Skip to content
How‑To Guides

How to Protect Against Ransomware

Protect against ransomware before it strikes with offline backups, Controlled Folder Access, and macro security. Here is the essential prevention and recovery guide.

How to Protect Against Ransomware

Ransomware is the threat that turns every other security failure into a financial emergency. When it executes, it systematically encrypts your files — documents, photos, databases, everything it can reach — and presents a ransom demand, typically in cryptocurrency, with a deadline. The attack works because most users have no clean backup, no endpoint protection that can stop encryption in progress, and no practical way to recover without paying. Protecting against ransomware means building defences before this scenario occurs — because recovering from it is far harder than preventing it. If you want the full context, see our Complete Guide to Online Security and Privacy.

Ransomware arrives through specific, predictable delivery channels: phishing emails with malicious attachments or links (most common), RDP exposed to the internet with weak credentials (second most common), and software vulnerabilities in unpatched systems (third). The defences address each entry point, then add controls that limit damage even if initial entry succeeds.

The offline backup — the most important single control

The most effective protection against ransomware is an offline backup that ransomware cannot reach. Connected backups — external drives that remain plugged in, cloud services with permanent sync connections, network shares with open access — are encrypted alongside primary files because ransomware specifically sweeps all accessible drives and network locations as part of its encryption process.

An offline backup is physically disconnected from the computer and the network when not actively being written. It’s immune to encryption because ransomware cannot reach a drive that isn’t mounted.

Implementation: connect the backup drive → run a full backup → disconnect immediately → store physically separate from the computer. Keep at least two drives in rotation — one currently connected for backup, one stored offsite or in a fireproof location — so that if ransomware strikes during the brief window the backup drive is connected, a clean copy from the previous session still survives.

Cloud backup services with long version histories provide a complementary protection layer. If ransomware encrypts files and the encrypted versions sync to the cloud, a service with 30+ day version history allows restoring to the pre-encryption version. Backblaze keeps 30 days of file versions on the standard plan (1 year on the Extended Version History plan) — this is genuine backup, not simple sync. Services without version history (standard Dropbox/OneDrive without Plans+ features) may not retain adequate historical versions for ransomware recovery. Our guide on backing up your data covers the full 3-2-1 strategy including the offline copy that specifically protects against ransomware.

Defence layers compared

Defence layerWhat it protects againstEffectivenessCost
Offline backup (disconnected drive)All ransomware — cannot encrypt disconnected mediaExcellent for recoveryExternal drive (~$50–100) + time
Cloud backup with version historyRansomware that syncs encrypted filesGood — recover to pre-infection stateSubscription ($3–10/month)
Windows Controlled Folder AccessUnauthorised apps modifying protected foldersStrong — blocks many ransomware strainsFree (Windows 11 built-in)
Up-to-date OS and softwareVulnerability-based ransomware deliveryPrevents entry through patched vulnerabilitiesFree (time to update)
Phishing awareness + email filteringPhishing-delivered ransomwareReduces phishing success rate significantlyFree habits
RDP disabled or behind VPNCredential-based RDP ransomware attacksEliminates this attack vector entirelyFree
Endpoint protection (paid)Known and behavioural ransomware detectionGood — catches many strains before encryption$30–60/year

The offline backup addresses the core problem: even when everything else fails, a clean backup from before the attack makes ransomware a severe inconvenience rather than a catastrophic data loss. Combined with Controlled Folder Access and current patches, the three together address the most impactful layers at minimal cost.

The step-by-step configuration

  1. Enable Windows Controlled Folder Access. Windows Security → Virus & threat protection → Ransomware protection → Controlled folder access → On. This blocks any application not on the allowed list from modifying files in protected folders (Documents, Desktop, Pictures, Videos by default). Add critical work folders beyond the defaults. False positives — legitimate apps blocked — can be resolved through the “Allow an app through Controlled folder access” option in the same menu. This is the most underused built-in ransomware control on Windows 11.
  2. Keep Windows and all applications updated. Enable automatic Windows updates (Settings → Windows Update → Automatic updates → On). Keep browsers, office applications, and PDF readers updated — these are the most commonly exploited applications for ransomware delivery. Vulnerability-based delivery is the easiest attack vector to close: it requires nothing from you except keeping software current.
  3. Disable RDP if not needed. Settings → System → Remote Desktop → Remote Desktop → Off. If you don’t use remote desktop, this eliminates a high-value attack vector. If you do need RDP, keep it behind a VPN rather than directly accessible on the internet, use a non-standard port, and require strong credentials with account lockout after failed attempts.
  4. Configure email security. Enable your email provider’s attachment scanning. Treat every unexpected email attachment as a risk regardless of the apparent sender — ransomware frequently spreads from compromised contacts’ accounts. Our guide on avoiding phishing scams covers the full pattern recognition for phishing-delivered ransomware.
  5. Set up the offline backup rotation. Connect backup drive → run full backup → disconnect → store separately. Schedule this weekly or monthly depending on how frequently data changes. Test the restoration process annually to confirm the backup is actually restorable.
  6. Enable Windows Defender real-time protection. Windows Security → Virus & threat protection → Real-time protection → On. Defender’s behavioural detection can identify and terminate ransomware processes during the encryption phase — it doesn’t catch everything, but it provides meaningful protection against known strains.
  7. Disable macros in Office. Microsoft 365: File → Options → Trust Center → Trust Center Settings → Macro Settings → “Disable VBA macros without notification.” Macro-based ransomware delivery through Office documents is a persistent and effective delivery mechanism that this setting directly prevents.

Recognising delivery methods

Ransomware delivery patterns to recognise before they execute:

  • Malicious email attachments: Word documents with “Enable Content” prompts, PDFs claiming to require a reader update, ZIP files containing executable files. The “Enable Content” prompt in Office specifically enables macro execution — it exists to warn you. Never click it for documents from unknown senders or unexpected documents from known contacts.
  • Drive-by downloads: visiting a compromised website triggers an automatic download without any user interaction, exploiting unpatched browser or plugin vulnerabilities. Keeping browsers updated is the primary defence; using a browser with sandboxing (Chrome, Edge, Firefox) limits the damage from any exploit that does succeed.
  • Software from unofficial sources: cracked or pirated software bundles ransomware directly into the installer. The full software install process provides elevated permissions that ransomware exploits for maximum file access.
  • Compromised legitimate software updates: supply chain attacks where legitimate software’s update mechanism is hijacked to deliver ransomware. These are the hardest to recognise and defend against, but keeping systems updated (so all other attack vectors are closed) limits exposure to these targeted, sophisticated attacks.

If prevention fails — immediate response

If ransomware is detected in progress — files appearing with unusual extensions, an encryption progress indicator, Windows Defender flagging ransomware activity — the immediate response is to shut down the computer. Not restart, not sign out — full physical shutdown (hold the power button). Shutting down stops the encryption process and preserves files not yet reached. An interrupted encryption is partially recoverable; a completed one is not.

After shutdown:

  1. Do not boot the infected machine again
  2. Connect the offline backup drive to a clean machine — confirm the backup is intact
  3. Check nomoreransom.org — a free service from Europol, Interpol, and the cybersecurity industry with free decryptors for hundreds of ransomware families. New decryptors are added regularly as law enforcement seizes ransomware operator infrastructure. Check this before paying, and again after any major ransomware gang takedown.
  4. Proceed with ransomware removal on the infected machine as described in our guide on removing malware from Windows

Do not pay the ransom before checking No More Ransom. If a decryptor is available for the specific strain, files are recoverable without payment. The decryptor database should be checked before concluding payment is the only option. For nomoreransom.org: upload a sample encrypted file and the ransom note to the identification tool — it identifies the specific ransomware strain and checks for available decryptors automatically.

Network segmentation — preventing lateral spread

Consumer routers place all devices on the same local network segment: laptops, desktops, smart TVs, cameras, NAS drives, smartphones — all accessible to each other. When ransomware infects one device and scans for accessible network shares, it can reach NAS drives, shared folders on other computers, and any other storage visible on the network.

Use the router’s guest network feature to isolate IoT devices (smart TVs, cameras, smart home devices) from the network segment containing computers with important data. Ransomware on a smart TV in the IoT guest network cannot reach the NAS on the primary network. Our guide on securing your home WiFi network covers the guest network configuration for IoT isolation — the same segmentation that reduces ransomware lateral movement.

The psychological dimension of ransomware deserves acknowledgement: the attack is designed to create panic that short-circuits rational decision-making. The ransom note crafts urgency and hopelessness — a deadline, threats to double the ransom, statements that law enforcement cannot help. Knowing in advance what the correct response sequence is (shut down immediately → check No More Ransom → restore from clean backup) removes the decision from the crisis moment. Having a documented response plan before ransomware strikes means the psychological pressure of the ransom note has less ability to produce the outcome the attacker wants. The note is part of the attack; knowing what to do regardless of what it says is part of the defence.

Controlled Folder Access — common false positives and how to handle them

Controlled Folder Access is the most impactful built-in ransomware control on Windows 11, but it frequently blocks legitimate applications that write to protected folders — backup software, productivity tools, game clients saving to Documents, and many others. When an app is blocked:

  1. Windows Security shows a notification that “Controlled folder access blocked [App]”
  2. Navigate to Windows Security → Virus & threat protection → Ransomware protection → Controlled folder access → Allow an app through Controlled folder access
  3. Click “Add an allowed app” → “Recently blocked apps” → allow the legitimate application

The false positive rate is the most common reason users disable Controlled Folder Access — a short-term response to the inconvenience of blocked apps that removes the protection entirely. Adding the legitimate app to the allow list is the correct response; disabling the feature should be reserved for cases where the false positive volume is genuinely unmanageable, and even then the offline backup becomes more critical as the primary ransomware recovery mechanism.

Ransomware and cloud storage

Cloud sync services (OneDrive, Google Drive, Dropbox in sync mode) do not protect against ransomware — they spread it. When ransomware encrypts files in a synced folder, the encrypted files propagate to all connected devices and the cloud within minutes, overwriting the clean versions. A four-device OneDrive sync means ransomware that executes on one device encrypts all four devices’ synced files within the sync window.

The defences specific to cloud storage:

  • Enable version history: OneDrive keeps 30 days of version history by default; Google Drive keeps previous versions for 30 days; Dropbox depends on the plan (30 days free, up to 180 days on Business). Version history allows restoring pre-encryption versions, but must be done within the retention window before versions expire.
  • Backup to a service that isn’t connected to the primary synced folder: Backblaze backs up the OneDrive folder’s local copy — so even if ransomware encrypts OneDrive files and they sync to all devices, Backblaze has the pre-encryption versions within its version history.
  • Pause sync immediately if ransomware is detected — stopping the sync prevents the encrypted versions from propagating to other devices and the cloud. OneDrive: right-click the tray icon → Pause syncing → 2 hours. Google Drive: tray icon → Pause. Dropbox: tray icon → Pause syncing.

Ransomware protection, done comprehensively, is a layered approach where each layer addresses a different failure mode. The offline backup is the recovery guarantee when all prevention fails. Controlled Folder Access is the in-system barrier that stops many attacks before encryption begins. Current patches remove the vulnerabilities that delivery exploits require. Email awareness and macro restrictions reduce the probability of successful delivery. Together, they create a defence that makes ransomware attacks on a properly-configured system both less likely to succeed and less catastrophic when they do succeed.

Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"