PINDROP BLOG

New Windows 10 Feature Aims to Halt Ransomware

Microsoft is aiming to change the success rate of ransomware with a new security feature in Windows 10 that will define a set of folders that can only be accessed by approved apps.

The feature is included in the latest interim build of Windows 10, and it comes at a time when large-scale ransomware campaigns such as WannaCry and NotPetya are causing problems for organizations around the world. Called controlled folder access, the feature establishes a set of default folders that are protected, making them accessible only by specific apps that are on a whitelist created by the user. Microsoft added the feature to Windows' built-in anti-malware system, Defender Antivirus.

“Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders,” Dona Sarkar, a software engineer in the Windows and Devices group at Microsoft, said in a post explaining the new capability.

“You can add additional folders to the list of protected folders, but you cannot alter the default list, which includes folders such as Documents, Pictures, Movies, and Desktop. Adding other folders to Controlled folder access can be handy, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults.”

The idea behind this change from Microsoft is to prevent malicious apps such as ransomware from being able to access and make changes to vital folders. The ability of ransomware to succeed depends upon its ability to gain access to all of the files on an infected machine. If the malware can’t encrypt the most important files on a user’s PC, then the victim will be less inclined to pay the ransom to recover their data.
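The configuration described above (extending the protected folder list and allowing specific apps) is exposed through the Defender PowerShell cmdlets. This is an added example, not code from the Pindrop post or from Microsoft; the folder path and application path are placeholders, and it assumes an elevated PowerShell session on a Windows 10 build that ships controlled folder access.

```powershell
# Added example (not from the original post). Placeholder paths below stand in
# for a real shared folder and a real backup tool; adjust before use.

# 1. Start in audit mode: legitimate apps that write into protected folders
#    generate events instead of being blocked, so you can build the allow list
#    before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add a folder of your own to the protected set. The default list
#    (Documents, Pictures, Movies, Desktop) is fixed and cannot be edited.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'   # placeholder path

# 3. Allow a specific application to modify files in protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'   # placeholder path

# 4. Review what the feature observed. In the Defender operational log,
#    event 1124 = audited (would have been blocked), 1123 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 5. Once the allow list covers the legitimate writers, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Running step 4 on a schedule while still in audit mode is the cheapest way to find line-of-business apps that would otherwise break when enforcement is turned on.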

The thinking behind controlled folder access is similar in spirit to the way that RansomWhere?, a generic ransomware detection tool for OS X, works. Developed by security researcher Patrick Wardle, RansomWhere? watches the I/O operations on files and looks for untrusted processes that are starting to encrypt files quickly. That’s typical behavior for ransomware and atypical of benign applications. While controlled folder access isn’t meant to detect ransomware, the end result is the same: stopping ransomware from getting to vital files.

CC BY license image from Peter Pham