Why You Need Ransomware Protection
A ransomware attack can silently render your most important documents inaccessible, simply by encrypting them. In exchange for paying the ransom you get a key to decrypt those documents. But recovery is iffy. The email account to pay the ransom for the recent Petya ransomware attack got shut down. After that happened, victims couldn't pay up even if they wanted to. And there are reports of a Petya variant that doesn't even try to collect ransom, choosing to simply wreak havoc on government and business networks. Your antivirus really should take care of these attacks, but how much are you willing to gamble on that? Are you feeling lucky?It's even worse when your business gets attacked by ransomware. Depending on the nature of the business, every hour of lost productivity might cost thousands of dollars, or even more. Fortunately, while ransomware attacks are on the rise, so are techniques for fighting those attacks. Here we look at anti-ransomware tools you can use to protect yourself from ransomware.
What Is Ransomware, and How Do You Get It?
The premise of ransomware is simple. The attacker finds a way to take something of yours, and demands payment for its return. Encrypting ransomware, the most common type, takes away access to your important documents by replacing them with encrypted copies. Pay the ransom and you get the key to decrypt those documents (you hope). There is another type of ransomware that denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat, and just doesn't pose the same level of threat as encrypting ransomware.
If you're hit by a ransomware attack, you won't know it at first. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, quite often it happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company's domain. That seems to be what happened with the recent WannaCry ransomware attack. If you have the slightest doubt as to the legitimacy of the email, don't click the link, and do report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. A drive-by download hosted by a malicious advertisement on an otherwise-safe site, for example. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your antivirus will catch it immediately. If not, you could be in trouble.
CryptoLocker and Other Encrypting Malware
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. It surfaced about three years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.
Ransomware Removal
Even if ransomware gets past your antivirus, chances are good that within a short while an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, there's a faint chance of recovery, depending on which ransomware strain encrypted your files. If your antivirus gives you a name, that's a great help. Many antivirus vendors, among them Kaspersky, Trend Micro, and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are a number of different approaches to accomplish this goal.
Anti-Ransomware Strategies
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection. And it only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can't bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at ransomware behaviors is becoming more common.
Ransomware typically goes after files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company's tech support. With that task complete, you simply restore your backed-up files. Note that some malware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
Detecting Ransomware Behavior
Cybereason's free RansomFree utility is unusual in that its sole purpose is to detect and avert ransomware attacks. One very visible feature of this utility is its creation of "bait" files in locations typically targeted by ransomware. Any attempt to modify these files triggers a ransomware takedown. It also relies on other forms of behavior-based detection, but its creators are naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid?
Malwarebytes Anti-Ransomware Beta also uses behavior-based detection to take down any ransomware that gets past your regular antivirus. It doesn't use "bait" files; rather it keeps a close eye on how programs treat your actual documents. On detecting ransomware, it quarantines the threat.
Check Point ZoneAlarm Anti-Ransomware also used bait files, but they're not as visible as RansomFree's. And it clearly uses other layers of protection. It defeated all of my real-world ransomware samples in testing, fixing any affected files and even removing the spurious ransom notes that one sample displayed.
Webroot SecureAnywhere AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections, and it journals every local action. Meanwhile, at Webroot central, the unknown program goes through deep analysis. If it proves to be malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn't unlimited in size, and advises keeping all important files backed up.
If Trend Micro Antivirus+ Security detects a suspicious process attempting file encryption, it suspends the process, backs up the file, and keeps watching. When it detects multiple encryption attempts in rapid succession, it quarantines the file, notifies the user, and restores the backed-up files. I didn't specifically test this feature when I reviewed Trend Micro last fall, but my contacts at the company assure me this is how it works.
The main purpose of Acronis True Image 2017 New Generation is backup, of course, but the new Acronis Active Protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
The Data Hjiacking Protection feature in Qihoo 360 Total Security watches for ransomware behavior. However, rather than terminate suspect processes, it simply prevents them from accessing files in specific protected locations such as the Documents folder. In testing, I couldn't goad it into action. Ransomware-specific detection in G Data Antivirus, on the other hand, visibly did its job. When I turned off the regular real-time antivirus and released some ransomware samples, it caught them red-handed. Quick Heal Internet Security also claims to detect ransomware by its behavior, but since it offered no way to disable antivirus protection without also disabling ransomware protection, I couldn't test it.
Preventing Unauthorized Access
If a brand-new ransomware program gets past Bitdefender Antivirus Plus, it won't be able to do much damage. Bitdefender blocks attempts by any unauthorized program to modify, delete, or create files in a protected folder. And the list of protected folders includes Documents, Desktop, Pictures, Music, and Videos, as well as folders on file-syncing services such as OneDrive, Dropbox, Box, and Google Drive. Avast has recently added a very similar feature to Avast Internet Security and Avast Premier.
Trend Micro's Folder Shield feature protects the Documents folder and all its subfolders, by default. The user can choose any other single folder, if desired, but only one folder and its subfolders. No unauthorized program can delete or modify files in the protected zone, though file creation is permitted. In addition, the company offers a ransomware hotline that's available to anyone, even noncustomers. On the hotline page you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
Panda Internet Security, along with all of Panda's other suite products, offers a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file's data, so it balks data-stealing Trojans too.
IObit Malware Fighter 5 Pro protects specific file types regardless of their folder location. Like Panda, it prevents all unauthorized access. Its regular antivirus component didn't do well in testing, though. In particular, it identified quite a few malware samples as safe and as dangerous simultaneously.
Testing this sort of defense is easy enough. I wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection. I attempted to access and modify protected files. And in almost every case I verified that the defense worked. The exception was Qihoo 360, which only blocks access by programs it also deems suspicious.
File Recovery
The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attack. I expect we'll see similar features in other backup tools.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious and repairs any damage caused by processes that turn out to be ransomware.
The Kure is an unusual product that restores your PC to a clean, malware-free state every time you reboot. Of course, you don't want to lose your documents and other personal files when this occurs, so it exempts areas like the Documents folder from this "Groundhog Day" effect. That also means that while rebooting would get rid of active ransomware, you'd still have the problem of encrypted files. To get around this, The Kure maintains a hidden, encrypted copy of files in those exempted folders. In testing, it successfully recovered from a ransomware attack.
In addition to behavior-based malware detection, Quick Heal also maintains a silent, encrypted backup of your document files. However, recovery of those files is not automatic. Once you get rid of the ransomware, you must contact tech support for help with recovery.
Testing Anti-Ransomware Tools
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is simpler when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.
In addition, ransomware samples are tough to deal with. For safety, I run them in a virtual machine with no connection to the internet or network. Some won't run at all in a virtual machine. Others do nothing without an internet connction. And they're just plain dangerous! When I'm analyzing a new sample, determining whether to add it to my collection, I keep a link open to a log folder on the virtual machine host. Twice now I've had a ransomware sample reach out and start encrypting my logs.
KnowBe4 specializes in training individuals and employees to avoid getting hit by phishing attacks. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 types of ransomware attack, along with two innocuous (but similar) behaviors. A good RanSim score is definitely a plus, but i don't treat a low score as a minus. Some behavior-based systems such as RansomFree don't detect the simulation, because no actual ransomware limits its activities to subfolders four levels below the Documents folder.
What's Not Here
This article looks specifically at ransomware protection solutions that are available to consumers. There's no point in including the free, one-off decryption tools, since the tool you need totally depends on which ransomware encrypted your files. Better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. I can't recommend this tool in its current form.
I've also omitted ransomware solutions aimed at big business, which typically require central management or even a dedicated server. Malwarebytes Anti-Ransomware for Business and Sophos Intercept X, for example, are beyond the scope of my reviews, worthy though these services may be.
An Ounce of Prevention
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed below take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware is top choice for ransomware-specific security protection. It turned in a near-perfect performance in testing; its only stumble involved an instance of reporting failure when it actually succeeded.
Featured Ransomware Protection Reviews:
Bitdefender Antivirus Plus Review
Editors' Choice
$39.99 MSRP
Bottom Line: The labs give Bitdefender Antivirus Plus top marks, and it aces some of our own hands-on tests. Beyond that, it adds a wealth of security features that almost qualify it as a security suite....
Check Point ZoneAlarm Anti-Ransomware Review
Editors' Choice
$2.99 MSRP
Bottom Line: Check Point ZoneAlarm Anti-Ransomware is the most effective ransomware-specific security tool we've seen. In testing, it showed complete success against all of our real-world samples.
Webroot SecureAnywhere AntiVirus Review
Editors' Choice
$39.99 MSRP
Bottom Line: Webroot SecureAnywhere AntiVirus remains the smallest, fastest antivirus around, and it aced our hands-on malware-blocking test.
Cybereason RansomFree Review
$0.00 MSRP
Bottom Line: The consequences of a ransomware attack are dire, so a second layer of defense like Cybereason RansomFree is a great idea. It's free; go ahead and install it.
Malwarebytes Anti-Ransomware Beta Review
$0.00 MSRP
Bottom Line: Malwarebytes Anti-Ransomware Beta watches program behavior to thwart any ransomware that gets past your existing antivirus. This lightweight, free utility makes a great addition to your secu...
The Kure Review
$19.99 MSRP
Bottom Line: When your PC has The Kure installed, you can wipe out malware just by rebooting. Your own documents aren't affected, and it even has the ability to reverse the effects of encrypting ransomwa...
Trend Micro Antivirus+ Security (2017) Review
$39.95 MSRP
Bottom Line: Trend Micro Antivirus+ Security earns high scores in our hands-on tests, though not in every independent lab test. Ransomware protection is a welcome addition in this latest version.
Acronis True Image 2017 New Generation Review
$99.99 MSRP
Bottom Line: Acronis True Image 2017 New Generation lets you save an entire copy of your hard drive to the cloud and offers unique security features, but it still lacks some capabilities we've come to e...
G Data Antivirus 2017 Review
$39.95 MSRP
Bottom Line: G Data Antivirus 2017 gets decent marks from the independent testing labs, and it includes components designed to fight specific malware types, including ransomware. However, in our own test...
Panda Internet Security (2017) Review
$49.99 MSRP
Bottom Line: Panda Internet Security includes the features you'd expect in a security suite, plus extras like ransomware protection. It didn't do well in our testing, however
Post a Comment