How Emsisoft prevents ransomware attacks

Emsisoft is a global leader when it comes to combating ransomware. We’re an Associate Partner of the No More Ransom Project. Our free decryptor tools have saved ransomware victims hundreds of millions of dollars in ransom payments.

We also recognize that stopping ransomware starts with protecting the user. That’s why our protection solutions feature a range of ransomware-specific technologies that work in synergy to reliably detect ransomware before it can encrypt your files. This is particularly important now that backups are no longer the ransomware panacea they once were, thanks to the rise of double extortion

In this blog post, we’ll explore Emsisoft’s ransomware protection layers and how they work to protect our users from both known and unknown ransomware families.

1. Signature-based detection

In the digital world, all objects have specific attributes that can be used to create a unique digital signature. When an object is identified as malicious, its signature is added to a database of known malware, which cybersecurity companies use to detect potential threats. When your Emsisoft protection solution comes across a file on your system with a signature that matches a known malicious signature, the file is flagged as a threat and blocked.

Our signature databases are constantly being updated to ensure our users are protected against emerging threats. Thanks to our intelligence-gathering networks and exclusive partnership with ID Ransomware, we’re often among the first in the industry to provide signature-based detection for new ransomware variants.

2. Anti-Ransomware behavior-based detection

While signature-based detection is excellent at stopping known ransomware, it is unable to detect new ransomware variants that have never before been seen in the wild (and therefore don’t exist in any signature database).

This is where behavior-based detection comes in. Behavior-based detection, such as Emsisoft’s Behavior Blocker, works by detecting unusual patterns of behavior and stopping suspicious programs before they can make any changes to your system. Our Behavior Blocker includes a dedicated Anti-Ransomware layer that looks for ransomware-specific behavior and stops threats before they can encrypt the first file. There are many actions or combinations of actions that could indicate the presence of ransomware, including the encryption of a large number of files, the dropping of ransom notes, attempts to encrypt or delete backups and more.

Because there are only a certain number of ways malware can behave, the Behavior Blocker can reliably detect almost any type of malware, even without receiving frequent online updates.

3. Exploit detection

The ransomware attack chain often begins with the exploitation of security vulnerabilities in your operating system or software. After the initial compromise, bad actors typically deploy reconnaissance malware to learn more about the target environment, spread laterally and steal sensitive data before deploying the ransomware in the final phase of the attack.

Emsisoft’s exploit detection systems interrupt the attack chain before bad actors can gain a stranglehold on your system. It achieves this by preventing exploits from injecting code into foreign programs to execute harmful payloads and reducing the attack surfaces of commonly targeted applications (e.g. preventing Microsoft Office from being able to execute dangerous PowerShell scripts). Exploit detection ensures that ransomware is detected and blocked in the early stages of the attack, regardless of the infection method, be it email, RDP or unpatched vulnerabilities.

4. Password protection

Ransomware is typically deployed some days, weeks or even months after the target system has been compromised. Attackers use this time to perform reconnaissance, establish a stronger foothold and prepare the target environment to maximize the impact of the attack. Part of this process involves disabling security processes, which ensures that the ransomware will be able to operate undetected and unimpeded when it is finally deployed.

Emsisoft solutions feature an authentication system that prevents threat actors from deactivating your antivirus software. Once an administrator password has been set, users will be prompted to enter the password any time they try to disable or configure our software. In this way, threat actors are unable to shut down our security software – even if they’ve managed to gain unauthorized access to your network.

While admin passwords can be set locally on endpoints, we strongly recommend using the Emsisoft Management Console. See this blog post for more information.

5. RDP attack alert system

RDP is one of the most common ransomware attack vectors. During an RDP-based attack, threat actors typically scan for Internet-exposed RDP ports and attempt to gain access to the system using brute-force tools. Once the account has been compromised, the attacker can do anything within the hacked account’s privileges.

Emsisoft solutions help prevent RDP attackers by monitoring the RDP service in real-time. When multiple failed login attempts are detected, our RDP attack alert system notifies administrators, who can investigate and decide whether to disable RDP on the affected device. The RDP service status can be easily viewed within the Emsisoft Management Console.

See this blog post for more information on how to secure RDP.


Emsisoft solutions feature multiple layers of ransomware-specific technologies that work together to detect and stop ransomware before it can encrypt your files.

It is important to note that this article only discusses Emsisoft’s ransomware-specific technologies and does not include all of the other protection layers found in our software – many of which can also directly or indirectly reduce the risk of ransomware infection. See this blog post for a full rundown of all the layered security elements in our protection software.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial




Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next