Protect Your Windows PC Against Ransomware
Ransomware does not 'just happen'. Three controls block almost every infection.
8 min read · Beginner friendly
Step 1: Turn on Controlled Folder Access
Open Windows Security → Virus & threat protection → Manage ransomware protection.
Turn on Controlled folder access. Windows will now block any app that is not on its trusted list from modifying files in your Documents, Pictures, Videos, Music and Desktop folders.
If a real app gets blocked (some games, backup software), add it via Allow an app through Controlled folder access.
This is the single most effective built-in protection against ransomware on Windows. It is off by default for compatibility reasons — turn it on.
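The same Step 1 settings can be applied and checked from PowerShell, which also shows which programs Controlled folder access has been blocking so you can decide what to allow. This is an added example, not part of the original guide. It assumes Microsoft Defender is your active antivirus; the application path is a made-up placeholder.

```powershell
# Added example. Run in an elevated PowerShell window (Run as administrator).
# Works only when Microsoft Defender Antivirus is the active antivirus.

# 1. Turn on Controlled folder access (same effect as the Windows Security toggle).
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Confirm it took effect: 0 = off, 1 = on (block mode), 2 = audit only.
$state = (Get-MpPreference).EnableControlledFolderAccess
if ($state -ne 1) {
    Write-Warning "Controlled folder access is not in block mode (value: $state)."
}

# 3. See which programs were blocked in the last 7 days.
#    Defender logs each block as event ID 1123 in its operational log.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123
    StartTime = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull the "Process Name:" line out of each event message and count blocks per
# program. If that line is missing, the whole message is shown instead.
$events | ForEach-Object {
    if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { $_.Message }
} | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 4. Allow one program you recognise and trust. Placeholder path: replace it.
$trustedApp = 'C:\Program Files\ExampleBackup\backup.exe'   # hypothetical
if (Test-Path -LiteralPath $trustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp
} else {
    Write-Warning "Not found, nothing added: $trustedApp"
}

# 5. Review the allow list. Keep it short: every entry can modify protected folders.
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

If a program in the blocked list is one you do not recognise, leave it blocked and run a full Defender scan instead of allowing it.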
Step 2: Set up a 3-2-1 backup
3 copies of your important data, on 2 different media, with 1 copy offline:
- Original on your PC.
- Cloud copy: OneDrive, Google Drive, Backblaze, iDrive — anything with version history.
- Offline copy: an external USB drive that you plug in once a week, copy to, and unplug. Ransomware cannot encrypt a drive that isn't connected.
Step 3: Use OneDrive Version History as a safety net
If your Documents and Desktop folders are synced to OneDrive (Settings → Backup), you get 30 days of version history for every file plus a 'Restore your OneDrive' option that can roll the entire account back to a point in time before the infection.
This has saved more ransomware victims than any antivirus.
Step 4: Block macros and risky downloads
Most ransomware arrives via a Word/Excel attachment with a macro, or a fake installer. In Office: File → Options → Trust Center → Trust Center Settings → Macro Settings → Disable all macros with notification.
Never enable macros on a document that arrived in an unexpected email — even if it looks like it's from a known sender.
Step 5: Use a standard user account for daily work
Ransomware running under a standard account cannot disable Defender, cannot encrypt other users' files, and is much easier to clean up. Follow the standard-account guide below.