Editors' Note: Shortly after we published this review, Data443 Ransomware Recovery Manager was pulled from the market. If it becomes available again, we will retest it and update this review accordingly.
When something catastrophic happens, you may wish you could roll back time to before the event and prevent it. It doesn’t work in real life, but with Data443 Ransomware Recovery Manager (formerly offered as SmartShield Home), you can come close. When you reboot, it restores your PC to a previous malware-free state, wiping out any changes except your own documents, pictures, and so on. Of course, this tool can’t claw back any data that malware already exfiltrated from your system—it only reverts your PC, not the outside world. Also, malicious changes in folders you've exempted from its ministrations can't always be reversed, though it does its best to reverse the effects of ransomware. Unfortunately, that ransomware protection didn’t prove out in our hands-on testing.
How Much Does Data443 Cost?
At one time I tracked 10 distinct ransomware-specific security utilities, half of them entirely free. That field has shrunk considerably, and the survivors all charge for their services.
With most security products you pay an annual subscription fee. Some offer a monthly subscription, good for short-term use but more expensive over the course of a year. Data443 Ransomware Recovery Manager goes for $6.25 per quarter, or $25 per year. There’s no volume discount; if you want five installations, you pay the price five times.
A single license for ZoneAlarm Anti-Ransomware will run you $34.95 per year, about $10 more, but if you need multiple installations, ZoneAlarm is cheaper. The three-license price of $44.95 per year comes out to just under $15 per license. And at $94.95 for 10 licenses, each installation costs just $9.50.
NeuShield Data Sentinel costs slightly less than Data443 Ransomware Recovery Manager, at $23.99 per year. As with ZoneAlarm, the per-device price drops with volume discounts. You pay $59.99 for three licenses or $79.99 for five.
At just $15 per year, CryptoPrevent Premium seems less expensive than the rest. However, it, too, doesn’t offer volume discounts, so its low-price leadership dwindles as you add more devices to protect. In addition, it fared very poorly in our testing.
I should note that you have the option to bundle Data443 Antivirus Protection Manager with your purchase for $24 per year (no quarterly pricing here). However, this antivirus is a licensed product, not a creation of Data443. In this review I’ll focus strictly on the ransomware protection utility.
Getting Started With Data443
Before you even think about installing Data443 Ransomware Recovery Manager, you absolutely must make sure that you're starting with a clean PC. Otherwise, this tool’s rollback-on-reboot feature will roll you back to an infested state. Even if you have antivirus protection installed (and you should!), consider getting a second opinion by scanning with a free cleanup-only tool such as Malwarebytes Free.
Note, too, that this product strictly supports Windows 10 and Windows 11. No antique operating systems need apply.
On my test system, the installer made a point of bringing in some prerequisites, files related to Microsoft’s .NET framework. You’ll create a passphrase during installation, one that you’ll have to enter every time you turn protection on or off. I won’t fault you if you choose the minimum length, three characters.
When the installation finishes, you must reboot. As you’ll see, this is the first of many times you’ll reboot the system.
Your new installation necessarily starts off disabled. Before enabling protection, you should take care of some configuration business. Click Manage to view the list of Working Folders. Files in these folders aren’t affected when you reboot back to a previous state (I’ll explain further below). Most users should just click Add Defaults, which populates the list with Desktop, Documents, Favorites, Music, and Pictures for each user account. If you store your work in other locations, add those too. Click Save when done.
Now you’re ready to turn on protection. Click the large, red Data443 icon, enter your passphrase, and reboot. When it comes back, that icon will be green, and you’ll be protected.
How Data443 Works
When Data443 Ransomware Recovery Manager is enabled, it virtualizes all changes to the file system and Registry. Programs don’t know the difference. They work just as they would without it. However, when you reboot, all those changes vanish. At the core, it's as simple as that.
Of course, if you just finished editing a totally brilliant viral video, only to have it vanish on reboot, you wouldn't be too happy. That's the point of defining Working Folders; files you save in these folders don’t get discarded.
You may have used a commercial version of this product (or one of its predecessors) without realizing it. Did you ever use a public computer kiosk in a hotel lobby to do some task such as print your boarding pass? Many of those kiosks—two million of them, according to the company—are automatically sanitized after use by the commercial version. Libraries are another big venue. The company has received a US patent for this technology.
Change Your Habits
When you rely on Data443 Ransomware Recovery Manager for protection, you must remember that it performs its Groundhog Day magic only when you reboot the computer. If the PC just goes into sleep mode, there’s no cleanup. Also, protected backups of files in your Working Folders continue to accumulate until the next reboot. As my contact at Data443 explained, “While a reboot periodically will help with reducing the number of files that accumulate to be restored, it is not as critical as it was in the past.”
Installing new software on a protected system is a multi-step process. First, disable protection and reboot. Second, install the software. Third, re-enable protection and reboot again. You go through a similar process to install Windows updates.
Note, too, that your browsers and other programs often ask to install updates for security or improved features. Your best bet is to set aside some time every week to make sure everything gets necessary updates. Disable Data443 Ransomware Recovery Manager and reboot. Launch your browsers and make sure they get any needed updates. Check browser extensions, as they, too, get updates. Many programs include a menu item to check for updates; find and click all those.
During this update-fest, don't do anything else on the computer that might expose you to malware. Don't visit websites. Don't check email. Don't plug in any USB drives. Do nothing but install updates. When you're done, enable Data443 Ransomware Recovery Manager and reboot. Once you get used to this regimen, it shouldn't take long.
What About Your Antivirus?
You could rely entirely on Data443 Ransomware Recovery Manager for malware protection, figuring that a reboot will discard any infestation, but that’s an iffy proposition. If a Trojan is sitting in the background siphoning off your personal data or manipulating your financial transactions, you may not know you need to reboot. The same is true if you have a bot waiting for instructions from its command and control server. Without real-time antivirus protection, malware could own your computer, right up to the moment you reboot. Using this product alongside a more mainstream antivirus makes sense.
But there’s a problem. Modern antivirus programs include techniques like heuristic analysis and behavior-based detection to catch the wiliest malware, but most still include a simple, signature-based detection system, to handle the simple-minded malware that’s still making the rounds. That means they rely on signature updates that come in anywhere from several times an hour to once a day. If rebooting resets your antivirus to using old signatures, that’s a problem.
When I asked about this apparent problem, my contact at Data443 explained that antivirus products get special treatment, so their updates aren’t wiped out. “We allow them to update and run,” he said. “If there is one that we have missed, we will add their local store to our repository.” Of course, you should include the antivirus in your periodic update regimen, to manage any updates to the program itself.
File Recovery Fiasco
It’s easy enough to verify that rebooting resets the system to an earlier time. I installed a few programs, changed the desktop wallpaper, and made a few other visible changes. After a reboot, the wallpaper changed back and the programs I had installed vanished.
Files in the folders you’ve added to the Working Folders list shouldn’t be affected by a reboot. I verified that I could edit a file, reboot, and retain my edits. However, other files were affected fatally. Out of all files I created after installing this product, around a third were transformed into folders after a reboot, and this problem was easily repeatable. There was no ransomware involved. And of course, all data contained in the files-turned-folders was lost. In a much less fraught side-problem, any new files I created from the right-click New menu got renamed back to, for example, “New Text Document.txt” after reboot.
I asked my Data443 contact about this debacle. He responded, “We definitely continue to see flakiness on VMware under certain conditions.” Yes, destroying the files you’re supposed to protect is flaky behavior. Some might use a stronger word. Do not use this product in a virtual machine! As for the oddity with renamed files, that’s something they’re working on. Since no data is lost, it’s less of a worry.
Given the problem with virtual machines, I repeated my recovery test on the physical PC that I use for things like performance testing. Here I ran into a different problem. This PC normally takes less than 15 seconds to reboot. With Data443 Ransomware Recovery Manager installed, I let it spin for 15 minutes displaying the message “Restarting” before giving up and forcing a hard reboot. This happened repeatedly. When it did boot into Windows, it frequently came up unresponsive, with the Desktop and Taskbar empty. In every case I did manage to get through the reboot process, but it was 4 to 5 minutes of manual labor rather than a simple click. On the plus side, there was no sign of the bug that transformed files into folders.
NeuShield Data Sentinel handles recovery in a somewhat similar fashion. It snapshots the system periodically and lets you revert to the latest snapshot by invoking One-Click Restore. This does eliminate all changes made since the snapshot, which can cause its own problems. But I didn’t have anything like the problems that arose with Data443 Ransomware Recovery Manager.
Testing Ransomware Protection With Data443
The only reliable way to evaluate ransomware protection is to release real-world ransomware and see what happens. And the only safe way to do that is in a virtual machine. I determined that files already present before installation of the protective software weren’t affected by the bug I discovered, so I proceeded with some hands-on testing in my standard virtual machine testbed.
At present, I have 11 working ransomware samples from the wild. Of these, 10 are the standard file-encrypting type, while one works by encrypting the whole disk. The disk encryptor performed as expected, faking a blue-screen error and rebooting the system. After reboot it would normally encrypt the drive while pretending to repair it. No such luck, Petya! Rebooting brought the system back to safety. One of the file-encryptors just wouldn’t perform, no matter how tasty the smörgåsbord of files I exposed. That left nine virulent samples for testing. And the results weren’t entirely pretty.
In four of the nine cases, the security software reported suspicious activity and requested a reboot. I confirmed that if you ignore the request, it reboots regardless after a set timeout. The malware was eliminated, and I didn’t lose any files. In one case, several encrypted files remained present even after Data443 Ransomware Recovery Manager recovered their unencrypted originals from its secret storage. Something similar happened with ZoneAlarm, except that in ZoneAlarm’s case there were sometimes thousands of encrypted files alongside the recovered ones.
As for the other five ransomware samples, they did their dirty deeds just as if no protective software had been installed. Each one ran to completion, encrypting important files, and stuck out a virtual hand demanding ransom.
Rebooting wiped out the ransomware itself but left documents and other files encrypted. I wondered about the possibility of manually triggering Data443 Ransomware Recovery Manager’s recovery system at this point. Asked if there’s a way to do this, my company contact replied, “Currently no, there is not—but this feature is being looked at for a future release.” Judging from my experience this would be a very welcome feature.
Is Wiping the Slate Clean the Best Option?
When you reboot a computer that's protected by Data443 Ransomware Recovery Manager, every file and Registry change that occurred since the last reboot gets swept away, bringing the system back to a clean state. Folders containing user data are exempted from this process, so you don’t lose your work. Data443 Ransomware Recovery Manager can't reverse malware interactions with the outside world, though, and malware-related activity in those exempt folders can't always be reversed. If a bot, Trojan, or virus infests the protected system, it will have free rein until the next reboot. In our virtual machine testing, a simple reboot damaged files the product was meant to protect. In a physical test system, the product interfered with the reboot process. And when challenged with real-world ransomware, it missed half the samples. For these reasons, we can’t recommend Data443 Ransomware Recovery Manager at this time.
In the small field of dedicated ransomware protection products, we’re not currently declaring an Editors’ Choice winner. However, both ZoneAlarm Anti-Ransomware and NeuShield Data Sentinel have proved effective in testing.