The recent BadRabbit ransomware outbreak mostly affected people in and near Russia, not so much the US, but don't let that make you complacent. Who knows where the next attack will hit? You need protection against ransomware, and your antivirus may not be enough. Trend Micro RansomBuster offers multiple layers of protection, and it's free for both personal and business use. However, our testing shows that the layers aren't all equally effective.

RansomBuster is available as a free download, and it's also a component in Trend Micro's antivirus and security suite products. Likewise, the standalone Cybereason RansomFree is also a component of Cybereason's full-scale security suite.

Like RansomFree and Malwarebytes Anti-Ransomware Beta—which is also free—RansomBuster is meant to be used alongside your standard antivirus. Both of those products focus on detecting ransomware based on its behavior; RansomFree strews bait files in strategic locations to help with its detection, as I'll explain. RansomBuster also includes behavior-based detection, but that's just one of its skills.

If RansomBuster detects even a faint possibility of ransomware activity, it makes a secure backup of the affected files. At the point that the possibility becomes a certainty, it terminates the ransomware and uses the backup to restore any files affected during its analysis. Check Point ZoneAlarm Anti-Ransomware(19.95 Billed Annually at ZoneAlarm) restores affected files in a similar fashion.

One very simple way to keep ransomware from encrypting files in your Documents folder (or other sensitive folders) is to simply ban all modification by unauthorized programs. You use your trusted word processor or image editor just as always, but the Folder Shield component prevents access by any unknown program. Bitdefender Antivirus Plus includes a similar feature, while Panda Internet Security even bans unknowns from reading your files.

Getting Started With RansomBuster

Installation is quick and simple. After installation, the program prompts you to select which folders you want to protect. The Documents folder comes preselected by default, but don't get too wild adding more folders. You'll quickly learn that this free edition can only protect two folders. That seemed like a major limitation at first. Later, I realized that simply selecting the C:\Users folder should protect most of your important documents.

Selecting those folders is the only configuration option; this is a very simple, focused program. Once you've made that choice, RansomBuster just runs in the background, requiring no further interaction unless it encounters an attack.

Testing Folder Shield

For a quick sanity check, I launched a tiny text editor that I wrote myself. This program exists nowhere but on my test PC, so it definitely qualifies as an unknown program. I attempted to modify some text files in the Documents folder. RansomBuster quite properly reported unauthorized access, giving me the option to block that access or add the program to the trusted list. After a short while, it automatically chose the block option. The same thing happened when I tried a simple, hand-coded program that simulates encrypting ransomware behavior.

Next, I brought out the big guns—six real-world ransomware samples. Initially, things looked good. Folder Shield blocked five of the samples, while behavior-based detection caught the sixth before it could even trigger a reaction from Folder Shield. I did observe that if you accidentally choose to trust a program that turns out to be ransomware, the behavior-based detection system also ignores it. Read those notifications carefully, and only trust programs that you're sure of.

A closer look revealed that things weren't entirely hunky-dory. One of the ransomware samples encrypted a file in a folder on the Desktop before getting caught by Folder Shield, because the Desktop wasn't protected. Another encrypted a dozen files in and below the Desktop folder, and dropped ransom notes in several of them. I did observe that the affected files were types most would consider less important. They included shortcuts, Help files, log files, and a couple of CSV files. My contact at Trend Micro confirmed that those types aren't among the almost 40 file types that the behavior-based detection system tracks.

Testing Behavior-Based Detection

Folder Shield can only protect the contents of two folders, but the behavior-based detection system aims to flag ransomware-like behavior no matter where it happens. For a test specific to behavior-based detection, I disabled Folder Shield and repeated my real-world ransomware tests. The results weren't pretty.

RansomBuster did nab three of the six samples. It called one of them suspicious, and terminated it before it could take any nefarious actions. It identified the other two as ransomware, listed the files that had been encrypted, and reported successful recovery.

However, the other three samples ran rampant, encrypting files right and left and displaying their ransom notes, all without a peep from RansomBuster. Tested with these same samples, ZoneAlarm detected all six and recovered all files. ZoneAlarm's only error? In one case it reported that it failed to restore all the files, when in truth it hadn't failed.

The ransomware protection built into Acronis True Image detected all but one of the samples, restoring any affected files from its secure online backup. RansomFree also detected all but one. Malwarebytes detected them all, but in one case the ransomware encrypted a few files before being neutralized.

Mixed Results

I appreciate the fact that Trend Micro offers RansomBuster for free. I just wish it worked better. Folder Shield is effective, but in testing the behavior-based detection didn't do well. If you're a big Trend Micro fan you might consider it. But if you're a big Trend Micro fan, you probably already have this protection in your antivirus or security suite.

Our Editors' Choice for ransomware protection is ZoneAlarm Anti-Ransomware. It's not free, but at $2.99 per month it won't break the bank, and it successfully defended against all our real-world ransomware samples. The free Malwarebytes Anti-Ransomware Beta also detected all the samples, though it lost a couple files to encryption, and Cybereason RansomFree successfully detected and blocked all but one. If you want to beef up your ransomware protection beyond what's built into your antivirus, one of these utilities is a better choice.

Best Ransomware Protection Picks

• The Best Ransomware Protection for 2020
• More Ransomware Protection Reviews

Further Reading

• The State of Ransomware Attacks
• DSLR Cameras Can Be Infected With Ransomware
• Ransomware Attacks on Businesses Are Skyrocketing
• Never Give Ransomware Scammers Your Money
• Ransomware Attack Strikes Baltimore City Government