{"id":19735,"date":"2022-08-02T02:30:05","date_gmt":"2022-08-02T10:30:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/02\/news-13468\/"},"modified":"2022-08-02T02:30:05","modified_gmt":"2022-08-02T10:30:05","slug":"news-13468","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/08\/02\/news-13468\/","title":{"rendered":"How to protect Windows 10 and 11 PCs from ransomware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2016\/12\/12_ransomware-100698482-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Preston Gralla| Date: Tue, 02 Aug 2022 03:00:00 -0700<\/strong><\/p>\n<p>CryptoLocker. WannaCry. DarkSide. Conti. MedusaLocker. The <a href=\"https:\/\/www.csoonline.com\/article\/3663450\/ransomware-attacks-are-increasing-with-more-dangerous-hybrids-ahead.html\" rel=\"noopener\" target=\"_blank\">ransomware threat isn\u2019t going away<\/a> anytime soon; the news brings constant reports of new waves of this pernicious type of malware washing across the world. It\u2019s popular in large part because of the immediate financial payoff for attackers: It works by encrypting the files on your hard disk, then demands that you pay a ransom, frequently in Bitcoin or other cryptocurrency, to decrypt them.<\/p>\n<p>But you needn\u2019t be a victim. There\u2019s plenty that Windows 10 and 11 users can do to protect themselves against it. 
In this article, I\u2019ll show you how to keep yourself safe, including how to use an anti-ransomware tool built into Windows.<\/p>\n<p>(Administrators, see &#8220;What IT needs to know about ransomware and Windows&#8221; at the end of this article.)<\/p>\n<p>This article assumes that you\u2019re already taking the basic precautions against malware in general, including running anti-malware software and never downloading attachments or clicking links in email from unknown senders and suspicious-looking email. Also note that this article has been updated for the Windows 10 November 2021 Update (version 21H2) and the Windows 11 October 2021 Update (version 21H2). If you have an earlier release of Windows 10, some things may be different.<\/p>\n<p>Microsoft is concerned enough about ransomware that it built an easy-to-configure anti-ransomware tool directly into Windows 10 and Windows 11. Called controlled folder access, it protects you by letting only safe and fully vetted applications access your files. Unknown applications or known malware threats aren\u2019t allowed through.<\/p>\n<p>By default, the feature is not turned on, so if you want to protect yourself against ransomware, you\u2019ll have to tell it to get to work. And you can customize exactly how it works by adding new applications to its whitelist of programs that can access files, and adding new folders in addition to the ones that it protects by default.<\/p>\n<p>To switch it on, you\u2019ll need to access Windows Security. There are several ways to get to it in both Windows 10 and Windows 11:<\/p>\n<p>In Windows Security, select <em>Virus &amp; threat protection<\/em>. Scroll down to the \u201cRansomware protection\u201d section and click <em>Manage ransomware protection<\/em>. From the screen that appears, under \u201cControlled folder access,\u201d toggle the switch to <em>On<\/em>. You\u2019ll get a prompt asking if you want to make the change. 
Click <em>Yes<\/em>.<\/p>\n<p>Switch the toggle to <em>On<\/em> to turn on controlled folder access.<\/p>\n<p>You shouldn\u2019t leave it at that and feel safe yet, because there\u2019s a chance that you have folders you\u2019d like to protect that the feature ignores. By default, it protects Windows system folders (and folders underneath them) like C:\\Users\\<em>UserName<\/em>\\Documents, where <em>UserName<\/em> is your Windows user name. In addition to Documents, Windows system folders include Desktop, Music, Pictures, and Videos.<\/p>\n<p>But all your other folders are fair game for any ransomware that makes its way onto your PC. So if you use Microsoft\u2019s OneDrive cloud storage, for example, any OneDrive folders and files on your PC aren\u2019t protected. Given that Microsoft is trying to move everyone it can onto OneDrive, this is a surprising omission.<\/p>\n<p>To add folders you want protected, click the <em>Protected folders<\/em> link that appears after you switch on controlled folder access. A prompt appears asking if you want to make the change. Click <em>Yes<\/em>. Click the <em>Add a protected folder<\/em> button that is on top of the list of protected folders that appears, then navigate from the screen that appears to the folder you want to protect and click <em>Select Folder<\/em>.<\/p>\n<p>Click <em>Add a protected folder<\/em> to protect more of your folders with controlled folder access.<\/p>\n<p>Continue to add folders in this way. Remember that when you add a folder, all folders underneath it are protected as well. So if you add OneDrive, for example, there\u2019s no need to add all of the folders underneath it.<\/p>\n<p>(Note: Depending on your version of OneDrive, you may be able to restore OneDrive files, even if you don\u2019t control them with controlled folder access. 
For details, see the Microsoft documentation \u201c<a href=\"https:\/\/support.microsoft.com\/en-us\/office\/restore-deleted-files-or-folders-in-onedrive-949ada80-0026-4db3-a953-c99083e6a84f\" rel=\"noopener nofollow\" target=\"_blank\">Restore deleted files or folders in OneDrive<\/a>.\u201d)<\/p>\n<p>If you decide at any point to remove a folder, get back to the \u201cProtected folders\u201d screen, click the folder you want to remove, and then click <em>Remove<\/em>. Note that you won\u2019t be able to remove any of the Windows system folders that are protected when you turn the feature on. You can only remove the ones that you\u2019ve added.<\/p>\n<p>Microsoft determines which applications should be allowed access to protected folders, and unsurprisingly, among them is Microsoft Office. Microsoft hasn\u2019t published a list of which applications are allowed, though, so consider taking action to let applications you trust access your files.<\/p>\n<p>To do it, go back to the screen where you turned on controlled folder access and click <em>Allow an app through Controlled folder access<\/em>. A prompt appears asking if you want to make the change. Click <em>Yes<\/em>. From the screen that appears, click <em>Add an allowed app<\/em>, navigate to the executable file of the program you want to add, click <em>Open<\/em>, and then confirm you want to add the file. As with adding folders to the list of protected folders, you can remove the app by getting back to this screen, clicking the application you want to remove, then clicking <em>Remove<\/em>.<\/p>\n<p>Hint: If you\u2019re not sure where executable files are located for programs you want to add to the whitelist, look for the folder name with the program\u2019s name in the Windows\\Program Files or Windows\\Program Files (x86) folders, then look for an executable file in that folder.<\/p>\n<p>The whole point of ransomware is to hold your files hostage until you pay to unlock them. 
So one of the best protections from ransomware is to back up your files. That way, there\u2019s no need to pay the ransom, because you can easily restore your files from the backup.<\/p>\n<p>But when it comes to ransomware, not all backups are created equal. You need to be careful about choosing the right backup technique and service. It\u2019s a good idea to use a cloud-based storage and backup service rather than only backing up to a drive attached to your PC. If you back up to a drive attached to your PC, when your PC gets infected with ransomware, the backup drive will likely be encrypted along with any other disks inside or attached to your PC.<\/p>\n<p>Make sure that your cloud-based storage and backup uses versioning \u2014 that is, it keeps not just the current version of each of your files, but previous ones as well. That way, if the most current version of your files gets infected, you can restore from previous versions.<\/p>\n<p>Most backup and storage services, including Microsoft OneDrive, Google Drive, Carbonite, Dropbox and many others, use versioning. It\u2019s a good idea to get familiar with the versioning feature of whichever service you use now, so you can easily restore files in a pinch.<\/p>\n<p>Microsoft Word makes use of OneDrive\u2019s versioning capabilities in its Version History feature.<\/p>\n<p>Just about any anti-malware program includes built-in anti-ransomware protections, but there are several programs that promise to specifically target ransomware. A number of them are paid, but there are also some free options, such as those I\u2019m listing here.<\/p>\n<p>Bitdefender <a href=\"https:\/\/www.bitdefender.com\/blog\/labs\/tag\/free-tools\/\" rel=\"noopener nofollow\" target=\"_blank\">offers free decryption tools that can unlock your data<\/a> if you\u2019ve been attacked by ransomware and it\u2019s being held ransom. 
They can only decrypt data that\u2019s been encrypted with certain specific pieces or families of ransomware, including REvil\/Sodinokibi, DarkSide, MaMoCrypt, WannaRen and several others. And Kaspersky offers <a href=\"https:\/\/www.kaspersky.com\/anti-ransomware-tool\" rel=\"noopener nofollow\" target=\"_blank\">anti-ransomware software for free<\/a> for both home and business users, although there are limitations on the number of devices you can use it on.<\/p>\n<p>Kaspersky\u2019s free anti-ransomware tool.<\/p>\n<p>Microsoft regularly releases Windows 10 and Windows 11 security patches, and they\u2019re automatically applied via Windows Update. But if you hear about a ransomware outbreak, you shouldn\u2019t wait for Windows Update to work \u2014 you should immediately get the update yourself so that you\u2019re protected as soon as possible. And it\u2019s not just Windows updates you want to get. You also want to make sure Windows Security, Microsoft\u2019s built-in anti-malware tool, has the latest anti-malware definitions.<\/p>\n<p>To do both in Windows 10, go to <em>Settings &gt; Update &amp; Security &gt; Windows Update<\/em> and click the <em>Check for updates<\/em> button. In Windows 11, go to <em>Settings &gt; Windows Update<\/em> and click the <em>Check for updates<\/em> button. (If updates are already waiting for you, you\u2019ll see them listed instead of the <em>Check for updates<\/em> button.) If Windows finds updates, it installs them. If it requires a reboot, it will tell you.<\/p>\n<p>Checking for Windows 11 updates.<\/p>\n<p>You need to worry not just about Windows staying patched, but other software as well. If you use an anti-malware program other than Windows Security, make sure it and its malware definitions are up to date.<\/p>\n<p>And the other software on your PC should be kept up to date as well. 
So check how each piece of software gets updated and make sure to update each one regularly.<\/p>\n<p>Ransomware can be spread <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/intelligence\/macro-malware?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">via macros in Office files<\/a>, so to be safe you should turn them off. Microsoft now disables them by default, but that doesn\u2019t necessarily mean that they\u2019re turned off in your version of Office, depending on when you installed it and whether you\u2019ve updated it. To turn them off, when you\u2019re in an Office application, select <em>File &gt; Options &gt; Trust Center &gt; Trust Center Settings<\/em> and select either <em>Disable all macros with notification<\/em> or <em>Disable all macros without notification<\/em>. If you disable them with notification, when you open the file you\u2019ll get a message warning that the macros were disabled and letting you turn them on. Only turn them on if you\u2019re absolutely sure they\u2019re from a safe, trusted source.<\/p>\n<p>Here\u2019s how to disable macros in Office.<\/p>\n<p>There\u2019s plenty that IT can do to keep companies free from ransomware. The most obvious: Apply the latest security patches to not just all PCs in an organization, but all servers and any other enterprise-level hardware.<\/p>\n<p>That\u2019s just a start, though. IT needs to disable the notoriously insecure SMB1 Windows networking protocol. Multiple ransomware attacks have spread through the 30-year-old protocol; even Microsoft says it should be used by no one, ever.<\/p>\n<p>The good news is that Windows 10 version 1709, released in October 2017, finally did away with SMB1. (It\u2019s not in Windows 11, either.) But that\u2019s only for PCs with clean installs of version 1709 or later, including new PCs that have come out since then. 
Older PCs that were updated from earlier versions of Windows still have the protocol built in.<\/p>\n<p>There are multiple places IT can go to get help to turn it off. A good place to start is the <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2017\/01\/16\/SMB-Security-Best-Practices\" rel=\"noopener nofollow\" target=\"_blank\">SMB Security Best Practices document<\/a> from US-CERT, run by the U.S. Department of Homeland Security. It recommends disabling SMB1, and then \u201cblocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.\u201d<\/p>\n<p>The Microsoft support article \u201c<a href=\"https:\/\/docs.microsoft.com\/en-US\/windows-server\/storage\/file-server\/troubleshoot\/detect-enable-and-disable-smbv1-v2-v3\" rel=\"noopener nofollow\" target=\"_blank\">How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows<\/a>\u201d offers details about how to turn off the protocol. It recommends killing SMB1 but keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting. For the most up-to-date and detailed information about turning off SMB1, go to the Microsoft TechNet article \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/staysafe\/disable-smb-v1-in-managed-environments-with-ad-group-policy\" rel=\"nofollow noopener\" target=\"_blank\">Disable SMB v1 in Managed Environments with Group Policy<\/a>.\u201d<\/p>\n<p>Administrators can use the Controlled Folder Access feature (covered earlier in this article) to stop ransomware from encrypting files and folders of PCs running Windows 11 or Windows 10 version 1709 or later. 
They can use the Group Policy Management Console, the Windows Security Center, or PowerShell to turn on Controlled Folder Access for users on a network, customize which folders should be protected, and let additional applications access the folders beyond the Microsoft defaults. For instructions, go to the Microsoft article \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/enable-controlled-folders?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">Enable controlled folder access<\/a>\u201d to turn it on, and to \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/customize-controlled-folders?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">Customize controlled folder access<\/a>\u201d to customize which folders should be protected and which applications should be allowed through.<\/p>\n<p>One potential issue with Controlled Folder Access is that it might block apps that users typically use from accessing folders. So Microsoft recommends using audit mode first, to see what will happen when Controlled Folder Access is turned on. For information about how to do it, go to Microsoft&#8217;s \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/evaluate-exploit-protection?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">Evaluate exploit protection<\/a>\u201d documentation.<\/p>\n<p>As noted above, Office macros can spread ransomware. Microsoft is now blocking macros downloaded from the internet by default, but to be safe, IT should use Group Policy to block them. 
For advice on how to do it, go to the \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked#block-macros-from-running-in-office-files-from-the-internet\" rel=\"noopener nofollow\" target=\"_blank\">Block macros from running in Office files from the Internet<\/a>\u201d section on Microsoft\u2019s \u201c<a href=\"https:\/\/docs.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\" rel=\"noopener nofollow\" target=\"_blank\">Macros from the internet will be blocked by default in Office<\/a>\u201d documentation and to its \u201c<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-365-blog\/helping-users-stay-safe-blocking-internet-macros-by-default-in\/ba-p\/3071805\" rel=\"noopener nofollow\" target=\"_blank\">Helping users stay safe: Blocking internet macros by default in Office<\/a>\u201d blog post.<\/p>\n<p>The good news in all this: Windows 10 and Windows 11 have specific anti-ransomware features built right in. Follow the advice we\u2019ve outlined here to keep the ransomware threat at bay.<\/p>\n<p><em>This article was originally published in January 2018 and most recently updated in August 2022.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3245585\/how-to-protect-windows-10-from-ransomware.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2016\/12\/12_ransomware-100698482-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Preston Gralla| Date: Tue, 02 Aug 2022 03:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>CryptoLocker. WannaCry. DarkSide. Conti. MedusaLocker. 
The <a href=\"https:\/\/www.csoonline.com\/article\/3663450\/ransomware-attacks-are-increasing-with-more-dangerous-hybrids-ahead.html\" rel=\"noopener\" target=\"_blank\">ransomware threat isn\u2019t going away<\/a> anytime soon; the news brings constant reports of new waves of this pernicious type of malware washing across the world. It\u2019s popular in large part because of the immediate financial payoff for attackers: It works by encrypting the files on your hard disk, then demands that you pay a ransom, frequently in Bitcoin or other cryptocurrency, to decrypt them.<\/p>\n<p>But you needn\u2019t be a victim. There\u2019s plenty that Windows 10 and 11 users can do to protect themselves against it. In this article, I\u2019ll show you how to keep yourself safe, including how to use an anti-ransomware tool built into Windows.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3245585\/how-to-protect-windows-10-from-ransomware.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,24580,10525,10761,24583],"class_list":["post-19735","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-small-and-medium-business","tag-windows","tag-windows-10","tag-windows-11"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"
}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19735"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19735\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19735"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}