Ransomware - want your data back?

Microsoft added built-in ransomware protection to Windows 10 two years ago. When you check, you’ll find it’s not turned on. This will seem strange. It should be a good thing to stop ransomware, right? Here’s why you’ve never heard of it and why you probably won’t turn it on.

It will help if you have some background about how ransomware works; then I’ll tell you about the difficult bits in the Windows ransomware protection that make it hard to manage for non-tech people.


How does ransomware work?

This is a very brief and very general explanation of how ransomware works. There are lots of variations, but this is close enough.

Ransomware is delivered by a program that runs on your computer – maybe you click on a malicious email attachment or download an evil program masquerading as a video of a puppy making the most adorable face as it’s being swallowed by a python. Or whatever it is that you folks click on – I don’t really understand popular culture these days.

Ransomware - sample lists of file extensions

The program looks through your hard drive for your files, searching for a long list of file extensions – all the obvious ones like Word .DOCX, Excel .XLSX, and pictures .JPG, but also dozens more to cover virtually anything that you’ve created and saved. The ransomware encrypts those files, usually also renaming them with an alphabet soup encrypted name. Once the encryption is complete, the ransomware program displays instructions about how to pay the ransom.

Ransomware does not encrypt all the files on your computer. It has to leave the computer up and running so you can pay the ransom and (maybe) get your files back. If it encrypted all the programs and system files, the computer would grind to a halt and you wouldn’t pay.


Quick note about OneDrive and Dropbox

If your files are stored in OneDrive or Dropbox, there’s a good chance that you have ransomware protection already, separate from the Windows protection described in this article.

OneDrive proactively notifies you if it sees signs of a ransomware attack. It leads you through a routine to remove the ransomware from your devices and restore your files. OneDrive even automatically selects the time and date that the ransomware was detected when it’s time to restore.

Dropbox offers Dropbox Rewind for all its plans except Dropbox Basic. You can roll back a whole folder, or even your entire account, to any point in time for the last 30 days (or longer for Professional and Business users).


Windows 10 ransomware protection

Click on Start, type in “Windows Security,” and click to open up the Security app.

Windows 10 Security - tamper protection

If you see a warning that “tamper protection is off,” click the button to turn it on. It has nothing to do with ransomware; I just don’t want you to be startled by the yellow exclamation point. It’s a new feature that might do some good. We’ll get to that story another time.

Windows 10 Security - ransomware protection

Click on Virus & threat protection and scroll down to the bottom to find Ransomware protection. Click on Manage ransomware protection and, I’ll be damned, it’s turned off. “Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications.” Why is it turned off? It sure sounds helpful!

Windows Security ransomware protection - turned off by default

You can turn on ransomware protection by sliding that switch to On. That’s it! You’re protected. Oh, and some things may stop working. Let’s figure out what the protection does, then we can understand its side effects.

Windows Security ransomware protection - protected folders

Microsoft has designed Windows to nudge you into saving all your files in a few folders: Desktop, Documents, Pictures, Music, and Videos, plus a few variations created by the cloud services like Dropbox and OneDrive. Most people never leave those folders.

When you turn on ransomware protection, Windows locks down those user folders so that, by default, no program can change the files in them. Controlled folder access means that no program has permission to change the files unless Windows, or you, has allowed it.

By default, Microsoft protects files in the user folders. You can add other folders if you have files elsewhere on the hard drive or in mapped drives or network shares.

Windows automatically creates some exceptions to the rule, working from a list of “friendly apps” that are given permission to work freely with your files. Obviously, for example, you can use File Explorer to create and delete and rename files. The Office programs work exactly the way they did before.

Microsoft says optimistically, “Most of your apps will be allowed by Controlled folder access without adding them here. Apps determined by Microsoft as friendly are always allowed.”

Windows ransomware protection - notification of changes blocked

When ransomware protection is turned on, a malicious program will be stopped when it tries to change your files by encrypting them or renaming them. You’ll see an error notice in the right corner of the screen.


So what’s the problem?

If you use a computer only to do simple things with programs from major publishers like Adobe and Microsoft, ransomware protection might work just fine for you.

Microsoft leaves it turned off because many people find it is too heavy-handed. There’s no warning when a program is going to try to open a file without permission – the program is going to stop working or crash without warning. We don’t know what programs are on the “friendly” list. It’s up to you to white-list a program if it is blocked.

It’s hard to predict what programs will or won’t work after you turn on ransomware protection. You might not predict a problem running a Steam game, but it might use the Documents folder for game saves. You might have a program from a printer or camera manufacturer, or a backup program, or any one of a number of other specialized programs that stop working. Are you prepared to white-list them all?

White-listing a program requires finding the executable file that runs the program, not always an easy task for tech professionals and out of reach for non-tech users.

One article points out that if the ransomware protection stops you from saving something, you only find out when you try to save it. There is no advance notice.

If you have files on an external hard drive or in a network share, those files aren’t protected until you add them to the list of protected folders. That’s not a big problem for moderately technical people, but it’s steep terrain for non-technical users.
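The steps above (turning the protection on, adding folders outside the default user folders, and finding the executable to allow when a program is blocked) can also be done from an elevated PowerShell prompt with the Microsoft Defender cmdlets. This is an added example, not from the original post; the folder and program paths are constructed placeholders, and the event data field names "Process Name" and "Path" are an assumption about the log layout.

```powershell
# Added example (not from the original post): manage Controlled Folder Access
# from an elevated PowerShell prompt using the Defender cmdlets.
# Paths below are constructed placeholders; substitute your own.

# 1. Start in audit mode: nothing is blocked, but every write that would have
#    been blocked is logged, so you can see which programs need allowing
#    before you switch to enforcement (the post's "no advance notice" problem).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders outside the default user folders (external drive, network
#    share) that are otherwise left unprotected.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'E:\Photos', '\\fileserver\home\alice'

# 3. Read the Defender operational log for Controlled Folder Access events.
#    1123 = blocked (enforced mode), 1124 = would have been blocked (audit mode).
#    Get-WinEvent throws if nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

# Each event names the process and the file it tried to change; summarise by
# executable so you know exactly which .exe to allow. ('Process Name' and
# 'Path' are assumed field names; fall back to $_.Message if they differ.)
$events |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    } |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Allow the legitimate programs you found: the full path of the .exe that
#    actually performs the writes (a game's or backup tool's executable).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# 5. Switch to enforcement once the audit log is quiet, and confirm the state.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Leaving the computer in audit mode for a few days of normal use surfaces most of the programs that would otherwise break silently once enforcement is on.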

Controlled folder access is a fine idea, but its implementation is half-baked. That’s why Microsoft doesn’t turn on ransomware protection by default. You have to dig deep and find it, and then be prepared to make manual adjustments as required for programs that stop working. It’s easy to try it, and good protection if your computer still works normally, but be prepared to turn it back off again if your PC goes haywire.

Thanks to crack IT consultant BJ Dent for letting me know that this protection exists. I hope I’m not the only one who had no idea it was there.
