Anti-Ransomware Software Overview
There are two types of Anti-Ransomware software programs: those that protect the system in real-time against incoming threats, and those that disinfect the system after a successful ransomware attack.
The following overview of anti-ransomware programs looks at programs that have been designed specifically for those purposes.
It doesn’t include general purpose security software that includes ransomware protection as well. In addition, we made the decision to separate programs designed to protect the system against ransomware attacks from decryptors that decrypt files after successful attacks.
As far as prevention is concerned, there is more that users can do, for instance making sure they run up to date security software, do back ups of important data and keep the backups detached from the system, or use common sense.
Here is a short introductory video on ransomware.
The following programs are designed to protect against ransomware, and/or disinfect computer systems that are already infected.
The programs are sorted alphabetically, and a table at the end provides you with information on how they stack up against each other.
Only a few provide protection against most, if not all, ransomware types, while most protect you only against certain common types, or let you disinfect an already infected computer system.
The listing is quite large, and will grow only over time as ransomware threats become even more mainstream than they are already.
If you want a recommendation, the best solution in our opinion right now is WinPatrol WAR thanks to its layered approach and solid defense system.
AbelSoft AntiRansomware is a commercial program that runs a background guard that scans the system for software that resembles ransomware. It uses algorithms to detect ransomware, and protects user folders as well as custom folders by monitoring them specifically for changes.
A 30-days limited trial version is provided on the developer website.
Bitdefender Anti-Ransomware Software
Bitdefender’s program runs silently in the background after it has been installed on a supported version of the Windows operating system.
It has been designed to protect the system against the CTB-Locker, Locky and TeslaCrypt crypto ransomware families.
According to Bitdefender, it will protect against known and possible future versions of these families.
CryptoPrevent is a long standing program designed to protect the operating system in real-time against ransomware and other threats.
It displays options on first run to select a protection level which you may increase or decrease as you see fit. The higher the level the better the protection, but the more likely it is that false positives occur.
The program adds group policy objects to the Windows Registry that prevent executable files from running in certain locations on the system. It furthermore uses hash definitions, program filtering and logic based on certain attributes of executable files to determine whether it should be launched on the system.
GridinSoft Anti-Ransomware is available as a free beta release. The product page offers little information on how the protection works unfortunately, but states that it prevents data from popular ransomware families and cyberlockers.
HitmanPro.Alert is on first glance an anti-exploit program which should help against certain ransomware attacks as well.
But instead of stopping there, it includes protection against CryptoGuard ransomware as well. The program requires a valid HitmanPro license.
Interestingly enough, its feature set makes it quite the unique tool even if you compare it against other anti-exploit software such as EMET or Malwarebytes Anti-Exploit.
HitmanPro.Kickstart is a complementary software for HitmanPro that you can boot from to run HitmanPro to remove ransomware infections from the Windows operating system installed on the PC.
It has been designed specifically to remove lock screen ransomware from the computer system.
Kaspersky Anti-Ransomware Tool for Business
Kaspersky’s solution against ransomware is called Kaspersky Anti-Ransomware Tool for Business. While designed for businesses in particular, the program is available as a free download currently on Kaspersky’s website.
The anti-ransomware program runs in the background after installation monitoring the file system for suspicious activity. It comes with a signature database to detect known threats, and uses a cloud-based service on top of that.
The program supports rollback operations, and ships with options to trust certain applications.
Malwarebytes Anti-Ransomware (Beta)
Malwarebytes’ program is currently offered as a beta that is free to install. It is unclear right now if the program will remain free after the beta or may be integrated in the company’s other products.
Apart from preventing infections from known ransomware such as CryptoLocker, CryptoWall, CTBLocker and Tesla, it implements something the developers call proactive protection against ransomware.
Malwarebytes Anti-Ransomware uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files. It has no shot at encrypting. And it does not rely on signatures or heuristics, so it’s light and completely compatible with antivirus.
The program needs to run on the computer system to block ransomware from attacking the computer successfully.
McAfee Ransomware Interceptor (Beta)
McAfee Ransomware Interceptor is a beta program designed to monitor the system, detect ransomware processes, and terminate and block them before they start to do damage to the system.
The program offers little information in regards to the ransomware threats that it protects against, or how it determines whether a process is ransomware.
Controls are limited to starting and stopping the monitoring, and to whitelist files to avoid having processes flagged as ransomware that are not.
The only other option provided at this point in time is to view the program’s detection log.
RansomFree creates honeypots on the local file system, and monitors those for suspicious activity.
Folders and files that it creates are randomized, but placed always at the top of the directory structure based on the characters used for the names.
The main idea is that ransomware cannot distinguish between lucrative and honeypot files. This means that ransomware will usually go through the file listing from top to bottom, and if it does, RansomFree will block it from encrypting legitimate files.
The program works on Windows 7 and newer, and supports local and network drives.
SBGuard Anti-Ransomware hardens the operating system against ransomware threats. It is not a a program that monitors the system for threats, but will modify certain settings on the system to make it harder for ransomware to attack the data on it.
According to the description, it injects around 700 Registry entries to force Windows Group Policy to use inbuilt software execution restriction capabilities in certain locations, and prevent certain file types from executing.
Trend Micro Anti-Ransomware Tool
Trend Micro’s program for Windows has been designed specifically for lock screen ransomware. It refers to ransomware that limits user access to the computer.
The company has released two versions of the program for home users. The first can be used if the ransomware blocks access to the operating system only, but not to Safe Mode with Networking.
You can run the tool in Safe Mode with Networking then to remove the threat from the system and restore its full functionality.
The second version of the program is provided as a bootable USB version which you can run if both Safe Mode and regular mode are blocked by the ransomware.
WinPatrolWar (formerly known as WinAntiRansom)
WinPatrol War is a commercial anti-ransomware software program that block ransomware threats on Windows systems. While commercial, it is available for a one-time payment starting at $69.95 for a single-device lifetime license, or $19.95 for a single device one-year subscription.
The program uses a layered approach, and mixes it up with all kinds of cool features. For instance, it protects important files using its SafeZone feature to prevent ransomware slipping by from manipulating files.
Other layers include network lockdown, which protects mapped drives, and Registry protection, which protects important Registry keys from being manipulated by ransomware.
While designed specifically for ransomware, WinPatrol War will block other malware as well thanks to its layered approach.
Anti-Ransomware Software Comparison
|Program Name||Free||Beta||Ransomware||Real-time Protection||Disinfection||Supported OS||Comments|
|AbelSoft AntiRansomware||no||no||unknown||yes||no||Windows 7 and up||Trial available, full version price is €14.90|
|Bitdefender Anti-Ransomware||yes||no||CTBLocker, Locky, TeslaCrypt||yes||no||all supported versions of Windows|
|CryptoPrevent||yes||no||unknown, developer cites “large number of cryptoware”||yes||no||Windows XP to Windows 10||Paid versions available, protects against other malware, folder watch protection|
|Gridinsoft Anti-Ransomware||yes||yes||unknown||yes||no||all supported versions of Windows|
|HitmanPro.Alert||no||no||Cryptoware protection||yes||no||Windows XP to Windows 10||requires HitmanPro|
|HitmanPro.Kickstart||no||no||Lock Screen only||no||yes||Windows XP to Windows 10||requires HitmanPro|
|Kaspersky Anti-Ransomware||yes||no||unknown||yes||rollback||all supported versions of Windows|
|Malwarebytes Anti-Ransomware||yes||yes||CryptoLocker, CryptoWall, CTBLocker, Tesla||yes||no||all supported versions of Windows||Proactive Protection against new ransomware|
|McAfee Ransomware Interceptor||yes||yes||Most unknown, Locky, TeslaCrypt, WannaCry||yes||no||Windows 7 and up|
|RansomFree||yes||no||against more than 40 tested variants||yes||no||all supported versions of Windows||Honeypot system|
|SBGuard||yes||no||hardens the system||no||no||all supported versions of Windows|
|Trend Micro Anti-Ransomware||yes||no||Lock Screen only||no||yes||all supported versions of Windows|
|WinPatrol War||no||no||most, if not all, ransomware||yes||no||all supported versions of Windows||Layered protection, File, network and Registry protection|
Ransomware Decryption Tools
While it is best to prevent ransomware from landing on a system, the following tools may help you remove ransomware from an infected machine.
The list is updated regularly, if you know of a new program, let us know. Instructions on identifying ransomware are provided when you click on the links.
- 777 (Emsisoft, TrendMicro)
- Al-Namrood (Emsisoft)
- Alcatraz Locker (Avast)
- Amnesia (Emsisoft)
- Apocalypse (Avast, AVG, Emsisoft)
- AutoLocky (Emsisoft, TrendMicro)
- BadBlock (Avast, AVG, Emsisoft, TrendMicro)
- Bart (Avast, AVG)
- Cerber (TrendMicro)
- Chimera (TrendMicro)
- CoinVault (Kaspersky)
- Cry128 (Emsisoft)
- Cry9 (Emsisoft)
- CrypBoss (Emsisoft)
- Crypt888 (Avast, AVG)
- CryptInfinite (Emsisoft)
- CryptoDefense (Emsisoft)
- CryptOn (Emsisoft)
- CryptXXX (TrendMicro)
- CryptoMix (Avast)
- Crysis (Avast, TrendMicro)
- Damage (Emsisoft)
- DemoTool (TrendMicro)
- DMALocker (Emsisoft)
- DXXD (TrendMicro)
- Fabiansomware (Emsisoft)
- FenixLocker (Emsisoft)
- FindZip (Avast)
- Globe (Avast, Emsisoft, TrendMicro)
- GlobeImposter (Emsisoft)
- Gomasom (Emsisoft)
- Harasom (Emsisoft)
- HiddenTear (Avast)
- HydraCrypt (Emsisoft)
- KeyBTC (Emsisoft)
- Jigsaw (Avast, TrendMicro)
- Lechiffre (Emsisoft, TrendMicro)
- Legion (Avast, AVG)
- Malboro (Emsisoft)
- Mircop (TrendMicro)
- MRCR (Emsisoft)
- Nemucod (Emsisoft, TrendMicro)
- NMoreira (Emsisoft)
- NoobCrypt (Avast)
- OpenTo You (Emsisoft)
- OzozaLocker (Emsisoft)
- PClock (Emsisoft)
- Philadelphia (Emsisoft)
- Radamant (Emsisoft)
- Rakhni (Kaspersky)
- Rannoh (Kaspersky)
- Shade (Kaspersky, McAfee)
- SNSLocker (TrendMicro)
- Stampado (Avast, Emsisoft, TrendMicro)
- SFZLocker (Avast, AVG)
- Teamxrat/Xpan (TrendMicro)
- TeleCrypt (TrendMicro)
- TeslaCrypt (Avast, AVG, McAfee, TrendMicro)
- Wildfire (Kaspersky, McAfee)
- Xorbat (TrendMicro)
- Xorist (Emsisoft, Kaspersky, TrendMicro)
- WannaCry (TrendMicro, Wanakiwi)