Detects and quarantines ransomware based strictly on behavior. Performed well in hands-on testing. Lightweight. Free.
Ransomware may encrypt a few files before detection.
- Bottom Line
Malwarebytes Anti-Ransomware Beta watches program behavior to thwart any ransomware that gets past your existing antivirus. This lightweight, free utility makes a great addition to your security arsenal.
Your full-featured antivirus utility probably does a very good job of keeping your PC malware-free. However, nobody's perfect, so every now and then a brand-new virus or Trojan may get past the real-time protection. Even then, an antivirus update usually clears up the situation before long. But if the threat that slipped through was encrypting ransomware, you're in trouble. Sure, the updated antivirus can remove the offending program, but the damage is already done. Your files remain encrypted and inaccessible. Malwarebytes Anti-Ransomware Beta aims to save you this pain by catching any ransomware your antivirus misses.
//Compare Similar Products
Don't shy away because of the "beta" in the name. This free product is perpetually in beta test, receiving all the very latest ransomware-fighting technology from Malwarebytes. Later, when any rough spots have been smoothed, the company moves that technology into the commercial Malwarebytes Anti-Ransomware for Business. This satisfies the IT team, who typically prefer slightly older tech to the cutting edge.
Naturally you get ransomware protection as part of the company's full-scale antivirus replacement, Malwarebytes 3.0 Premium. The standalone ransomware protection product works alongside your existing antivirus, working to catch anything the main antivirus misses.
Ransomware Protection Styles
There are a number of different ways security products implement ransomware protection. One way involves controlling access to protected locations, protected file types, or both. Known good programs such as Windows components and Office programs get the green light. When an unknown app attempts access, the security product warns the user of a possible ransomware attack. If it's just a new document editor, the user can whitelist it with a click; if it's ransomware, another click sends it to quarantine.
Some products just prevent changes to protected files. Others, including IObit Malware Fighter 5 Pro and Panda Internet Security, even prevent unauthorized reading of data from protected files. This type of protection also keeps data-stealing Trojans from siphoning off your private data.
It's conceivable that a tricky ransomware process might do its dirty deeds by subverting a whitelisted program, or find some other way to get around access limitations. Even if that happened, a product that detects ransomware based on its behavior could still foil the attack. That's how Malwarebytes Anti-Ransomware works. Cybereason RansomFree takes a similar approach.
You'll find ransomware-specific protection layers in various standard antivirus products as well. Bitdefender and Trend Micro include such a component. Malware detection by Webroot SecureAnywhere AntiVirus is entirely behavior-based, and this tool's journaling and rollback system for unknown programs can actually reverse a ransomware attack. The company does warn that the space available for journaling and rollback is finite.
Getting Started With Malwarebytes
Malwarebytes Anti-Ransomware is a tiny, lightweight program that installs in a jiffy. Its simple main window has just three tabs: Dashboard, Quarantine, and Exclusions. The dashboard simply confirms that protection is active, and it offers a link to turn protection off and on. You won't see anything in quarantine unless the product thwarts an actual ransomware attack.
Why would you want to exclude a file from detection? Well, this is a beta product, and it's conceivable that a legitimate encryption product might get caught in its net. If you encounter such a false positive, just rescue it from quarantine and put it on the exclusions list.
Testing Ransomware Protection
It's tough to test ransomware protection. The malicious programs themselves sometimes watch for signs of testing and lay low. On the flip side, if you're not careful with real-world ransomware samples, they can escape their virtual machine prison and do real damage.
Products like Panda Internet Security that work by controlling access to files are easy to test. I have tiny test programs that exercise this type of protection.
With behavior-based protection, though, sometimes my only recourse is to use real ransomware, in a carefully controlled environment. My ransomware testing is still evolving. At present, I have three real-world samples, threats that I gathered myself from dangerous websites. Malwarebytes did well in my hands-on test.
The first ransomware sample is moody. Frequently, it just runs as a background process without doing anything. With no behavior, there can be no behavior-based detection, so Malwarebytes gets a pass on this one.
Malwarebytes caught the second one red-handed, quarantined it, and asked for a reboot to finalize its cleanup. After reboot, I observed that during behavior analysis by Malwarebytes, the ransomware managed to encrypt several files. To me, that seems like a natural consequence of behavior-based detection. Without the ransomware behavior, there's no detection, right? However, my contact at Malware bytes says they're "getting really close to solving this."
The third sample also fell prey to Malwarebytes. After reboot, I thought for a moment that the ransomware was still running, because it displayed its ransom demand as a text file, an HTML document, and a PNG image. It turns out, though, that the ransomware simply dumped those files into the startup folder, so they'd open at startup. There was no trace of the malware application itself. Here, again, the malware encrypted several files before protection kicked in.
The only entirely reliable way to test behavior-based ransomware detection is by using actual ransomware. Any simulation that completely duplicated the activity of an encrypting ransomware threat would itself be malware. However, that's no reason to completely write off testing with simulated ransomware.
KnowBe4, a security training company, has released a free tool called RanSim, designed to test your ransomware protection. It runs modules that implement ten common encrypting ransomware techniques, as well as two similar but harmless techniques. In theory, the best product will block all the ransomware techniques and leave the harmless ones alone.
When I tested the active ransomware protection built into Acronis True Image 2017 New Generation, it blocked all but one of the simulated attacks. Of course, a full backup, armored against unauthorized change, is a great help in recovering from malware attack.
RansomFree didn't detect any of the simulated attacks. Its designers pointed out that the simulated attacks affect only files several folder levels below the Documents folder, nowhere else. No real-world ransomware behaves that way.
As for Malwarebytes, it actively defended against eight of the 10 simulated attacks, but missed two. Because of the problems in using simulated ransomware, I consider it a plus when a product detects RanSim's modules, but I treat a RanSim failure as uninformative, not negative.
Add to Your Arsenal
Malwarebytes Anti-Ransomware Beta did well in my simple hands-on testing. Sure, some ransomware encrypted a few files, but without protection, it would have done much, much worse. Ransomware protection is necessarily a matter of layers. What one component missed, another may catch. I've added Malwarebytes to the arsenal of utilities protecting my main production system, along with Norton Internet Security and Cybereason RansomFree.
Other Malwarebytes Corporation Antivirus Software
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips… More »
More Stories by Neil J.
- The Best Ransomware Protection of 2017
When ransomware turns your most important files into encrypted gibberish, and paying big bucks to ge… More »
- Cybereason RansomFree
The consequences of a ransomware attack are dire, so a second layer of defense like Cybereason Ranso… More »
- ForceField (for iPhone)
ForceField gives iPhone-wielding parents a degree of control over their children's activities on iOS… More »