RansomFree: protect your PC against ransomware

Martin Brinkmann
Dec 20, 2016
Updated • May 22, 2018

RansomFree is a new free program for the Microsoft Windows operating system to protect your PC against ransomware attacks.

The program is fully compatible with 32-bit and 64-bit versions of Windows 7 and newer, as well as  Windows server operating systems.

RansomFree needs to be installed on the target machine. The protection that it adds to the system is interesting, as it creates a number of files on the system that it monitors for changes.

These files use characters that place them at the top of the directory structure. The idea is that ransomware will parse for files using the same structure so that the created files will be targeted first by the attack.

The company behind the product believes that this is the best proactive way to detect ransomware on a PC at the earliest.


The folder name at the very least seems to be randomized during creation, and this is probably also the case for the files that are placed inside the folders the program creates.

Ransomfree places popular file formats, docx, doc, sql, xls and so on in the folder which are often targeted by ransomware attacks as they are - usually -- personal or work related.

Cybereason researched more than 40 ransomware strains, including Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber and identified the behavioral patterns that distinguish ransomware from legitimate applications. Whether a criminal group or nation created the program, all ransomware functions the same way and encrypts as many files as possible. These programs can’t determine what files are important so they encrypt everything based on file extensions.

The Ransomfree process runs in the background, and monitors the folder and files for changes. It will block any process that modifies folders or files that it monitors.

So, the theory is that it can block ransomware from infecting "real" files on the system through the use of honeypots. If that is really the case depends largely on the ransomware and how it operates.

The guys over at Bleeping Computer tested the security program against a limited set of ransomware -- Locky, Cerber and Globe -- and the program managed to stop the attacks dead in their track.

CyberReason, the company that is behind for RansomFree states that the program protects against more than 40 different ransomware families including stand-alone ransomware programs as well as so-called file-less ransomware which uses vulnerabilities and legitimate Windows tools such as PowerShell to carry out attacks.

The program supports detection on local drives but also on network drives.

Cyberreason created a demonstration video that shows how RansomFree operates

Closing Words

Security companies left and right started to create anti-ransomware solutions to better protect PCs against ransomware threats. The methods they use differ and so does their effectiveness. It is best to complement anti-ransomware tools with other means including backup creation and resident security solutions such as a properly configured firewall.

software image
Author Rating
3.5 based on 6 votes
Software Name
Operating System
Software Category
Landing Page

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Munak said on June 4, 2018 at 1:57 pm

    “These programs can’t determine what files are important so they encrypt everything based on file extensions.”

    I imagine that’s true, but I also imagine they could find important files based on many other factors, such as location, size, and system history info.

    Also, if these programs just target file extensions, then I could just change my file extensions, such as from somedumbmovie.mkv to somedumbmovie.phrak..

    This trick at least works for video as the file still plays in VLC and such. Regardless, I imagine most ransomware would not be fooled by this method, but IDK.

  2. Marc Soersken said on January 20, 2017 at 12:39 pm

    We’re using this software on our server to
    detect and block ransomware.
    The tool is freeware and available in german and english.
    You’ll find it here. Needs .net 3.5


  3. Adrian Kentleton said on December 31, 2016 at 12:10 pm

    I am concerned it is regularly connecting to the internet. Why? Will it not work unless that is allowed? I have blocked it via my firewall.

  4. Peter O said on December 21, 2016 at 5:25 am

    Not a sufficiently well researched article on this new program to persuade us that it’s genuinely effective & safe compared to other options.

  5. Av-Gurus said on December 21, 2016 at 12:10 am

    Doesn’t protect others drive then C:
    Tested that and files on drive D: get encrypted.

  6. Haakon said on December 20, 2016 at 7:14 pm

    I’m not seeing the “constantly connected” reported by clas.

    Every ten minutes cybereasonservicehost.exe connects for a 4.5kb exchange to s3-1.amazonaws.com or an IP in Amazon’s and CIDRs. (Remote points may differ depending on user local.)

    • My concern is Cybereason’s use of two unsigned Amazon libraries, AWSSDK.S3.dll and AWSSDK.Core.dll. And RestSharp.dll from the “RestSharp Community,” also unsigned.

    Otherwise, a wait-and-see on my Win10 test box.

    Looks promising if it can play well with others in a primary/layered schema (i.e. with Bitdefender Internet Security and WinPatrol WAR.)

    Thanks Martin!

    1. Haakon said on December 20, 2016 at 8:39 pm

      Forgot to mention: Cybereasons’ libraries are signed SHA-1 but FWIW Symantec.

  7. clas said on December 20, 2016 at 2:17 pm

    hi martin. as much as i like the premise of this program, after reading its disclaimers, i find that it is constantly connected in real time to its own servers monitoring my computer. to me that seems like its a spyware itself…watching everything i do and recording it. so for now, until i learn more about it, i will stick with the standard stuff, always sandboxed and somewhat reasonable in what i do.
    as always, thanks for the info. clas

  8. J0J0 said on December 20, 2016 at 12:07 pm

    Am I dreaming, or did my comment accidently [] vaporize? =l

  9. Karol said on December 20, 2016 at 11:33 am

    Isn’t enough using Sandboxie and a firewall with HIPS?

    1. J0J0 said on December 21, 2016 at 7:30 am

      Question :
      how does it go exactly, with ‘sandboxie’ (haven’tused such b4) I just install i, then choose to run chrome/ff on it and it’ll basically provide me that desired safe environment?
      Does it affect performance, at all??
      I already got slowness issues due to old & low specs, can’t afford anymore slowness on my pc :l
      Other than that, i do use common sense as much as possible =)

    2. DVDRambo said on December 21, 2016 at 6:01 am

      Yes. It is enough with today’s technology. I’ve used Sandboxie on six computers for over five years. It has contained all forms of malware that was picked up unknowingly on the web and webmail. When it is locked up, a hard shutdown and restart brings back a clean system. I set Sandboxie to always delete the sandbox, and use ccleaner as a backup cleaner. Sandboxie is awesome, it just has to be used all the time. With the paid version I have Chrome and Opera sandbox automatically. Only Edge really can’t be fully Sandboxed.

  10. Jojo said on December 20, 2016 at 9:46 am

    This will work until the rasomware companies add the honeypot files to their exclude lists. Of course, they own copies of software like this.

    1. Martin Brinkmann said on December 20, 2016 at 1:33 pm

      Right, the question is, will they put in the effort to bypass this security program that is probably only going to get installed on thousands of PCs? I can see them doing this for widely spread software but probably not for something unless it becomes a hit.

    2. Tom Hawack said on December 20, 2016 at 12:33 pm

      I think a major point is the one the article starts with,
      “The folder name at the very least seems to be randomized during creation, and this is probably also the case for the files that are placed inside the folders the program creates.”

      From there on, cat and mouse will continue the battle.

      At this time I’m relying on HitmanPro.Alert to keep the machine protected from cryptoware as well as other intruders.


  11. Jojo said on December 20, 2016 at 9:14 am

    8200 Whoot! Whoot!!
    P.S. Would you recommend all to use it Martin?

    1. Martin Brinkmann said on December 20, 2016 at 1:32 pm

      I don’t think it is necessary if you have a proper security setup and use common sense. But your Uncle Jim, whose computer seems to get infected with ransomware every other week or so, he may benefit from it.

      1. rob said on May 11, 2020 at 10:23 am

        Sir,, your review is very dated. ransomfree not avail, Litschi- no english.. you seem to completely miss the detail that all ransomware must call home for the payload. firewalls seen able to stop the request unless given permission. these omissions cause all of you reviewers to look like promoter/shills. am I missing something??? a big problem is- the firewalls don’t supply the source info for the file.
        thanks for your efforts.

      2. Jack Alexander said on December 21, 2016 at 7:12 am

        On my machine I have SyncBackFree and it is set to backup myDocuments at 5 am every day. This program prevents that from happening as well as a manual back-up. I recommend BitDefender Anti-Ransomeware. I haven’t noticed if it has any other bad effects on other programs. I removed it and put BitDefender back in.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.