Windows 10 will try to combat ransomware by locking up your data
The latest Windows 10 build, today's 16232, contains a few new security features. In addition to the richer control over exploit mitigation that Microsoft announced earlier this week, the new build also includes a trial of a new anti-ransomware capability.
The long-standing approach that operating systems have used to protect files is a mix of file ownership and permissions. On multi-user systems, this is broadly effective: it stops one user from reading or altering files owned by other users of the same system. The long-standing approach is also reasonably effective at protecting the operating system itself from users. But the rise of ransomware has changed the threats to data. The risk with ransomware comes not with another user changing all your files (by encrypting them); rather, the danger is that a program operating under a given user's identity will modify all the data files accessible to that user identity.
In other words, if you can read and write your own documents, so can any ransomware that you run.
Microsoft's attempt to combat this is called "Controlled folder access," and it's part of Windows Defender. With Controlled folder access, certain directories can be designated as being "protected," with certain locations, such as Documents, being compulsorily protected. Protected folders can only be accessed by apps on a whitelist; in theory, any attempt to access a Protected folder will be blocked by Defender. To reduce the maintenance overhead, certain applications will be whitelisted automatically. Microsoft doesn't exactly specify which applications, but we imagine that apps from the Store would automatically be allowed access, for example.
In principle, this should impede the ability of ransomware to encrypt user data. In practice, we'll have to see just how robust Controlled folder access is. To be effective, such a safeguard would need, for example, to prevent malicious Word macros from accessing a Protected folder, even though Word itself should be allowed to read and write to the Documents directory. If ransomware can readily get a trusted application to do its dirty work for it, the protection will likely be circumvented sooner rather than later.