to choose from?
The best ransomware protection tools
Our methodology for selecting a ransomware protection tool
We reviewed the market for ransomware protection systems and analyzed tools based on the following criteria:
- A protection strategy that includes backup, encryption detection, or intrusion protection
- Alerting for suspicious activity
- User and entity behavior analytics (UEBA) for anomaly detection
- A threat intelligence feed
- System hardening services
- A free trial or a money-back guarantee for a risk-free assessment
- A good deal from a system that provides solid protection at a reasonable price
With these selection criteria in mind, we surveyed the market for ransomware protection tools and identified systems that we are happy to recommend.
CrowdStrike Falcon is an Endpoint Protection Platform (EPP) that includes the ability to identify and block ransomware. The EPP includes a range of modules, such as Falcon Prevent, which is a next generation anti-virus service. This is the core module for blocking ransomware.
- A suite of protection software modules
- Protects Windows, Windows Server, Linux, and macOS
- Mobile version for Android and iOS
- Constantly updated with new Indicators of Compromise
- Browser-based console
The Falcon EPP is based in the cloud. This is an innovative architecture that enables very powerful cybersecurity software to protect devices without placing a heavy processing load on them. The endpoint needs a small agent program installed on it to coordinate threat detection and response. The agent is available for Windows, Windows Server, Linux, and macOS. There is also a mobile version that runs on Android and iOS devices.
The Falcon protection methodology uses AI-based machine learning to spot threats. Suspicious files are uploaded to the CrowdStrike server for further analysis before they are allowed to touch the operating system. The AV service assembles a list of identifiers for newly discovered malware, called “indicators of compromise” (IOCs). This details the entry points and vulnerabilities that new ransomware exploits, enabling the AV to harden an endpoint before it can be infected.
This strategy is great for preventing infection from attachments to emails or Trojan and ransomware programs that masquerade as useful utilities. The CrowdStrike team includes cybersecurity experts and researchers that identify new malware. The team also spots the sources of malware, enabling them to map related attacks. Thus, they can prepare the devices of CrowdStrike customers for a range of attacks that tend to roll out in waves.
- Continues to work when the device is disconnected from the network
- Can contribute to an EDR solution
- Uses AI in threat detection
- Windows, macOS, and Linux
- Mobile protection available
- Full protection requires a multi-element package, not just the endpoint system
The management console for CrowdStrike Falcon is cloud-based and accessed through a browser. Systems managers are able to coordinate the protection of a large number of devices in one place and that includes endpoints on different sites.
CrowdStrike offers a 15-day free trial of the Falcon endpoint protection platform.
CrowdStrike Falcon is our top pick for ransomware protection because it is an endpoint protection platform that combines defense strategies to block infections. The EPP includes a next generation anti-virus solution, a firewall, and intrusion prevention strategies to block a range of hacker attacks, including ransomware.
Start 15-day Free Trial: crowdstrike.com/endpoint-security-products/ransomware/
OS: Cloud based
ManageEngine Vulnerability Manager Plus offers services that prevent ransomware attacks by shutting down entry points that allow access to hackers. This is a system hardening tool that will protect endpoints, network appliances, and web applications.
- Vulnerability scanning
- Automated patch manager
- Configuration management
- Free version available
The key elements of this package are a vulnerability scanner and a patch manager. Patches for operating systems and software packages are often issued because the software house has been notified about security weaknesses in their products. Not applying patches whenever they become available leaves your system exposed to attack by a range of malicious activity, not just ransomware.
The vulnerability scanner is constantly updated by a live threat intelligence feed. After an initial sweep, the scanner keeps working, kicking off a system sweep every 90 minutes, and performing extra investigations whenever a threat intelligence update arrives.
The system discovers all devices connected to the network and then scans each in order to compile a software inventory. This list of operating systems and applications with their version numbers is the basis of a patch management routine.
The patch manager keeps a lookout for patches and updates to its registered list of resources. When one appears, it readies the installers for rollout. System administrators can set up the patch manager so that it will apply all patches at the next available install time window.
Vulnerability Manager Plus is implemented as on-premises software and uses a distributed approach. Each endpoint on the network gets an agent program installed on it – there are agents available for Windows, macOS, and Linux. A central server, which installs on Windows and Windows Server, coordinates agent activities and channels threat intelligence actions to them. It also summarizes feedback from each agent for analysis in the system console.
- An on-premises software package
- Includes a patch manager
- Verifies and stores patch installers
- Options for multi-site protection
- No SaaS version
Vulnerability Manager Plus protects endpoints, network appliances, and web applications. It is available in three editions: Free, Professional, and Enterprise. The free version is limited to monitoring 25 computers. The Professional edition operates for one site and the Enterprise edition caters to WANs. Both paid systems are offered on a 30-day free trial.
SpinOne from Spin.ai is a package of SaaS protection systems that are delivered from the cloud. This service integrates into a specific business productivity system with flavors for Microsoft 365, Google Workspace (Google G Suite), and Salesforce. The platform provides two strategies to defeat ransomware – ransomware activity detection and data backup.
- Automated malware detection
- Human cybersecurity analysis
- Backup and recovery
Luck favors the prepared, and so SpinOne takes regular backups of your cloud storage space, which enables a rapid recovery in the event of any disaster, including a ransomware attack. Spin.ai technicians manage your data recovery and the company offers a 2-hour recovery deadline in its service level agreements (SLAs). Backups can be stored on Azure, GCP, or AWS.
The protection system identifies compromised assets and then immediately revokes all API access to your cloud storage space. It then isolates the encrypted files to prevent the ransomware from spreading. The tool scans back through its records to see which applications recently accessed those damaged files to identify the source of the attack. It then raises an alert, restores the damaged files, and delivers a report of the event.
SpinOne has its own connection security systems so that the link between the Spin.ai system and your cloud platform does not provide a security weak point. The data transfers for backup and recovery are protected by encryption.
You get a range of options over data storage, which includes a local store on your site. The system offers a range of retention periods from 6 months to indefinite backups. However, each file is re-copied if it is updated on your primary cloud storage system.
- Includes backup and recovery
- Integrates into cloud services
- Recovery guarantee
- Doesn’t protect on-premises servers
You can get a 15-day free trial of SpinOne for G Suite, SpinOne for Microsoft 365, or SpinOne for Salesforce.
Acronis Cyber Protect Home Office is an on-device protection system for desktops and laptops. This service, previously known as True Image, has been revamped and renamed in order to cater to the “work from home” market. The system will protect your leisure activities on the Web as well as your remote work connections.
- Backup and recovery
- Cloud storage included
The anti-malware system in the package detects infection from a range of malicious processes, including ransomware. However, no anti-malware system is infallible and, just in case a new strain gets through, the Acronis service will have already backed up all of your data. This means you don’t need to bother paying the ransom to get your data back, you just restore it through the Acronis console. All files are pre-scanned for infection before uploading to backup.
You can choose to back up to removable storage, to a private cloud or public cloud systems, such as Azure or AWS, or to the Acronis Cloud servers. There are three plans for Acronis Cyber Protect Home Office and, apart from the base plan, these include cloud storage space – 1 TB included for free with the top plan.
- Free to use
- Includes cloud storage space
- Backs up data with local and remote repositories
- The full service is charged for
Acronis Cyber Protect Home Office installs on Windows and macOS. The service also includes some cloud-based elements, such as threat intelligence updates for anti-malware. The system is available for a 30-day free trial.
Although it started out in beta mode, this anti-ransomware tool has transformed into one of the best options on the market today. Being a tool created for a specific purpose, it doesn’t eat up processing power and, in fact, has a small digital footprint. Besides, Malwarebytes uses it as part of its bigger, more complete Malwarebytes Endpoint Protection & Response solution. This means they are sure it is a great tool and have confidence in its performance.
- Unique ransomware rollback system
- Zero-day protection
- Light demand on the processor
Once installed, it runs in the background without the need for even an initial scan – it simply starts protecting the device and reacts in real time. The beauty of Malwarebytes is its Ransomware Rollback technology. Any changes that were made to files – like being encrypted by malware – can be reversed. This is done using backups that this anti-malware protection solution keeps for exactly this purpose.
Malwarebytes keeps an eye on all that is going on around it and keeps track of which program or process made which change. When it realizes that something awry has happened, it can easily roll back time and reverse any changes that were made, regardless of whether it was a modification, a deletion, or even encryption.
Thus, for those who might think that this is a lightweight tool, we can only say, “Do not underestimate it”.
- Low CPU demand
- Rollback function
- Includes anti-malware protection
- Part of a wider package of tools that you might not need
The thing that makes Malwarebytes one of the best anti-malware tools out there is that it was designed to protect against the latest online security threats. It, therefore, has the ability to target the most recent malware threats that even some of the other “big league” antimalware solutions haven’t been able to flag yet.
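The rollback idea described above, as an added example that is not Malwarebytes’ code or the article’s own: a change journal keeps a pre-change copy of every file a process is about to touch, attributed to that process, so that modifications, deletions and newly created files (such as a ransom note) can all be undone once the process is flagged. The process id, file names and the simulated tampering are constructed for illustration.

```python
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path


class ChangeJournal:
    """Records a pre-change copy of every file a process touches, keyed by pid, so the
    changes that process made can later be reversed in order."""

    def __init__(self, store: Path):
        self.store = store                   # directory holding the backup copies
        self.entries = defaultdict(list)     # pid -> [(path, backup_copy_or_None), ...]
        self._seq = 0

    def before_change(self, pid: int, path: Path) -> None:
        """Call just before a process writes, renames or deletes `path`."""
        backup = None
        if path.exists():
            backup = self.store / f"{self._seq}.bak"
            shutil.copy2(path, backup)       # preserves content and timestamps
        # backup stays None when the file did not exist: the process is creating it
        self._seq += 1
        self.entries[pid].append((path, backup))

    def rollback(self, pid: int) -> int:
        """Undo every recorded change by `pid`, newest first; returns the number undone."""
        undone = 0
        for path, backup in reversed(self.entries.pop(pid, [])):
            if backup is None:
                path.unlink(missing_ok=True)  # file created by the process: remove it
            else:
                shutil.copy2(backup, path)    # modified or deleted: restore the pre-change copy
            undone += 1
        return undone


def demo() -> dict:
    """Simulate a flagged process (constructed pid 4242) and roll its changes back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store = root / "journal"
        store.mkdir()
        budget = root / "budget.xlsx"
        plan = root / "plan.docx"
        budget.write_bytes(b"original budget data")
        plan.write_bytes(b"project plan")
        journal = ChangeJournal(store)

        # constructed ransomware-style behaviour: overwrite one file, delete another, drop a note
        journal.before_change(4242, budget)
        budget.write_bytes(bytes(range(256)))
        journal.before_change(4242, plan)
        plan.unlink()
        note = root / "README_DECRYPT.txt"
        journal.before_change(4242, note)
        note.write_bytes(b"your files are encrypted")

        undone = journal.rollback(4242)
        return {
            "undone": undone,
            "budget": budget.read_bytes(),
            "plan": plan.read_bytes(),
            "note_exists": note.exists(),
        }


if __name__ == "__main__":
    print(demo())
```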
RansomBuster is free, and although it is a featured component of the Trend Micro Antivirus suite, it is also available as a stand-alone program.
This tool addresses the ransomware issue in a somewhat different way – by baiting the ransomware. Fake files are placed in pre-selected strategic locations around a system and are then watched for any malicious behaviors or attack attempts.
- A free, standalone tool
- Also integrated into Trend Micro Antivirus Suite
- Uses honeytraps
Then, there is Folder Shield – a feature that creates two folders where any documents placed inside them are safe from attacks. No program can edit or delete files that are placed in these folders unless specific authorization has been granted to do so. Of course, new files can be created and this ensures their protection from their inception.
This way, instead of checking every process out or keeping track of changes that are made all over a machine, RansomBuster deals with just two folders (and any subfolders under them) to stop programs, processes or services from accessing them unless they are allowed to. Users can simply create a folder and dump all their sensitive data into it.
Finally, one other great thing about this anti-ransomware solution is that the makers – Trend Micro – have a dedicated ransomware hotline page where visitors can find a variety of tools to fight screen-locker ransomware, submit infected files for investigation, and even have data decrypted after having fallen victim to a malware attack.
- Free to use
- Can be added to Antivirus Suite
- Includes file locker
- Doesn’t include cloud storage
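The bait-file approach described above, as an added example that is not RansomBuster’s code or the article’s own: decoy files are planted under names chosen to sort to the start and end of a directory listing, their content digests are recorded, and a later check reports any decoy that was modified, renamed or deleted. The decoy names, locations and the simulated tampering are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names: "!" and "0" sort before real documents, "zzz" after them, so a
# process that walks a folder in listing order touches a decoy early or late in its run.
DECOY_NAMES = ["!important_passwords.docx", "0_invoices_2019.xlsx", "zzz_backup_keys.txt"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path, names=DECOY_NAMES) -> dict:
    """Create bait files under `root` and return a baseline {path: sha256} to check against."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(f"DECOY {name} - do not edit\n".encode() * 40)
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return (path, finding) for every decoy that was modified, renamed or deleted."""
    findings = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            # ransomware commonly renames the original after writing ciphertext, e.g. adding
            # a new extension; look for a sibling that still starts with the decoy's name
            renamed = [q.name for q in p.parent.iterdir() if q.name.startswith(p.name)]
            findings.append((path, "renamed to " + renamed[0] if renamed else "deleted"))
        elif sha256_of(p) != digest:
            findings.append((path, "content modified"))
    return findings


def demo() -> dict:
    """Plant decoys in a temp dir, simulate a ransomware-style tamper, and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        # constructed tampering: overwrite one decoy, rename another with a new extension
        (root / DECOY_NAMES[0]).write_bytes(bytes(range(256)))
        (root / DECOY_NAMES[1]).rename(root / (DECOY_NAMES[1] + ".locked"))
        return {"clean": clean, "after": [f for _, f in sorted(check_decoys(baseline))]}


if __name__ == "__main__":
    print(demo())
```

In practice the check would be triggered by a file-system watcher rather than polled, and the first finding would be used to suspend the offending process before it reaches real documents.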
Webroot SecureAnywhere is an antivirus that was created for defense against all types of malware, not just ransomware. And yet, the anti-ransomware feature is so effective we had to include it in this list.
- General antimalware
- Constantly updated threat intelligence
A unique feature of this tool is that it keeps track of all processes – legitimate or otherwise – and ignores or removes them depending on which set they belong to. In case of indecision, the tool keeps a close eye on the program or process until it can make a decision either way.
Being a cloud-based antivirus, Webroot SecureAnywhere is easy on resources to the point that it remains unnoticed as it goes about its task. Another advantage is that cloud processing makes it fast at scanning – even during full scans.
- Defends against all types of malware
- SaaS package
- Reverses changes wrought by malware
- Not specifically anti-ransomware
Webroot SecureAnywhere prevents unrecognized processes from connecting online or making irreversible changes and logs everything else they do. All the while, Webroot Central deep-analyzes the processes against a database in the cloud. Should any of them raise a flag, the tool uses its logs to reverse any changes that they may have made, including decrypting any files that were encrypted.
This is, arguably, one of the best anti-ransomware software solutions out there. Bitdefender Antivirus Plus is a full anti-virus suite and, as a full-fledged defense system, it can keep your network safe from various sorts of attacks; even so, it is the protection against ransomware that is quite remarkable.
- Antimalware for endpoints and networks
- Access control for sensitive data
- Also blocks phishing and fraud
This is mainly thanks to Safe Files, a feature that prevents sensitive documents and data storage from being accessed by unauthorized users. Bitdefender also has its own antimalware scan engine and multi-layered anti-ransomware protection.
Apart from fighting ransomware, Bitdefender Antivirus Plus also serves as an anti-phishing and anti-fraud protection tool and has an anti-tracking extension to seek and block web trackers. Are you worried about someone spying on you in the privacy of your office or living room? This suite’s Webcam Protection prevents apps from taking over your camera while Microphone Monitor alerts you when an application tries to access your microphone.
All of this is backed up by features like a password manager, banking protection, VPN, safe online shopping and much more. Surprisingly, although it is a heavy-duty antimalware solution, Bitdefender remains unobtrusive and doesn’t tie up the resources of the machine it is supposed to be protecting.
- Blocks all types of malware
- Protects sensitive data
- Identifies phishing, fraud, and trackers
- Operates per endpoint
Overall, we’d say this is an amazing all-rounded network defense suite.
Deciding on a ransomware protection tool
If you ask which one we would recommend the most, we would still be split between CrowdStrike Falcon Ransomware Protection, Bitdefender Antivirus Plus and Webroot SecureAnywhere. We recommend CrowdStrike Falcon for businesses and enterprises, while the latter two would be ideal for individual or small business users.
Anti Ransomware FAQs
What are the types of ransomware?
The two types of ransomware are called locker ransomware and crypto-ransomware. Locker ransomware attacks hijack access rights systems, preventing a user of a seized device from gaining access. A crypto-ransomware attack is a classic strategy that encrypts files to make them inaccessible.
How long does it take to decrypt ransomware?
The length of time it takes to decrypt ransomware varies according to the volume of data that needs to be decrypted. In general, restoring files from a backup store is quicker than decrypting individual files.
Should I pay a ransom fee to get the decryption key?
About 58 percent of ransomware victims pay to get the decryption key. On the one hand, you might not have a choice and can’t afford to lose important files. However, a company that pays the ransom encourages hackers and makes another attack more likely. A survey in 2018 discovered that 42 percent of victims that paid the ransom didn’t get the decryption key.
How do I know if I'm at risk of ransomware?
All businesses and individuals that have computers connected to the internet are at risk of ransomware attacks. You reduce the likelihood of being attacked if you train your staff in scam-avoidance and improve access rights management.