Ransomware on the Rise
Bank robber Willie Sutton reputedly explained that he robbed banks because "that's where the money is." That same logic applies to the malefactors who write malware—they're in it for the money. Stealing and selling credit card numbers, renting out botnets to spread spam, these are penny-ante operations. The real money is in ransomware, and so it's a growing threat. When your essential files (or business documents) are encrypted, locking you out of them, chances are you will at least consider paying a considerable price to get them back if you don't have them backed up. Ransomware is on the rise, but so are techniques to defeat ransomware attacks.
What Is Ransomware, and How Do You Get It?
The premise of ransomware is simple. The attacker finds a way to take something of yours, and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn't pose the same level of threat as encrypting ransomware.
If you're hit by a ransomware attack, you won't know it at first. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company's domain. If you have the slightest doubt as to the legitimacy of the email, don't click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your antivirus will catch it immediately. If not, you could be in trouble.
CryptoLocker and Other Encrypting Malware
Probably the best-known ransomware strain, CryptoLocker surfaced about three years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.
CryptoWall surfaced not long after CryptoLocker's demise, and reigned supreme for well over a year. Among the ransomware threats currently active are Locky, TeslaCrypt, and Cerber. I've used all three of these in testing antivirus systems, keeping them safely contained in a virtual machine with no connection to the outside world.
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there's a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that's a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.
Strategies for Protection
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection. And it only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can't bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at ransomware behaviors is becoming more common.
Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company's tech support. With that task complete, you simply restore your backed-up files. Note that some malware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
Detecting Ransomware Behavior
Cybereason's free RansomFree utility is unusual in that its sole purpose is to detect and avert ransomware attacks. One very visible feature of this utility is its creation of "bait" files in locations typically targeted by ransomware. Any attempt to modify these files triggers a ransomware takedown. It also relies on other forms of behavior-based detection, but its creators are naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid?
Malwarebytes Anti-Ransomware Beta also uses behavior-based detection to take down any ransomware that gets past your regular antivirus. It doesn't use "bait" files; rather it keeps a close eye on how programs treat your actual documents. On detecting ransomware, it quarantines the threat.
Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn't unlimited in size, and advises keeping all important files backed up.
If Trend Micro Antivirus+ Security detects a suspicious process attempting file encryption, it suspends the process, backs up the file, and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the file, notifies the user, and restores the backed-up files. I didn't specifically test this feature when I reviewed Trend Micro last fall, but my contacts at the company assure me this is how it works.
The main purpose of Acronis True Image 2017 New Generation is backup, of course, but the new Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
The Data Hjiacking Protection feature in Qihoo 360 Total Security watches for ransomware behavior. However, rather than terminate suspect processes, it simply prevents them from accessing files in specific protected locations such as the Documents folder. In testing, I couldn't goad it into action. Ransomware-specific detection in G Data Antivirus, on the other hand, visibly did its job. When I turned off the regular real-time antivirus and released some ransomware samples, it caught them red-handed. Quick Heal Internet Security also claims to detect ransomware by its behavior, but since it offered no way to disable antivirus protection without also disabling ransomware protection, I couldn't test it.
Preventing Unauthorized Access
If a brand-new ransomware program gets past Bitdefender Antivirus Plus, it won't be able to do much damage. Bitdefender blocks attempts by any unauthorized program to modify, delete, or create files in a protected folder. And the list of protected folders includes Documents, Desktop, Pictures, Music, and Videos, as well as folders on file-syncing services such as OneDrive, Dropbox, Box, and Google Drive.
Trend Micro's Folder Shield feature protects the Documents folder and all its subfolders, by default. The user can choose any other single folder, if desired, but only one folder and its subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. In addition, the company offers a ransomware hotline that's available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
Panda Internet Security, along with all of Panda's other suite products, offers a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file's data, so it balks data-stealing Trojans too.
IObit Malware Fighter 5 Pro protects specific file types regardless of their folder location. Like Panda, it prevents all unauthorized access. Its regular antivirus component didn't do well in testing, though. In particular, it identified quite a few malware samples as safe and as dangerous simultaneously.
Testing this sort of defense is easy enough. I wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection. I attempted to access and modify protected files. And in almost every case I verified that the defense worked. The exception was Qihoo 360, which only blocks access by programs it also deems suspicious.
As noted, the surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attack. I expect we'll see similar features in other backup tools.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files.
The Kure is an unusual product that restores your PC to a clean, malware-free state every time you reboot. Of course, you don't want to lose your documents and other personal files when this occurs, so it exempts areas like the Documents folder from this "Groundhog Day" effect. That also means that while rebooting would get rid of active ransomware, you'd still have the problem of encrypted files. To get around this, The Kure maintains a hidden, encrypted copy of files in those exempted folders. In testing, it successfully recovered from a ransomware attack.
In addition to behavior-based malware detection, Quick Heal also maintains a silent, encrypted backup of your document files. However, recovery of those files is not automatic. Once you get rid of the ransomware, you must contact tech support for help with recovery.
Testing Ransomware Protection
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active.
In addition, ransomware samples are tough to deal with. For safety, I run them in a virtual machine with no connection to the internet or network. Some won't run at all in a virtual machine. Others do nothing without an internet connction. And they're just plain dangerous! When I'm analyzing a new sample, determining whether to add it to my collection, I keep a link open to a log folder on the virtual machine host. Twice now I've had a ransomware sample reach out and start encrypting my logs.
KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but i don't treat a low score as a minus. Some behavior-based systems such as RansomFree don't detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.
What's Not Here
This article looks specifically at ransomware protection solutions that are available to consumers. There's no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.
I've also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Malwarebytes Anti-Ransomware for Business and Sophos Intercept X, for example, are beyond the scope of my reviews, worthy though these services may be.
An Ounce of Prevention
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, defense will evolve as well.
%displayPrice% at %seller% Bitdefender Antivirus Plus 2017 combines top-scoring antivirus protection with so many bonus features it would almost qualify as a security suite. Read the full review
%displayPrice% at %seller% Webroot SecureAnywhere AntiVirus remains the smallest, fastest antivirus around, and it aced our hands-on malware-blocking test. Read the full review
%displayPrice% at %seller% The consequences of a ransomware attack are dire, so a second layer of defense like Cybereason RansomFree is a great idea. It's free; go ahead and install it. Read the full review
%displayPrice% at %seller% Malwarebytes Anti-Ransomware Beta watches program behavior to thwart any ransomware that gets past your existing antivirus. This lightweight, free utility makes a great addition to your security arsenal. Read the full review
%displayPrice% at %seller% When your PC has The Kure installed, you can wipe out malware just by rebooting. Your own documents aren't affected, and it even has the ability to reverse the effects of encrypting ransomware. Read the full review
%displayPrice% at %seller% Trend Micro Antivirus+ Security earns high scores in our hands-on tests, though not in every independent lab test. Ransomware protection is a welcome addition in this latest version. Read the full review
%displayPrice% at %seller% Acronis True Image 2017 New Generation lets you save an entire copy of your hard drive to the cloud and offers unique security features, but it still lacks some capabilities we've come to expect in online backup services. Read the full review
%displayPrice% at %seller% G Data Antivirus 2017 gets decent marks from the independent testing labs, and it includes components designed to fight specific malware types, including ransomware. However, in our own tests its scores ranged from excellent to poor. Read the full review
%displayPrice% at %seller% Panda Internet Security includes the features you'd expect in a security suite, plus extras like ransomware protection. It didn't do well in our testing, however, and Panda itself offers more affordable competing products. Read the full review
%displayPrice% at %seller% Quick Heal Internet Security 17 includes such unusual features as silent ransomware protection and a separate, hardened desktop for online banking. However, its core antivirus and firewall components just don't cut it. Read the full review
%displayPrice% at %seller% IObit Malware Fighter 5 Pro boasts an attractive user interface and an effective new ransomware protection engine, but the antivirus labs don't test it, and it failed some of our hands-on tests. Read the full review