If your antivirus fails to catch a data-stealing Trojan, you can get a new credit card.
If an actual virus gets past its defenses, an aggressive cleanup tool should take care of the problem.
But if your antivirus misses a ransomware attack, you might lose all your documents, or even lose access to your computer.
That's where Cybereason's RansomFree comes in.
This free, dedicated ransomware protection utility works alongside your existing antivirus software.
It focuses 100 percent on detecting and preventing ransomware infestation by watching for behaviors common to these attacks.
In testing, with nasty, real-world malware samples, it gets the job done.
Members of the Cybereason team got their training in the elite Unit 8200 of the Israeli Intelligence Corps, a team dedicated to cybersecurity.
They cut their teeth on military-level cyberattacks, and they now supply high-end defense to major companies including SoftBank, Vizio, and Lockheed Martin.
As the ransomware epidemic began to put more consumers at risk, the company's CEO decided to extract the ransomware component from the full Cybereason security suite and give that ransomware protection to consumers for free.
Small businesses can also use it; bigger businesses should consider the full-scale Cybereason service.
Immediately after installation, RansomFree starts protecting your system against ransomware.
It runs in the background, watching for behaviors specific to ransomware.
As part of this process, it creates "bait" files in prime locations like the Desktop and the Documents folder.
There are no antivirus signatures; RansomFree relies on behavior-based detection.
Attack of the Ransomware
RansomFree was among the first ransomware-specific security tools that I reviewed last year.
At the time I only had a couple of real-world samples, plus hand-modified variants of those.
I now have a half-dozen samples covering various ransomware families.
RansomFree detected and blocked them all.
When it spots a process that acts like ransomware, RansomFree suspends that process and displays a big warning.
You click Yes to terminate the process and clean up any problems.
You could also click No, but I don't recommend that.
There's a link to view all files created, modified, or deleted by the offending process.
Reviewing this info, I could see, for example, that one attacker created an executable file with a random name right in the Documents folder, and turned over control to that program.
Another deleted its on-disk presence after loading into memory.
In some cases, RansomFree popped up two or even three times; I always clicked Yes.
On completion, it warned that the ransomware might have left behind a ransom note or other detritus that you must clean up manually.
Indeed, I found ransom notes in a couple of cases.
I've run into a couple of products that failed to prevent a ransomware attack launched at Windows startup.
IObit Advanced SystemCare Ultimate is an example, as is the free CyberSight RansomStopper.
When I configured a ransomware sample to launch at startup, RansomFree had no trouble detecting and terminating it.
I have on hand a small, simple ransomware simulator, a program I wrote myself.
All it does is find the text files in the Documents folder and apply XOR encryption to them.
This technique simply flips all the one bits to zero and all the zero bits to one; applying it a second time decrypts the file.
This proved to be too simple-minded for RansomFree to notice, and indeed, it's not truly destructive.
Quite a few other competing utilities ignored my FakeCryptor, among them Acronis and CryptoDrop Anti-Ransomware.
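As an added illustration (not code from this review and not Cybereason's implementation), the sketch below plants bait files of the kind described earlier and checks them by hash and byte entropy; the file names, contents, and the 2.0-bit threshold are assumptions. It also shows one property of the bit-flipping simulator just described: inverting every bit leaves the byte entropy unchanged, so only the hash comparison registers the change.

```python
import hashlib, math, os, tempfile
from collections import Counter
def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_bait(folder, names=("~bait_a.docx", "~bait_b.txt")):
    """Write bait files (hypothetical names) and return {path: (sha256, entropy)}."""
    content = b"Quarterly report draft. " * 200  # constructed sample content
    baseline = {}
    for name in names:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = (hashlib.sha256(content).hexdigest(), entropy(content))
    return baseline

def check_bait(baseline, jump=2.0):
    """Compare each bait file with its baseline; jump is an assumed threshold."""
    verdicts = {}
    for path, (digest, ent) in baseline.items():
        if not os.path.exists(path):
            verdicts[path] = "deleted"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            verdicts[path] = "intact"
        elif entropy(data) - ent >= jump:
            verdicts[path] = "modified, entropy jump"
        else:
            verdicts[path] = "modified, entropy unchanged"
    return verdicts

def demo():
    """Alter two bait files in a temp folder and return their verdicts in order."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_bait(folder)
        first, second = sorted(baseline)
        with open(first, "wb") as f:
            f.write(os.urandom(4800))  # random bytes stand in for cipher output
        with open(second, "rb") as f:
            flipped = bytes(b ^ 0xFF for b in f.read())  # invert every bit
        with open(second, "wb") as f:
            f.write(flipped)
        return [check_bait(baseline)[p] for p in (first, second)]
```

Calling `demo()` works only inside a temporary folder it creates and removes, so no real documents are touched.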
Disk Encryption Ransomware
The most common type of ransomware encrypts your essential files, but leaves the computer working.
That makes perfect sense, because the victim needs internet and computer access to pay the ransom.
However, there's another, less common type that performs whole disk encryption, effectively bricking the device until you pay up.
The notorious Petya ransomware is one such, and I've managed to snare a Petya sample.
Behavior-based ransomware protection utilities don't necessarily protect against this type of attack.
Of the four other products I've tested since obtaining the Petya sample, Acronis and RansomStopper prevented a Petya attack, but Malwarebytes Anti-Ransomware Beta and CryptoDrop didn't.
A Cybereason blog post led me to think that RansomFree might stop Petya.
However, when I launched my sample, it proceeded to crash the system and run a pretend low-level disk repair on reboot.
In reality, it was encrypting the disk, not repairing it.
It is worth noting that disk-encrypting ransomware is much less common than the file-encrypting type, and that your antivirus would most likely catch it before it could do any harm.
Simulated Ransomware Conundrum
KnowBe4 is a company known more for its antiphishing trainings than for products, but it does offer the free RanSim Ransomware Simulator.
Without touching any of your own precious files, RanSim simulates the ten most common ransomware techniques, as well as two innocuous related techniques that ransomware protection shouldn't block.
I installed RanSim on the test system and ran its test sequences, with disappointing results.
RansomFree correctly refrained from interfering with the two false-positive scenarios, but it also did nothing to block the 10 ransomware scenarios.
After some digging, head-scratching, and confabulating with both Cybereason and KnowBe4, I came to understand the problem.
RanSim puts its test files in folders within folders, four levels below the Documents folder.
Encrypting such files without touching the actual contents of the Documents folder just isn't a behavior matching any real-world ransomware.
So RansomFree ignores it.
Acronis blocked all 10 scenarios, and Malwarebytes got eight.
Others wiped out the entire test platform, meaning it couldn't report any results.
Other Avenues
Ransomware is a serious problem, so it's not surprising that other companies have devised their own methods to combat it.
All malware detection in Webroot SecureAnywhere AntiVirus ($18.99 for 1-Device on 1-Year Plan at Webroot) is based on behavior, not just ransomware detection.
The antivirus immediately wipes out any process that matches an existing malware behavior profile.
If it isn't 100 percent clear that a suspect process is malicious, Webroot journals its local actions and virtualizes any nonreversible actions such as sending information out across the internet.
When its cloud-based analysis later identifies that suspect process as malware, the local client uses the journal data to reverse all actions by that process, including reversing the encryption actions performed by ransomware.
You must purchase the full Panda Internet Security ($24.99 at Panda Security) suite to get ransomware protection from Panda; the standalone antivirus doesn't include the Data Shield component.
Data Shield aims to protect your precious documents against all unauthorized access, so ransomware can't encrypt your files, and Trojans can't steal your data.
If Panda detects an access attempt by any unauthorized program, it asks you whether to allow it.
Naturally you'll grant permission to that new word processor you just installed, but if the request comes out of the blue, deny it!
Trend Micro Antivirus+ Security and Avast Internet Security are among the other products that foil ransomware by preventing unauthorized file modification.
However, they don't prevent read-only access the way Panda does.
In the realm of tools specifically designed to fight malware, almost all use behavior-based detection.
Bitdefender Anti-Ransomware is an exception; it works by subverting the ransomware's own techniques for avoiding double encryption, "vaccinating" the system so the ransomware thinks it has already done its job.
Check Point ZoneAlarm Anti-Ransomware supplements behavior-based detection with a system for recovering any files that might have been encrypted before detection kicked in.
In testing, it did a perfect job, even eliminating the scattered ransom notes.
With Acronis Ransomware Protection, you get 5GB of cloud storage for your sensitive files.
If ransomware encrypts a file or two before detection, Acronis simply restores from its protected backup.
If 5GB proves insufficient, you can always upgrade to the company's Acronis True Image backup service, which naturally includes the anti-ransomware component.
Trend Micro RansomBuster goes all out, fighting ransomware on multiple fronts.
Its Folder Shield blocks modification of sensitive files, it uses behavior-based detection, and it recovers files from secure storage if necessary.
However, when I turned off Folder Shield for testing, the behavior-based detection missed several samples.
Suspenders and Belt
RansomFree is, as the name suggests, free, and when we tested it with real-world, nasty ransomware, it did yeoman service.
It's not by any means a universal solution, but it's a worthwhile addition to your general-purpose malware protection utility.
I've installed it on my main production PC, and I'd suggest you consider adding it or another free ransomware protection utility to supplement your full-scale antivirus protection.
Check Point ZoneAlarm Anti-Ransomware is our Editors' Choice for ransomware-specific security.
While it isn't free, it also isn't expensive.
It protected against all our ransomware samples and recovered files as necessary, without strewing bait files around the system.