clock menu more-arrow no yes

Filed under:

How to protect your PC from ransomware using Windows’ built-in protection

It may take a bit of work to use, but that could end up being very worth it

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

An illustration of a laptop with three locks, a key, an at sign, a key and colorful pixels all randomly placed around the image. Illustration by Maria Chimishkyan

Ransomware — malware that prevents you from accessing your files unless you pay the hacker that infected your computer — has been an issue plaguing computer users and businesses for years. Given its prevalence and the fact that a ransomware infection can lead to the loss of valuable files like documents or family pictures, it’s a good idea to make sure you’re protected. Starting with Windows 10, Microsoft has added features to its built-in Windows Security software that can help keep your computer safe from ransomware.

As far as ransomware is concerned, there are two levels to Windows Security. The first consists of malware scans, which are on by default, and which you can learn more about here. While this will work to keep ransomware from being installed on your computer, if a piece of malware does manage to slip by, the scans won’t be able to protect your files.

The second level is Windows’ ransomware protection, which you have to turn on manually. However, before you do, it is worth noting that this feature is not on by default for a reason. It works by only letting approved apps make changes to your files — which, in theory, prevents ransomware from encrypting them and locking them away. This, however, can cause some problems with apps that aren’t expecting it, so you may have to do some occasional trouble-shooting if you’ve got ransomware protection turned on.

As a result, as we go over how to enable ransomware protection, it’s worth keeping in mind that there will probably be some tinkering involved with this process.

How to turn on ransomware protection

Windows’ built-in ransomware protection is included in its security app. To get to it, either search “Windows Security” from the start menu or go to “Settings”> “Privacy & Security”> “Windows Security.”

Once you’re in Windows Security, go to “Virus & threat protection,” either by clicking the tile or the button in the sidebar on the left.

To turn on ransomware protection, go to “Virus and threat protection” and click “Manage ransomware protection.”

Click on the “Manage ransomware protection” link to get to the Ransomware protection page.

From there, you can turn on a feature called “Controlled folder access,” which will make it so that unapproved apps won’t be able to make changes to your documents, pictures, videos, or music folders.

Switching on the “Controlled folder access” feature ensures that unauthorized apps can’t make changes to files in certain protected folders.

How to adjust Controlled folder access

Once you switch Controlled folder access on, you’ll see three more control panes: “Block history,” “Protected folders,” and “Allow an app through Controlled folder access.” By default, Controlled folder access will only allow a list of approved apps to make any changes to files in the Documents, Pictures, Videos, and Music folders on your computer. These apps let you tweak how the system works.

You can, for example, add other folders that you want to protect using the “Protected folders” screen and manage which apps are allowed to make changes to protected folders using the “Allow an app through Controlled folder access” screen.

Here’s what you can do.

The “Ransomware protection” panel.

Block history

According to a statement in one Windows security page, apps “determined by Microsoft as friendly” will always be allowed to make changes to your protected folders, but that doesn’t mean that every app you’ll want to use will be allowed by default. If you see a weird error popping up after turning on Controlled folder access (one common error I found during testing was getting a “This file cannot be found” message when trying to save a file), you may want to check “Block history” to see if Windows Security has been keeping that app from making changes.

The block history screen shows you which apps have tried to write to protected folders.

“Block history” lets you see what app was blocked and what folder it was trying to write to. If it’s the app you’ve been having issues with, you’ll want to add it to the list of programs that can make changes. (We’ll go over how to do that in a moment.)

An example of the types of errors you may encounter: FireFox’s download screen said the file I was trying to save could not be found.

Protected folders

If you want to protect additional folders from ransomware, like your Desktop folder (which isn’t protected by default), you can select “Protected folders” and click the “Add a protected folder” button.

Adding a folder to the protected folder list will keep apps from writing to it without permission.

From there, you can navigate to the folder you want to protect and click the “Select Folder” button.

Chose the folder you want to protect, then click the “Select Folder” button.

You can remove protection from custom-added folders (but not the default ones) by going back to the “Protected folders” screen, clicking on the folder you added, and clicking the Remove button.

Allow an app through controlled folder access

If you’re having problems using an app and want to add it to the allowed list of apps, go back to the “Ransomware protection” page and select “Allow an app through Controlled folder access.”

After clicking on the “Add an allowed app” button, you can click “Recently blocked apps” to see a list of the apps that have recently tried to write to your protected folders.

Clicking “Recently blocked apps” gets you a list of the apps that have tried and failed to make changes to your files.

You then click on the plus button next to its name to unblock it.

Clicking the plus button next to an app’s name will let it make changes to files in your protected folders.

While you should only have to do this process once per app, it can be frustrating. You can turn off Ransomware Protection at any time, but if you believe that you’re at high risk for infection and don’t have backups, you should think carefully before doing so.

Additional ways to protect yourself

While Windows’ ransomware protection is a powerful built-in tool, it’s probably not a good idea to rely on it as your only defense — as with all anti-malware systems, it should be treated as a safety net rather than your first line of defense. Here are some of the things you can do to avoid getting a ransomware infection in the first place and to make sure that your data is safe even if the worst were to happen.

Be careful online

As with any malware, ransomware can spread through a variety of ways, such as being attached to phishing emails, exploiting security holes in out-of-date software, or masquerading as an actually useful program. When you’re online, it’s important to stay vigilant — if someone is trying to get you to download a program from an untrusted source that seems too good to be true, proceed with extreme caution.

It’s also important to check the extensions of files you’re sent. If someone claims an attachment is a document, but it has a .exe or .msi extension, that file is likely dangerous. If you can’t already see the file’s extension, you can right-click on it, then click “Properties.” Windows will tell you what kind of file it is next to the “Type of file” heading.

Microsoft’s guide to protecting yourself from ransomware lists some of the things that can lead to your computer being infected:

Visiting unsafe, suspicious, or fake websites.

Opening file attachments that you weren’t expecting or from people you don’t know.

Opening malicious or bad links in emails, Facebook, Twitter, and other social media posts, or in instant messenger or SMS chats.

Keep your software updated

It’s also important to make sure that your operating system and any software you use regularly have the latest security patches. Most browsers will update themselves automatically, and Windows usually also installs updates as they become available. To manually check for updates, go to “Settings”> “Windows Update” and click the “Check for updates” button.

You can update any apps installed through Windows’ built-in store by going to the Microsoft Store app, clicking the “Library” button in the lower left-hand corner, and then clicking the “Get Updates” button to find any available updates. You can also click the “Update” button on individual apps or the “Update all” button at the top of the page.

Make sure to have backups

While using ransomware protection and having safe browsing habits can help keep you safe, no system is perfect. It’s important to have a backup of your computer’s files so that if you do end up infected by ransomware, you don’t lose your most valuable photos, videos, or documents. Backups can also keep you from losing data if your computer is physically damaged, lost, or stolen.

You can read our guide on how to back up your computer here. If possible, it’s best to have two different forms of backup: one local and one in the cloud. However, having any kind of backup is much better than not having anything at all.

What to do if your computer is infected with ransomware

If all your protections have failed, and you discover that your computer is infected with ransomware, there are three important steps to take:

  1. Disconnect your computer from Wi-Fi or ethernet — some ransomware can spread to other computers connected to your network, and it’s important to limit the damage.
  2. Don’t pay the ransom — doing so could be illegal, depending on where the hackers trying to extort you are located, and paying does not guarantee that you’ll actually get access to your files back.
  3. Don’t plug in your backups if you have them — the ransomware will very likely attempt to destroy those files as well.

Microsoft recommends attempting to do a full scan of your computer using Windows Security. (Another good app to try is Malwarebytes, which is well-known for its ability to scrub a computer of malware and is free for personal use.) If neither of those work, you may need to fully reset your PC.

Finally, if you don’t feel confident that you can remove the ransomware yourself, take your computer to a professional — it’s best to make sure that it’s fully clean before trying to recover your backups.