
The JadePuffer campaign flagged by researchers this month is the first publicly documented ransomware family that makes its own operational calls: it fingerprints the box, picks targets from a shared model, and only reaches for a human operator when a payment negotiation opens. That shifts the pressure point for defenders. A signature-driven antivirus that runs after files are encrypted is already too late. The best apps for ransomware protection on Windows now behave like tripwires around user directories, roll back changes when a process starts touching too many files at once, and keep an off-device backup that never sees a mounted drive.
We looked at seven Windows tools that consumers and small studios can install today, judged on real-time behaviour analysis, rollback of encrypted files, tamper protection on the security agent itself, and the honesty of the free tier.
What to look for in a ransomware protection app
Behaviour blocking is the core feature. Everything else supports it.
- Controlled folder access that treats Documents, Pictures, and Desktop as protected zones by default.
- A rollback layer that keeps shadow copies out of the reach of a process the moment it starts mass-encrypting.
- Tamper protection that stops the agent, drivers, and settings from being killed by a privileged process.
- Offline or immutable backup of the vault, not just cloud sync that mirrors encrypted files onto OneDrive.
- Independent lab scores from AV-TEST and AV-Comparatives in the last testing round, not two years old.
- A clear position on telemetry, and a working uninstaller if the trial ends.
Quick comparison
| App | Best for | Free plan | Starting price/yr | Rollback |
|---|---|---|---|---|
| Malwarebytes Premium | Adding a behaviour layer on top of Defender | 14-day trial | Annual subscription | Yes |
| Bitdefender Total Security | Top lab scores with a light footprint | 30-day trial | Annual subscription | Yes |
| ESET Smart Security Premium | Low false positives on developer machines | 30-day trial | Annual subscription | Limited |
| Kaspersky Standard | Legacy detection engine with strong heuristics | 30-day trial | Annual subscription | Yes |
| Sophos Home Premium | Managing family PCs from one console | 30-day trial | Annual subscription | Yes |
| Acronis Cyber Protect Home Office | Bundling backup with anti-ransomware | 30-day trial | Annual subscription | Yes |
| HitmanPro.Alert | Second-opinion scanner alongside your main AV | 30-day trial | Annual subscription | Yes |
The apps
1. Malwarebytes Premium
Malwarebytes Premium runs its Ransomware Protection module as a dedicated behaviour engine that watches for the two patterns JadePuffer and its predecessors share: sequential file rewrites in user folders, and rapid entropy shifts that mean an encryption stream just started. When it fires, it kills the process and rolls back changes from a local shadow. It plays well with Windows Defender if you leave Defender enabled, and its exclusion list is easy to reach when a compiler or a video encoder trips a false positive.
Where it falls short: the free version does not include the real-time layer at all, so a lapsed subscription drops you back to on-demand scans only. The rollback window is short compared with dedicated backup tools.
Pricing:
- Free: on-demand scanner only
- Paid: annual subscription, per-device tiers
Download: malwarebytes.com
Bottom line: the pick if you want a light second layer on top of Windows Defender without swapping your whole security stack.
2. Bitdefender Total Security
Bitdefender consistently posts top scores at AV-TEST and AV-Comparatives for real-world protection and low false positive rates, and its Advanced Threat Defense module scores individual processes on behaviour rather than signatures. The Ransomware Remediation feature keeps working copies of files inside protected folders, so an attack that gets past the block still rolls back cleanly. The security agent itself is well-hardened against tamper attempts, which matters when the attacker owns SYSTEM.
Where it falls short: the UI has grown into a full home-security suite, so the ransomware controls sit two menus deep. The bundled VPN caps daily traffic on the base tier.
Pricing:
- Free: 30-day full trial
- Paid: annual subscription with multi-device tiers
Download: bitdefender.com
Bottom line: the strongest all-around pick if you want one product to replace Defender rather than layer on top.
3. ESET Smart Security Premium
ESET has a long track record of low false positives on developer and creator machines, which is exactly where behaviour blockers usually misfire. Its Ransomware Shield module hooks into process launches and file operations, and the exploit blocker adds a second layer around browsers and Office apps that ransomware crews still lean on for delivery. The password manager and secure browser bundled with the premium tier are useful add-ons.
Where it falls short: rollback of encrypted files is limited compared with Bitdefender or Acronis. If a process slips through, ESET stops it but the recovery step falls back to your own backup.
Pricing:
- Free: 30-day trial
- Paid: annual subscription with multi-device tiers
Download: eset.com
Bottom line: pick ESET on a machine that runs compilers, IDEs, or creator tools all day and cannot tolerate constant false positives.
4. Kaspersky Standard
Kaspersky still runs one of the most mature detection engines in the industry, and its System Watcher module rolls back file changes when a process is flagged as malicious. It scores well in independent lab tests every cycle. The interface is calm, the default settings are sensible, and its heuristics historically catch novel ransomware families early.
Where it falls short: the political situation around Kaspersky is a real consideration for US government buyers and some enterprises; consumer use in most regions is legal but organisations should check policy. The bundled features on the Standard tier are lean compared with premium suites.
Pricing:
- Free: 30-day trial
- Paid: annual subscription
Download: kaspersky.com
Bottom line: technically strong, worth checking against local guidance before installing on a work machine.
5. Sophos Home Premium
Sophos Home was born as an enterprise product retrofitted for households, and the console keeps that DNA. From a browser dashboard you can manage protection on up to ten machines, push settings changes, and see which endpoint tripped which rule. Its CryptoGuard behaviour engine is the same code Sophos ships to enterprise customers, and it rolls back encryption when it fires.
Where it falls short: the interface on the endpoint itself is minimal by design; management lives in the cloud console. That is a plus for parents managing family PCs and a downside for anyone who wants everything local.
Pricing:
- Free: 30-day trial
- Paid: annual subscription for up to 10 devices
Download: sophos.com
Bottom line: pick this to run cover for family members on other PCs from your own dashboard.
6. Acronis Cyber Protect Home Office
Acronis is the outlier on this list because it bundles a full disk-imaging backup engine with behaviour-based anti-ransomware. That combination matters because the strongest recovery from a ransomware hit is a clean image restored from before the attack. Active Protection watches for the same suspicious file activity the others do; if a process gets flagged, Acronis restores affected files from its own backup stream rather than a Windows shadow copy.
Where it falls short: the anti-malware detection layer is not quite at the top-tier lab scores of Bitdefender or Kaspersky. The subscription includes cloud storage, which raises the price above pure-play AVs.
Pricing:
- Free: 30-day trial
- Paid: annual subscription with cloud storage tiers
Download: acronis.com
Bottom line: the pick when you want backup and anti-ransomware from one vendor and one subscription.
7. HitmanPro.Alert
HitmanPro.Alert does not replace your main antivirus. It is a second-opinion behaviour scanner from the Sophos team that focuses narrowly on exploit prevention and CryptoGuard-style rollback. That narrow scope is the point: it is small, it runs quietly next to Defender or a paid suite, and it will fire when a novel ransomware family evades the primary layer.
Where it falls short: on its own it is not a full antivirus. The interface is spartan and aimed at technical users. Reporting is minimal, which is fine as a supplement and awkward if it is the only tool.
Pricing:
- Free: 30-day trial
- Paid: annual subscription per device
Download: hitmanpro.com
Bottom line: the sidecar pick for a technical user who already runs a main AV and wants an independent behavioural layer.
How to pick the right one
- If you want the lightest add-on to Windows Defender: Malwarebytes Premium.
- If you want one product to replace Defender: Bitdefender Total Security.
- If your PC runs compilers or creator tools that trip most AVs: ESET Smart Security Premium.
- If you want backup and ransomware protection in one subscription: Acronis Cyber Protect Home Office.
- If you manage several family PCs: Sophos Home Premium.
- If you want a paranoid second layer on top of your main AV: HitmanPro.Alert.
- If you already run a strong AV, budget matters, and you like the detection engine: Kaspersky Standard, subject to local guidance.
FAQ
Is Windows Defender enough against modern ransomware?
Defender has closed the gap considerably and now includes Controlled Folder Access. On its own it is a real defence, but every autonomous ransomware family in the last two years has been observed evading at least one endpoint product on first release. A second behavioural layer, or a full replacement AV, materially raises the bar.
Does anti-ransomware slow down gaming or heavy workloads?
The mainstream suites (Bitdefender, ESET, Kaspersky) all ship gaming or silent modes that pause scans while a full-screen app runs. Behaviour blockers add negligible CPU cost. Disk-imaging backup during a scheduled window is the main workload cost.
Can ransomware get past all of these tools?
Any behaviour-blocking layer can be bypassed if the attacker gets SYSTEM early enough. That is why rollback, immutable backups, and offline copies matter as much as detection. Treat the security agent as one control among three: prevention, rollback, and cold backup.
What is different about autonomous ransomware like JadePuffer?
Traditional ransomware needed a human operator to pick targets and negotiate. Autonomous families use a local model to fingerprint the environment, prioritise files, and time the encryption, which shrinks the window between initial access and encryption. Faster detection loops and pre-attack rollback matter more against this class.
Should I pay the ransom if I get hit?
Public guidance from the FBI, NCSC, and every major DFIR firm is not to pay. Payment funds the next campaign, does not guarantee decryption, and does not restore evidence needed for insurance or law enforcement. Restore from a clean offline backup instead.