The Best Ransomware Protection for 2024
Malware exists to make money, and ransomware definitely makes money. Researchers have found examples of ransomware dating back to 1989, but the threat took off with CryptoLocker, which kept the perps anonymous by requiring payment in cryptocurrency. Anti-ransomware tools sprang up to fight this scourge, and we've been putting them to the test for years. These days, we challenge ransomware protection by releasing real-world ransomware samples in an isolated environment. In those tests, ZoneAlarm Anti-Ransomware earned our Editors’ Choice by identifying every type of ransomware we threw at it and repairing any damaged files. Are your files vulnerable? Check right now to make sure your antivirus includes protection against ransomware the way that Bitdefender Antivirus Plus, a rare 5-star Editors' Choice winner, does. Then, consider adding software aimed squarely at ransomware defense. Read on for our reviews of the top tools to do just that.
What Isn't Here?
This article looks specifically at ransomware protection solutions available to consumers. There's no point in including free, one-off decryption tools since the tool you need depends on which ransomware has encrypted your files. It's better to prevent the attack in the first place.
CryptoPrevent Premium, created when CryptoLocker was new, promised several levels of behavior-based ransomware protection. However, at the top security level, it inundated the desktop with bait files, and even at this level, several real-world samples slipped past its detection. We can't recommend this tool in its current form.
We've also omitted ransomware solutions for big business, which typically require central management or a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are beyond the scope of our reviews, worthy though these services may be.
It's also worth noting that several years ago, you could choose from a dozen or so standalone ransomware protection tools from consumer security companies, and many of those tools were free. Most of those have since vanished for one reason or another. For example, Acronis Ransomware Protection used to be a free standalone tool, but now it only appears as a component in the company’s Acronis True Image software. Likewise, Malwarebytes Anti-Ransomware now exists only as part of the full Malwarebytes Premium. As for Heilig Defense RansomOff, its web page used to say, “RansomOff will be back at some point.” Now, there's no mention of the product.
Trend Micro telegraphed the end of life for its free, standalone RansomBuster product more than a year in advance. RansomBuster no longer exists as a separate product. However, its ransomware-fighting skills live on, embedded in Trend Micro's full-blown antivirus utility.
A few ransomware protection tools come from enterprise security companies that decided to do the world a service by offering just their ransomware component as a freebie for consumers. And quite a few of those have also fallen by the wayside, as companies find that the free product eats up support resources. For example, CyberSight RansomStopper is no longer with us, and Cybereason RansomFree has likewise been discontinued.
Bitdefender Anti-Ransomware is gone for a more practical reason. While it existed, it took an unusual approach. A ransomware attack that encrypts the same files twice would risk losing the ability to decrypt them, so many such programs leave some kind of marker to avoid double-dipping. Bitdefender would emulate the markers for many well-known ransomware types, in effect telling them, "Move on! You've already been here!" This approach proved too limited to be practical. CryptoDrop, too, seems to have vanished, leaving the CryptoDrop domain name up for grabs.
How Does a Ransomware Attack Work?
The idea behind ransomware attacks is simple. The attacker finds a way to take something of yours and demands payment for its return. Encrypting ransomware—the most common type—takes away access to your important documents by replacing them with encrypted copies. Pay the ransom, and you get the key to decrypt those documents (you hope). Another type of ransomware denies all use of your computer or mobile device. However, this screen locker ransomware is easier to defeat and doesn't pose the same threat level as encrypting ransomware. Perhaps the most pernicious example is malware that encrypts your entire hard drive, rendering the computer unusable. Fortunately, this last type is uncommon.
If a ransomware attack hits you, you won't know it at first. It doesn't show the usual signs that you have malware. Encrypting ransomware works in the background, aiming to complete its nasty mission before you notice its presence. Once finished with the job, it gets in your face, displaying instructions for how to pay the ransom and get your files back. Naturally, the perpetrators require untraceable payment; Bitcoin is a popular choice. The ransomware may also instruct victims to purchase a gift card or prepaid debit card and supply the card number.
As for how you contract this infestation, it often happens through an infected PDF or Office document sent to you in an email that looks legitimate. It may even seem to come from an address within your company's domain. That seems to have happened with the WannaCry ransomware attack some years ago. If you have the slightest doubt as to the legitimacy of the email, don't click the link. Report it to your IT department.
Of course, ransomware is just another kind of malware, and any malware-delivery method could bring it to you. One example is a drive-by download hosted by a malicious advertisement on an otherwise safe site. You could even contract this scourge by inserting a gimmicked USB drive into your PC, though this is less common. If you're lucky, your malware protection utility will catch it immediately. If not, you could be in trouble.
Until the massive WannaCry attack, CryptoLocker was probably the best-known ransomware strain. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker ages ago. Still, other groups kept the name alive, applying it to their own malicious creations.
Can You Recover Ransomware Files?
Even if ransomware gets past your antivirus, chances are good that within a short while, an antivirus update will clear the attacker from your system. The problem is, of course, that removing the ransomware itself doesn't get your files back. The only reliable guarantee of recovery is maintaining a hardened cloud backup of your important files.
Even so, depending on which ransomware strain encrypted your files, there's a faint chance of recovery. If your antivirus (or the ransom note) gives you a name, that's a great help. Many antivirus vendors, including Trend Micro and Avast, maintain a collection of one-off decryption utilities. In some cases, the utility needs the unencrypted original of a single encrypted file to put things right. In other cases, such as TeslaCrypt, a master decryption key is available.
The surest way to survive a ransomware attack is to maintain a secure, up-to-date backup of all your essential files. Beyond just backing up your files, Acronis True Image actively works to detect and prevent ransomware attacks. We expect to see similar features in other backup tools.
CryptoDrop Anti-Ransomware maintained copies of your sensitive files in a secure folder that's not visible to any other processes. Alas, CryptoDrop has vanished.
As noted, when Trend Micro detects a suspicious process encrypting a file, it backs up the file. If it sees a flurry of suspicious encryption activity, it quarantines the process and restores the backed-up files. ZoneAlarm also tracks suspicious activity and repairs any damage caused by processes that turn out to be ransomware.
NeuShield Data Sentinel takes an unusual approach. Given that ransomware must announce its presence to request the ransom, it makes no attempt to detect ransomware activity. Rather, it virtualizes file system changes to protected folders and lets you reverse all changes after an attack. To get rid of the ransomware itself, it rolls back the system to the previous day's state. In testing, it proved effective, though you could lose one day's changes to your files.
Data443 Ransomware Remediation Manager also uses virtualization to keep ransomware from making permanent changes. Just reboot, and the ransomware is gone. Of course, you don't want to lose your own work, so Data443 maintains protected copies of documents, pictures, and the like. In testing, it detected and eliminated all active ransomware samples but didn't always recover files perfectly.
But really, the best defense against ransomware involves keeping it from taking your files hostage. There are several different approaches to accomplishing this goal.
What Are the Best Strategies for Fighting Ransomware?
A well-designed antivirus utility should eliminate ransomware on sight, but ransomware designers are tricky. They work hard to get around old-school signature-based malware detection and more flexible modern techniques. It only takes one slipup by your antivirus to let a new, unknown ransomware attack render your files unusable. Even if the antivirus gets an update that removes the ransomware, it can't bring back the files.
Modern antivirus utilities supplement signature-based detection with some form of behavior monitoring. Some rely exclusively on watching for malicious behavior rather than looking for known threats. And behavior-based detection specifically aimed at encryption-related ransomware behaviors is becoming more common.
Ransomware typically targets files stored in common locations like the desktop and the Documents folder. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. Typically, they pre-authorize known good programs such as word processors and spreadsheets. On any access attempt by an unknown program, they ask you, the user, whether to allow access. If that notification comes out of the blue, not from anything you did yourself, block it!
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the best defense against ransomware. First, you root out the offending malware, perhaps with help from your antivirus company's tech support. With that task complete, you simply restore your backed-up files. Note that some ransomware attempts to encrypt your backups as well. Backup systems in which your backed-up files appear in a virtual disk drive may be especially vulnerable. Check with your backup provider to find out what defenses the product has against ransomware.
How to Detect Ransomware
During its lifespan, Cybereason's free RansomFree utility had one purpose: to detect and avert ransomware attacks. One visible feature of this utility was its creation of "bait" files in locations typically targeted by ransomware. Any attempt to modify these files triggered a ransomware takedown. It also relied on other forms of behavior-based detection, but its creators were naturally reluctant to offer a lot of detail. Why tell the bad guys what behaviors to avoid? Alas, maintaining this free product for consumers proved impractical for the enterprise-focused company.
Quite a few antivirus products use behavior-based detection to take down any ransomware that gets past your regular antivirus. They don't use "bait" files; rather, they closely monitor how programs treat your documents. On detecting ransomware, they quarantine the threat.
ZoneAlarm Anti-Ransomware also uses bait files, but they're not as visible as RansomFree's. And it clearly uses other layers of protection. In testing, it defeated all our real-world ransomware samples, fixing any affected files and removing ransom notes. By observation, Data443 also uses bait files to supplement its detection of ransomware behaviors.
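The bait-file idea described above, sketched as an added example (not code from this article or from any vendor it mentions): it plants decoy files, records their hashes, and reports any decoy later modified, renamed, or deleted. The file names, the `.locked` extension, and the poll-and-compare approach are assumptions for illustration; the products reviewed here don't disclose how they watch their bait files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names (assumption): ordinary-looking documents and photos.
BAIT_NAMES = ("!000_budget.docx", "~family_photos.jpg", "zz_archive_notes.txt")


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_baits(folder: Path) -> dict:
    """Create bait files with random content; return a {path: sha256} baseline."""
    baseline = {}
    for name in BAIT_NAMES:
        path = folder / name
        path.write_bytes(os.urandom(4096))
        baseline[path] = _digest(path)
    return baseline


def check_baits(baseline: dict) -> list:
    """Return (path, reason) for each bait that was modified, renamed or deleted."""
    alerts = []
    for path, expected in baseline.items():
        if not path.exists():
            # An encrypted copy is often written as "<name>.<new extension>"
            # before the original is removed, so look for such a sibling.
            siblings = sorted(p.name for p in path.parent.iterdir()
                              if p.name.startswith(path.name + "."))
            reason = f"renamed to {siblings[0]}" if siblings else "deleted"
            alerts.append((path, reason))
        elif _digest(path) != expected:
            alerts.append((path, "content modified"))
    return alerts


def demo() -> list:
    """Plant baits in a temp folder, tamper with them, return the alert reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_baits(Path(tmp))
        quiet = check_baits(baseline)               # untouched baits: no alerts
        first, second, third = baseline             # dict keeps insertion order
        first.write_bytes(b"scrambled")             # in-place overwrite
        second.rename(second.with_name(second.name + ".locked"))  # constructed ext
        third.unlink()                              # outright deletion
        return quiet + [reason for _, reason in check_baits(baseline)]


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

A periodic check like this only notices damage after it has happened, which is one reason the products above pair bait files with other layers of behavior monitoring.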
Webroot AntiVirus relies on behavior patterns to detect all types of malware, not just ransomware. It leaves known good processes alone and eliminates known malware. When a program belongs to neither group, Webroot closely monitors its behavior. It blocks unknowns from making internet connections and journals every local action. Meanwhile, at Webroot Central, the unknown program goes through deep analysis. If it proves malicious, Webroot uses the journaled data to undo every action by the program, including encrypting files. The company does warn that the journal database isn't unlimited in size and advises keeping all important files backed up. In our latest round of testing, Webroot successfully rolled back the actions of several real-world ransomware samples but let a couple of others slip past.
The main purpose of Acronis True Image is backup, of course, but this product's active protection module watches for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It also actively protects the main Acronis process against modification, and it ensures that no other process can access backed-up files. If ransomware does manage to encrypt some files before being eliminated, Acronis can restore them from the latest backup.
How to Prevent Ransomware
If a brand-new ransomware program gets past Trend Micro Antivirus+ Security, it won't be able to do much damage. The Folder Shield feature protects files in Documents and Pictures, in local folders representing online storage for file-syncing services, and on USB drives. Avast has added a very similar feature to Avast Premium Security.
Trend Micro also offers a ransomware hotline that's available to anyone, even noncustomers. On the hotline page, you can find tools to defeat some screen locker ransomware and decrypt some files encrypted by ransomware.
Panda Dome Advanced offers a feature called Data Shield. By default, Data Shield protects the Documents folder (and its subfolders) for each Windows user account. It protects specific file types, including Microsoft Office documents, images, audio files, and video. If necessary, you can add more folders and file types. And Panda protects against all unauthorized access, even reading a protected file's data, so it balks data-stealing Trojans, too.
Testing this sort of defense is easy enough. We wrote a very simple text editor, guaranteed not to be whitelisted by the ransomware protection system. We attempted to access and modify protected files. And in almost every case, we verified that the defense worked.
How to Make Ransomware Pass You Over
Ransomware perpetrators lose credibility if they fail to decrypt files for those who pay the ransom. Encrypting the same set of documents multiple times could make it difficult or even impossible to perform that decryption. Hence, most ransomware programs include a check to ensure they don't attack an already-infected system. For example, the Petya ransomware initially just checked for the presence of a certain file. By creating a fake version of that file, you could effectively vaccinate your computer against Petya.
During its existence, Bitdefender Anti-Ransomware very specifically prevented infestation by TeslaCrypt, BTC-Locker, Locky, and that first edition of Petya. It had no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. And it certainly couldn't help against a brand-new strain the way a behavior-based detection system can. These limitations and the ever-changing nature of malware caused Bitdefender to withdraw the tool, relying instead on the powerful ransomware protection of its full-scale antivirus.
How We Test Anti-Ransomware Tools
The most obvious way to test ransomware protection is to release actual ransomware in a controlled setting and observe how well the product defends against it. However, this is only possible if the product lets you turn off its normal real-time antivirus while leaving ransomware detection active. Of course, testing is more straightforward when the product in question is solely devoted to ransomware protection, without a general-purpose antivirus component.
In addition, ransomware samples are tough to deal with. For safety, we run them in a virtual machine without an internet or network connection. Some won't run at all in a virtual machine. Others do nothing without an internet connection. And they're just plain dangerous! When analyzing a new sample and determining whether to add it to the collection, we keep a link open to a log folder on the virtual machine host. Twice now, we've had a ransomware sample reach out and start encrypting those logs.
What Is the Best Ransomware Removal Tool?
Getting your files back after an attack is good, but completely preventing that attack is even better. The products listed here take different approaches to keeping your files safe. Ransomware protection is an evolving field; chances are good that as ransomware evolves, anti-ransomware utilities will evolve as well. For now, ZoneAlarm Anti-Ransomware is our top choice for ransomware-specific security protection. It detected all of our ransomware samples, including the disk-encrypting Petya, and repaired all files damaged by the ransomware. If your budget doesn't stretch to paying for a ransomware protection add-on, consider switching to an antivirus or security suite with a ransomware-specific protection layer, such as Bitdefender Antivirus Plus or Sophos Home Premium.
Editors’ Note: Given that the US government has banned new sales of Kaspersky security products, we no longer recommend them.

