Ransomware is a constant threat, not only for end-users simply going about their day on-line, but for small business and enterprise users that may manage mission critical data as well. Ransomware typically exploits security holes in a browser or operating system, creeps onto a device (typically a PC), and encrypts common file types across all of the drives attached to a system (including mapped network drives). Then, the nefarious developers demand a ransom to decrypt the data – hence the term ransomware.
To date, ransomware has cost countless dollars, not only due to the ransoms being paid, but because of priceless data loss.
Microsoft has taken various steps to thwart ransomware over the last few years, but its most recent move should be the most effective, by far. The recently released Windows 10 Fall Creators Update (FCU) includes something called Windows Defender Exploit Guard. Windows Defender Exploit Guard is essentially a set of security and anti-malware related features, which includes a new feature (among many others) dubbed “Controlled Folder Access”. The Controlled Folder Access feature is designed to stop ransomware by preventing unauthorized access to files stored in specific folders.
Windows 10 Controlled Folder Access Folder List.
MicrosoftWith Controlled Folder Access, only a pre-defined set of applications can access certain folders. If any other application or executable tries, Controlled Folder Access simply prevents it. Microsoft describes Controlled Folder Access as a “...feature [that] protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold. Cybercriminals can’t extort money if they can’t encrypt your files.”
And CFA isn’t just for end users. In enterprise environments, Controlled folder access can be enabled and managed using Group Policies, PowerShell, or configuration service providers for mobile device management. Controlled Folder Access integrates with Windows Defender Advanced Threat Protection a well. Should Controlled Folder Access block an attempt from a rogue application to make changes to protected folders, an alert is generated. The alert notifies security/IT personnel to take action, including quarantining affected machines or blocking the unauthorized app from running on other machines.
Controlled Folder Access is currently disabled by default, and it requires some “training” to authorize applications that are used daily, but that’s a small price to pay if it stops a ransomware attack dead.
