Defend against Ransomware: Controlled folder access


Ransomware attacks have become the main challenge and threat against organizations, costing them hundreds of thousands or even millions of dollars to recover from the devastating impact, to restore a damaged reputation, and to investigate how the actor managed to access the network.

While ransomware started as an opportunistic threat targeting individual users, the industry has seen this threat turn into what is now called “big game hunting”: instead of holding a single computer hostage and asking its user for a “fee” to liberate the files, the ransomware operators now take the time to discover a corporate network, map it in all its details, determine what systems are critical and what systems contain the valuable corporate assets, and plan the attack.

Often, once the encryption attack begins, it is a matter of hours before all the targets are encrypted, and that typically happens at a time no one is around to pull the plug.

For the last years, instead of the “impregnable fortress” model, we have advocated for a “prevent-impede-detect-recover” model: prevent the most common attacks, impede the adverse actions if a system is compromised, detect what is unusual, and allow for a timely recovery once the response starts. With regards to ransomware, many techniques have already been presented, Microsoft added one tool in our cyber defense toolbox: Controlled folder access.

Ransomware is never a “normal” application: it is, in many cases, detected as such by AV. We found, in all our ransomware investigations, that one of the very first steps taken by the threat actor is to disable any form of endpoint protection, and in recent cases, this included rebooting into safe mode.

With the endpoint protection gone, the last line of defense has vanished. Microsoft took the issue on its head and, instead of preventing the cause, made it possible to block the consequence: the access to the user data by an application not authorized. The result is Controlled folder access: a feature of Windows Defender that will stop any application, not in a list of authorized applications from modifying a file in a folder protected by the system.

As another hurdle to throw in the path of the attacker, we recommend that users and administrators review it. We have published a short technical guide.



Worried About Ransomware?
There are preventive measures your organization can take to defend against an cyber attack.
LIFARS offering Free 30-minute consultation on cyber resiliency. | Call us at:(212) 222-7061