You’re a home or small business user and a dialogue box has just appeared telling you that your Windows PC's files are now encrypted and you have 48 hours to pay £350 ($500) in Bitcoins to get them back. Fail to meet that deadline and the price will rise.
Crypto ransomware targeting Windows turned into a mass phenomenon about five years ago. And by the time you saw the ransom demand, it was too late to pull the plug on the PC to stop further compromise. Your only option was to haul out backups, assuming you had them.
Today, the situation has improved a bit, although the right kind of backups (see below) is still the number one defence. Antivirus programs are now better tuned to block ransomware, usually by watching for the actions of specific variants, while a few even claim they can clean up the mess after the fact. This is the second priority: making sure that the system is free of infection before reinstating data.
Beyond that, it’s about preparing better defences for future attacks, which might be easier than some assume. Although ransom malware almost always uses unbreakable public key encryption to lock files, the number of variants is relatively small at any one time. It is possible for a security programme to be tuned to spot the most active ransomware by watching for known behaviour, such as the way it interacts with the filesystem.
This article lists the small but slowly growing list of dedicated tools that can be used to achieve clean-up, detection and even – in a very small number of specific cases – decryption.
Obviously, no product can offer 100 percent ransomware removal, not even a fraction of that if we're honest. Businesses and individuals should still operate carefully online, follow security best practice and back up their data. But many of these tools will help protect your systems and help you recover as fast as possible with minimal damage to your systems and networks.
It needs to be underlined in bold that competent backup is still the single most important defence against ransomware. Without that on hand, simply removing the infection is just a way of getting back the system, not the data that was on it.
Anti-ransomware Tools - Overview
Ransomware clean-up tools fall into three types. The first are disinfection tools for PCs that need to be certified clean before data is restored after an incident, a feature that is integrated into a small number of mainstream anti-virus programmes. A second, rarer category helps with decryption of specific ransomware attacks, although these tend to be very limited and depend on researchers recovering individual key databases after police action against the criminals. A third are protection tools, not strictly clean-up but interesting all the same. These use behavioural analysis to spot the sorts of events that suggest ransomware is on a system and intercept it before it can do any damage.
Disinfection tools are aimed at consumers on the assumption that businesses and larger organisations have other ways of dealing with malware infection, usually by wiping the infected machine and reinstalling the operating system. That is an option for technically-confident consumers too although it is a lot more time consuming and might not be convenient.
Most tools are free. A number of alternatives are available that scan for infection before asking for a fee to perform removal. We ignored these products - the idea of paying to remove something that can be removed for nothing using other products strikes us as a bad deal.
We didn’t test the effectiveness of tools against real ransomware samples. Such a test would be incredibly difficult to conduct and, of course, some of the tools are also specific to particular ransomware campaigns that ran in the recent past and might no longer be active. If you’ve been affected by ransomware, this list is still a good place to start researching clean-up and prevention.
IMPORTANT: before using any removal utility, record the Bitcoin wallet address used to demand payment and, if possible, the list of encrypted files. Both of these should be visible in the ransomware screen. Doing this will give the user a chance of recovering encrypted files (see below) should the private keys used by the criminals be discovered by researchers at some point in the future.
Best ransomware removal tools 2017
1. AVG ransomware decryption tools
With the tagline 'Hit by ransomware? Don’t pay the ransom!', you'd expect a lot from AVG's decryption tools. And it does seem to deliver.
AVG provides decryption tools for a variety of ransomware, while also offering lots of resources and guides to walk you through a typical ransomware attack (depending on the type of ransomware, of course).
2. Trend Micro Lock Screen Ransomware Tool
Trend Micro’s tool is designed to detect and rid a victim of 'lock screen' ransomware, a type of malware that blocks users from accessing their PC or systems, and like with all ransomware, attempts to force the victim to pay to get their data back.
Trend Micro lays out two situations in which its tool will be effective. Firstly, when your PC's normal mode is blocked, but its 'safe mode' is still accessible and secondly when lock screen ransomware is blocking both 'normal mode' and 'safe mode'.
In the first scenario, users are required to install the software using a keyboard sequence after bypassing the malware by booting the PC into safe mode. The screen should then appear offering a scan and clean option followed by a reboot.
In the second scenario, where safe mode is impossible to access, Trend Micro allows its removal tool to be loaded onto a USB drive using an uninfected computer and executed from there during a boot.
3. Avast anti-ransomware tools
Not all ransomware is the same or works in the same way. In fact, in most cases, you'll have to find a decryptor that is specifically made for a certain type of ransomware.
All of Avast's decryptors are free and check for viruses at the same time.
Additionally, Avast provides an installation and decryption wizard. It will ask you for two copies of one of your files, one encrypted and one not, in order to compare them and determine the password. This is much quicker if you've got backups, but if not, Avast will recommend locations on your system where uninfected copies may be found.
4. BitDefender Anti-ransomware
BitDefender’s tool is intended to act as a protection against being infected by CTB-Locker, Locky, Petya, and TeslaCrypt ransomware.
The company doesn’t explain how the program works but once loaded it should detect an infection as it commences, stopping it before any files are encrypted. The splash screen is clean and basic in feel, featuring a section that stops executables from running from certain locations and an option to turn on protection from boot. The company emphasises that the program is not intended as a replacement for antivirus but should be used in conjunction with it.
5. Kaspersky anti-ransomware tool
Kaspersky's tool is designed for small to medium-sized businesses and, like Bitdefender's, it aims to prevent ransomware attacks before they disable your systems.
Kaspersky's anti-ransomware tool runs in the background and monitors activity for anything that matches known ransomware behaviour or patterns. This tool is ideal for businesses as it is free for commercial use and simple to navigate, while also offering a good level of protection.
However, it is quite simplistic and only offers preventative protection.
6. Malwarebytes anti-ransomware (formerly CryptoMonitor)
Previously one of the most dedicated utilities out there, CryptoMonitor was another real-time protection product that used two techniques to do its job, ‘entrapment’ and ‘count protection’.
CryptoMonitor was acquired by Malwarebytes and was as a result renamed Malwarebytes anti-ransomware. The idea is that it prevents ransomware from actually encrypting your computer's files in the first place.
Like many of the products listed, Malwarebytes' tool runs in the background and monitors activity on your system to detect suspicious patterns.
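As an added illustration of the behavioural analysis described in the overview and the 'entrapment' and 'count protection' techniques named for CryptoMonitor above (this is example code written for this article, not code from Malwarebytes or any other product listed, and the page does not describe how those products actually implement them), the sketch below treats entrapment as a canary document that no legitimate program should ever write, and count protection as a per-process count of high-entropy overwrites within a short time window. The paths, thresholds and replayed file events are all constructed assumptions.

```python
import math
from collections import defaultdict, deque

# Assumed configuration (constructed for this example, not from any product on the page).
CANARY_PATHS = {"C:/Users/alice/Documents/~canary.docx"}  # hypothetical entrapment file
WINDOW_SECONDS = 10      # sliding window for count protection
COUNT_THRESHOLD = 5      # high-entropy overwrites per process per window
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted output sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext scores near 8, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)  # process -> timestamps of high-entropy writes

    def observe(self, ts, proc, path, data):
        """Return a reason string if proc should be stopped, else None."""
        if path in CANARY_PATHS:  # entrapment: nothing legitimate edits the canary
            return f"entrapment: {proc} wrote canary {path}"
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            return None  # ordinary document save, not ciphertext
        q = self.recent[proc]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()  # forget high-entropy writes outside the window
        if len(q) >= COUNT_THRESHOLD:
            return f"count protection: {proc} made {len(q)} high-entropy writes in {WINDOW_SECONDS}s"
        return None


def run_demo():
    """Replay constructed events: a word processor, a slow archiver and a bulk encryptor."""
    text = b"Quarterly report, draft 3. " * 150        # low entropy
    cipher = bytes(range(256)) * 16                     # uniform bytes, entropy 8.0
    docs = "C:/Users/alice/Documents/"
    events = [(0, "winword.exe", docs + "report.docx", text)]
    events += [(20 * i, "7z.exe", docs + f"backup{i}.7z", cipher) for i in range(5)]  # spread out: no alert
    events += [(100 + i, "crypt.exe", docs + f"doc{i}.docx", cipher) for i in range(5)]  # burst: alert
    events.append((106, "crypt.exe", docs + "~canary.docx", cipher))
    mon = RansomwareMonitor()
    return [a for a in (mon.observe(*e) for e in events) if a]
```

The archiver writes compressed (high-entropy) files too, but only one every 20 seconds, so the window logic keeps it below the threshold; the burst of five overwrites within five seconds and the canary write are what trigger the two alerts.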
7. Kaspersky Lab decryptors
Kaspersky Lab hosts a wide range of decryptors claiming to decrypt lots of nasty types of ransomware. We've listed them with the ransomware they can decrypt. All listed are free to download.
Decrypts files affected by Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman and Dharma ransomware.
Decrypts files affected by Rannoh, AutoIt, Fury, Cryakl, Crybola, CryptXXX (versions 1, 2 and 3) and Polyglot.
Decrypts files infected with Wildfire ransomware, which previously infected large groups in Holland and Belgium.
Created in cooperation with The National High Tech Crime Unit (NHTCU) in the Netherlands, the CoinVault decryptor decrypts files affected by CoinVault and Bitcryptor ransomware.
Decrypts files affected by Shade version 1 and 2.