You're a home or small business user and a dialogue box has just appeared telling you that your Windows PC's files are now encrypted and you have 48 hours to pay £350 ($500) in Bitcoin to get them back. Fail to meet that deadline and the price will rise.

Now what?

Image: © iStock/Zephyr18

Crypto ransomware targeting Windows became a mass phenomenon about five years ago. By the time you saw the ransom demand, it was too late to pull the plug on the PC to stop the damage: the files were already encrypted. Your only option was to haul out backups, assuming you had them. The WannaCry and NotPetya outbreaks then showed the world the damage highly distributed ransomware could do, shutting down businesses throughout the world and even parts of the NHS.

Today, the situation has improved a bit, although having the right kind of backups is still the number one defence.

Today's antivirus programs are better tuned to block ransomware, usually by watching for the behaviour of specific variants, while a few even claim they can clean up the mess after the fact. This is the second priority: making sure that the system is free of infection before reinstating data.

Beyond that, it's about preparing better defences for future attacks, which might be easier than some assume. Although ransomware almost always locks files with encryption that cannot be broken (typically a symmetric key per victim or per file, itself wrapped with the attackers' public key so that only they can release it), the number of variants in circulation is relatively small at any one time. It is therefore possible to tune a security programme to spot the most active families by watching for known behaviour, such as a single process rapidly rewriting or renaming large numbers of files.

This article covers the small but slowly growing set of dedicated tools that can be used for clean-up, detection and even, in a very small number of specific cases, decryption.

Our top picks are listed below.

No product can offer 100 percent ransomware removal; realistically, most cover only a fraction of the families in circulation. Businesses and individuals should still operate carefully online, follow security best practice and back up data. But many of these tools will help protect your systems and help you recover as fast as possible with minimal damage to your systems and networks.

It needs to be underlined in bold that competent backup is still the single most important defence against ransomware. Without it, simply removing the infection only gets you back the system, not the data that was on it. We'll underline in bold, too, that no matter how tempted you might be to pay the ransom, it is no guarantee that you'll get any of your data back, or that the promised data is still being held for you to buy at all.

Anti-ransomware Tools - Overview

Ransomware clean-up tools fall into three types. The first is disinfection tools for PCs that need to be certified clean before data is restored after an incident, a feature that is integrated into a number of mainstream anti-virus programmes.

A second category helps with decryption of specific ransomware families, although these tend to be very limited and depend on researchers recovering the criminals' key databases, often after police action against them. More and more vendors are teaming up to make decryption tools available for free, and McAfee has released a framework as part of the No More Ransom project so that a security researcher who has made a breakthrough in decrypting a ransomware variant can build it into the framework quickly.

A third category is protection tools: not strictly clean-up, but interesting all the same.

These use behavioural analysis to spot the sorts of events that suggest ransomware is running on a system and intercept it before it can encrypt anything.

Disinfection tools are aimed at consumers on the assumption that businesses and larger organisations have other ways of dealing with malware infection, usually by wiping the infected machine and reinstalling the operating system. That is an option for technically confident consumers too, although it is a lot more time consuming and might not be convenient.

Paid alternatives

Most of the tools are free. A number of alternatives scan for infection and then ask for a fee to perform removal. We ignored these products: paying to remove something that can be removed for nothing using other products strikes us as a bad deal.

We didn't test the effectiveness of tools against real ransomware samples. Such a test would be incredibly difficult to conduct and, of course, some of the tools are specific to particular ransomware campaigns that ran in the recent past and might no longer be active. If you've been affected by ransomware, this list is still a good place to start researching clean-up and prevention.

IMPORTANT: before using any removal utility, record the Bitcoin wallet address used to demand payment and, if possible, the list of encrypted files. Both should be visible on the ransomware screen. Doing this gives you a chance of recovering encrypted files (see below) should the private keys used by the criminals be discovered by researchers at some point in the future. If any more details are available, such as email addresses, URLs or associated Tor onion addresses, jot these down too, as they might help you (or ransomware researchers) if you submit a report. Keep a copy of the ransom note and of the encrypted files themselves as well, rather than deleting them during clean-up: a decryptor released later needs the ciphertext to work on, and the note plus one or two encrypted files are exactly what an identification service such as No More Ransom's Crypto Sheriff (see below) asks for.
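As an added example (not code from any vendor or from No More Ransom), the following Python script does the recording described above in a repeatable way: it pulls wallet addresses, onion services, e-mail addresses and URLs out of the ransom note with regular expressions, inventories every file carrying the extension the malware appended (path, size, SHA-256 and the first bytes, which often identify the family), and writes both to a JSON report you can keep with your backups or attach to a submission. The ransom note, the `.locked` extension, the process of building a throwaway victim directory and all file names are constructed for the demonstration; nothing here touches a live infection.

```python
"""Preserve the evidence in a ransom note and the encrypted files before any
clean-up tool runs. Added example for this article; not code from any vendor
or from No More Ransom. The note, extension and file names are constructed."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Indicator patterns: legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses,
# v2 (16-char) and v3 (56-char) onion services, e-mail addresses and URLs.
BITCOIN_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)


def extract_indicators(note_text):
    """Pull wallet addresses, onion services, e-mails and URLs out of a ransom note."""
    return {
        "bitcoin": sorted(set(BITCOIN_RE.findall(note_text))),
        "onion": sorted({m.lower() for m in ONION_RE.findall(note_text)}),
        "email": sorted(set(EMAIL_RE.findall(note_text))),
        "url": sorted(set(URL_RE.findall(note_text))),
    }


def inventory_files(root, encrypted_suffix, header_bytes=16):
    """Record path, size, SHA-256 and the leading bytes of every file carrying the
    extension the malware appended. The header often identifies the family and
    the hash lets you prove later that a decryptor was run on the same file."""
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*" + encrypted_suffix)):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            header = fh.read(header_bytes)
            digest.update(header)
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large files
                digest.update(chunk)
        records.append({
            "path": path.relative_to(root).as_posix(),
            "size": path.stat().st_size,
            "sha256": digest.hexdigest(),
            "header_hex": header.hex(),
        })
    return records


def write_report(note_text, root, encrypted_suffix, out_path):
    """Write indicators plus file inventory as JSON and return the report dict."""
    report = {
        "indicators": extract_indicators(note_text),
        "encrypted_files": inventory_files(root, encrypted_suffix),
    }
    Path(out_path).write_text(json.dumps(report, indent=2))
    return report


# Constructed ransom note; the addresses are placeholders, not real infrastructure.
SAMPLE_NOTE = """YOUR FILES HAVE BEEN ENCRYPTED!
Send 0.5 BTC to 1TestNoteWa11etAddrXYZ123456789ab or bc1qconstructedexampleaddress000000000
within 48 hours. Contact help@constructed-example.test or open
http://decryptorexample.onion/pay in Tor for instructions."""


def demo():
    """Build a throwaway victim directory (constructed), write the report into it and return it."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp)
        (victim / "docs").mkdir()
        (victim / "docs" / "report.docx.locked").write_bytes(b"\x00" * 8 + b"ciphertext")
        (victim / "photo.jpg.locked").write_bytes(b"ENCRYPTED\x00\x01garbage")
        (victim / "notes.txt").write_text("untouched file, must not be listed")
        (victim / "README_FOR_DECRYPT.txt").write_text(SAMPLE_NOTE)
        return write_report(SAMPLE_NOTE, victim, ".locked", victim / "evidence.json")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real machine by pointing `write_report` at the user profile, the extension the malware appended and a note file read from disk; write the report to removable media, not to the infected disk, so a later wipe does not take the evidence with it.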

Best ransomware removal tools 2018

1. Trend Micro Lock Screen Ransomware Tool

Trend Micro's tool is designed to detect and rid a victim of 'lock screen' ransomware, a type of malware that blocks users from accessing their PC and which, like all ransomware, attempts to force the victim to pay to get access back.

Trend Micro lays out two situations in which its tool is effective: first, when the PC's normal mode is blocked but safe mode is still accessible, and second, when the lock screen is blocking both normal mode and safe mode.

In the first scenario, users install the tool after bypassing the malware by booting the PC into safe mode, then launch it with a keyboard sequence. A screen should then appear offering a scan and clean option followed by a reboot.

In the second scenario, where safe mode cannot be accessed, Trend Micro's removal tool can be loaded onto a USB drive from an uninfected computer and run from that drive at boot.

Download here.

Trend Micro has built on its lock-screen protector with the Ransomware File Decryptor. While it is not guaranteed to get your files back, the families it covers include:

CryptXXX (V1, V2 and V3), TeslaCrypt (V1, V2, V3 and V4), SNSLocker, AutoLocky, BadBlock, 777, XORIST, XORBAT and CERBER.

Download the File Decryptor for free here

2. Avast anti-ransomware tools

Not all ransomware is the same or works in the same way. In most cases you'll have to find a decryptor made for the specific family that hit you.

Avast provides 21, which are listed here.

All of Avast's decryptors are free and check for other malware at the same time.

Additionally, Avast provides an installation and decryption wizard. It asks for one file in both its encrypted and its original form, compares the two and uses the pair to determine the password (key) the malware used. This is much quicker if you have backups, but if not, Avast will suggest locations on your system where unaffected copies of files may be found. Note that this only works for families whose key can be derived from such a known-plaintext pair, which is why each decryptor is tied to particular ransomware families.

Download here.
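To show why a wizard of this kind needs an original/encrypted pair, here is an added example (not Avast's code, and not the algorithm of any real family) using a toy ransomware "cipher" that XORs every file with the same repeating key. Against such a scheme the pair gives up the keystream directly (key = ciphertext XOR plaintext), and the recovered key then unlocks every other file; it also shows the failure mode a wizard reports when the sample file is too short for the key to have repeated. The key and the two "documents" are constructed for the demonstration, and nothing here recovers files protected with properly used AES or RSA keys.

```python
"""Why a decryption wizard asks for one file in both its original and encrypted
form. Against a family that XORs every file with the same repeating key, the
pair yields the key directly (key = ciphertext XOR plaintext), and that key then
unlocks every other file. Toy cipher and sample files constructed for this
article; not Avast's code and not any real family's algorithm. It recovers
nothing from files protected with AES or RSA keys."""
from itertools import cycle


def xor_with_key(data, key):
    """Encrypt or decrypt (XOR is its own inverse) with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(original, encrypted, max_key_len=64):
    """Derive the repeating key from one known original/encrypted pair.

    Returns the shortest period consistent with the pair, or None when the
    sample is too short to have seen the key repeat (the failure mode a wizard
    reports as 'please supply a larger file')."""
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies must be the same length")
    stream = xor_with_key(encrypted, original)  # the keystream the malware used
    for n in range(1, max_key_len + 1):
        if 2 * n > len(stream):
            break  # cannot confirm a period we have not seen twice
        candidate = stream[:n]
        if all(stream[i] == candidate[i % n] for i in range(len(stream))):
            return candidate
    return None


def decrypt_with_pair(original, encrypted, other_encrypted):
    """Recover the key from one pair and apply it to a different encrypted file."""
    key = recover_key(original, encrypted)
    if key is None:
        raise ValueError("sample too short to recover the key; supply a larger pair")
    return xor_with_key(other_encrypted, key)


# Constructed demo data: a 6-byte key and two 'documents' the toy malware encrypted.
DEMO_KEY = b"\x5a\x13\x9f\x42\xc0\x77"
ORIGINAL_A = b"Quarterly report, draft 3. Figures are provisional until audit."
ORIGINAL_B = b"Board minutes, 14 March. Attendees: chair, secretary, treasurer."


def demo():
    """Encrypt both files, recover the key from pair A, decrypt B. Returns (key, plaintext_b)."""
    encrypted_a = xor_with_key(ORIGINAL_A, DEMO_KEY)
    encrypted_b = xor_with_key(ORIGINAL_B, DEMO_KEY)
    key = recover_key(ORIGINAL_A, encrypted_a)
    return key, decrypt_with_pair(ORIGINAL_A, encrypted_a, encrypted_b)


if __name__ == "__main__":
    key, plaintext_b = demo()
    print("recovered key:", key.hex())
    print("decrypted B  :", plaintext_b.decode())
```

The same idea, with far more work, is behind real decryptors: a flaw in how a family generates or stores its key lets researchers turn a known pair, or a recovered key database, into a tool. Where the family uses a fresh random symmetric key per file and wraps it with the attackers' public key, the pair reveals nothing, and only the criminals' private key (or a seizure of it) helps.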

3. BitDefender Anti-ransomware

BitDefender's tool is intended to protect against infection by CTB-Locker, Locky, Petya and TeslaCrypt ransomware.

The company doesn't explain how the program works, but once loaded it should detect an infection as it commences, stopping it before any files are encrypted. The splash screen is clean and basic in feel, featuring a section that stops executables from running from certain locations and an option to turn on protection from boot. The company emphasises that the program is not intended as a replacement for antivirus but should be used in conjunction with it.

Download here.

BitDefender now offers a few extra decryption tools for getting your files back. It offers tools for Annabelle, BTCWare and GandCrab, plus a tool to help you work out which family or sub-version of ransomware has encrypted your data. Get the recognition tool here, and head here for the actual decryptors.

4. Kaspersky anti-ransomware tool

Kaspersky's tool is designed for small to medium-sized businesses and, like Bitdefender's, it aims to stop ransomware attacks before they disable your systems.

Kaspersky's anti-ransomware tool runs in the background and monitors system activity for anything that matches known ransomware behaviour or patterns. It is a good fit for businesses as it is free for commercial use and simple to navigate while offering a good level of protection. Kaspersky also provides a number of decryptors (see point 7, below).

Download here.

5. AVG ransomware decryption tools

With the tagline 'Hit by ransomware? Don't pay the ransom!', you'd expect a lot from AVG's decryption tools, and they do seem to deliver.

AVG provides decryption tools for a variety of ransomware, while also offering lots of resources and guides to walk you through a typical ransomware attack (depending on the type of ransomware, of course).

AVG's decryption tools are listed on its site; take a look and download here.

6. Malwarebytes anti-ransomware (formerly CryptoMonitor)

Previously one of the most dedicated utilities out there, CryptoMonitor was a real-time protection product that used two techniques to do its job, 'entrapment' and 'count protection'.

CryptoMonitor was acquired by Malwarebytes and renamed Malwarebytes Anti-Ransomware. The idea is that it prevents ransomware from encrypting your computer's files in the first place.

Like many of the products listed, Malwarebytes runs in the background and monitors activity on your system for suspicious patterns.

Download here.
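The two technique names above, and the behavioural monitoring described for the Kaspersky, Bitdefender and McAfee tools, are easier to judge once you have seen the logic in code. The following is an added example, not code from Malwarebytes or any other product on this page: I read 'entrapment' as planting a decoy file that no legitimate program should ever write to, and 'count protection' as blocking a process once it has modified too many distinct files inside a short window, and run both over a constructed event log. Process names, paths, thresholds and the trusted-process list are assumptions; a real product makes this decision in a filesystem filter driver so the write can be denied before it lands, where this script only flags and 'blocks' the process ID.

```python
"""Two host-based heuristics of the kind CryptoMonitor-style tools use, run over
a constructed event log: 'entrapment' (a decoy file that no legitimate program
should touch) and 'count protection' (a process that rewrites too many distinct
files inside a short window). Added example for this article, not code from
Malwarebytes or any other product named here; process names, paths and the
trusted-process list are assumptions."""
from collections import defaultdict, deque

# A decoy planted where ransomware enumerating Documents will hit it early (assumed path).
DECOY = r"C:\Users\ann\Documents\~$aaa_do_not_open.docx"
# Processes allowed to rewrite many files quickly (a backup agent, say). Too broad
# a list hides real attacks; too narrow a list gives the false positives the
# article notes for some products.
TRUSTED = {"backup.exe"}


class RansomwareDetector:
    def __init__(self, decoys=(DECOY,), trusted=TRUSTED, max_files=20, window=10.0):
        self.decoys = {d.lower() for d in decoys}
        self.trusted = {t.lower() for t in trusted}
        self.max_files = max_files
        self.window = window
        self.recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.blocked = set()
        self.alerts = []

    def observe(self, ts, pid, proc, op, path):
        """Feed one file event; returns the alert raised, or None."""
        if pid in self.blocked or op not in ("write", "rename", "delete"):
            return None
        # Entrapment: nothing legitimate touches the decoy, so block unconditionally.
        if path.lower() in self.decoys:
            return self._block(pid, f"entrapment: {proc} (pid {pid}) {op} on decoy {path} at t={ts}")
        if proc.lower() in self.trusted:
            return None
        # Count protection: distinct files modified by this pid inside the window.
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        touched = len({p for _, p in q})
        if touched >= self.max_files:
            return self._block(pid, f"count protection: {proc} (pid {pid}) modified "
                                    f"{touched} files within {self.window}s at t={ts}")
        return None

    def _block(self, pid, reason):
        self.blocked.add(pid)
        self.alerts.append(reason)
        return reason


def constructed_events():
    """A synthetic event log: (timestamp, pid, process, op, path). Constructed data."""
    events = []
    for i in range(3):      # Word saving the same document now and then
        events.append((20.0 * i, 900, "winword.exe", "write", r"C:\Users\ann\Documents\report.docx"))
    for i in range(50):     # trusted backup agent sweeping files quickly
        events.append((100.0 + 0.05 * i, 777, "backup.exe", "write", rf"D:\Backup\file{i}.bak"))
    for i in range(25):     # ransomware rewriting documents and appending .locked
        events.append((200.0 + 0.1 * i, 4242, "cryptor.exe", "write",
                       rf"C:\Users\ann\Documents\file{i}.docx.locked"))
    events.append((300.0, 5150, "unknown.exe", "write", DECOY))   # decoy touched
    return events


def run_detector(events, **kwargs):
    """Replay events through a detector and return it for inspection."""
    det = RansomwareDetector(**kwargs)
    for ts, pid, proc, op, path in events:
        det.observe(ts, pid, proc, op, path)
    return det


if __name__ == "__main__":
    for alert in run_detector(constructed_events()).alerts:
        print(alert)
```

Replaying the log with an empty trusted list blocks the backup agent too, which is the false-positive trade-off in miniature: the count threshold alone cannot tell a backup sweep from an encryption sweep, so products lean on process reputation and on decoys, which have no legitimate writer at all.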

7. Kaspersky Lab decryptors

Kaspersky Lab hosts a range of decryptors covering a large number of ransomware families. We've listed them with the ransomware they can decrypt. All are free and can be downloaded here.

Rakhni Decryptor

Decrypts files affected by Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman and Dharma ransomware.

Rannoh Decryptor

Decrypts files affected by Rannoh, AutoIt, Fury, Cryakl, Crybola, CryptXXX (versions 1, 2 and 3) and Polyglot.

Wildfire Decryptor

Decrypts files encrypted by Wildfire ransomware, which previously hit large numbers of victims in the Netherlands and Belgium.

CoinVault decryptor

Created in cooperation with The National High Tech Crime Unit (NHTCU) in the Netherlands, the CoinVault decryptor decrypts files affected by CoinVault and Bitcryptor ransomware.

Shade Decryptor

Decrypts files affected by Shade version 1 and 2.

Take a look and download here.

8. Webroot SecureAnywhere Antivirus

Webroot SecureAnywhere Antivirus uses behaviour-based monitoring to detect suspicious activity and can roll back changes made to files by a program it later judges to be malicious, if you are hit during a ransomware attack.

And while this product is an antivirus first, its added ransomware protection and built-in firewall means you'll get a pretty neat package. 

Webroot works by keeping a large database of known threats and querying it when monitoring programs. If a program is judged safe it takes no action; if not, it attempts to remove it from your machine. It's not free, though, with three subscription models available.

9. McAfee Ransomware Interceptor

McAfee is a well-known and trusted security brand, and its ransomware protection follows suit.

McAfee Ransomware Interceptor is good at blocking ransomware in real time and at adapting to new strains.

It can raise a few false detections, which is a bit annoying but nothing to worry about: better to be over-cautious than to miss a destructive threat.

This product is still a 'pilot' and now includes detection for the infamous WannaCry malware.

In addition to its protection tool, McAfee now offers the Ransomware Recover framework for free. It may not be much use to the average user, but it allows security professionals to plug decryption keys and logic for a family into an existing framework rather than developing a new tool from scratch. You can download it here.

10. No More Ransom

A special mention should go to the No More Ransom joint initiative that has enlisted various vendors and the expertise of Europol to deliver a consumer-facing anti-ransomware page. 

A joint project between Europol, the Dutch National Police (Politie), Kaspersky and McAfee, No More Ransom offers ransomware advice plus a 'Crypto Sheriff' tool: you fill out a form with the Bitcoin or Tor onion addresses, website URLs and emails from the ransom demand, and can upload encrypted files. No More Ransom then checks whether a solution is available and, if so, points you towards the tool that might be able to help.

As well as the vendors listed, other partners include ElevenPaths, which provides decryptors for SKrYPtEd and Popcorn.

Polish emergency response team CERT Polska, meanwhile, has a couple of decryptors available on its website as part of the No More Ransom project, one for Cryptomix and one for Mole. You can find the instruction PDFs and the decryptors themselves on the CERT Polska website here.