Protect Against Ransomware in 2026: A Windows Guide
If a stranger's script can silently rewrite every file in your Documents folder, you don't have ransomware protection — you have a countdown. The short version of how to protect against ransomware in 2026: keep an offline or immutable backup that malware can't reach, turn on Controlled Folder Access, patch your OS and browser on a schedule, and stop reusing passwords on anything with remote access. Everything else is detail. Let's get into the detail.
How does ransomware actually get onto a PC in 2026?
Forget the old mental image of a random email attachment. That still happens, but it's not the whole picture anymore. Cisco Talos's incident response data for Q1 2026 found phishing had become the top initial access method again, involved in over a third of the engagements where the entry point could be identified, with public-facing application exploits (things like the SharePoint ToolShell bugs) and exposed remote services close behind.
For home users and small offices specifically, three doors get kicked in more than any others:
- Phishing and malicious attachments — a fake invoice, a "shared document" link, a cracked-software installer bundled with a loader.
- Exposed RDP — port 3389 open to the internet with a weak or reused password. Attackers scan for this constantly; it doesn't require you to click anything.
- Credential reuse — your email password from some breach three years ago, still working on your Windows account or your router's admin panel.
I've seen a home user get hit because a "free" VPN client bundled a loader, and I've seen a small business get hit because someone left RDP open on a static IP so a relative could "help with the computer remotely." Neither victim did anything dramatically stupid. The openings are usually mundane.
How do I turn on Controlled Folder Access in Windows?
Controlled Folder Access (CFA) is part of Microsoft Defender and it's the single highest-value free setting for ransomware protection windows users have. It blocks untrusted apps from writing to your protected folders — Documents, Pictures, Desktop, Videos, and more — even if malware is already running under your account.
Fastest path, GUI: Open Windows Security → Virus & threat protection → scroll to Ransomware protection → Manage ransomware protection → toggle Controlled folder access to On.
Same thing from an elevated PowerShell prompt (Win+X → Terminal (Admin)):
Set-MpPreference -EnableControlledFolderAccess Enabled
Not sure if it'll break something you use daily, like a photo editor or a niche backup tool? Run it in audit mode first. It logs what would have been blocked without actually blocking it:
Set-MpPreference -EnableControlledFolderAccess AuditMode
Give it a few days, then check Event Viewer under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational for event ID 1123 (blocked) or 1124 (would-have-been-blocked). If nothing legitimate shows up, flip it to Enabled.
To add a folder beyond the defaults — say, a separate drive where you keep client files:
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\ClientFiles"
Use Add-MpPreference, not Set-MpPreference, for this. Set-MpPreference overwrites your existing list instead of appending to it — an easy mistake that quietly un-protects folders you already added. If a trusted app gets blocked, allow it by exact path:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\SomeApp\app.exe"
To see what's currently protected and what's currently allowed:
$cfa = Get-MpPreference
$cfa.ControlledFolderAccessProtectedFolders | Sort-Object
$cfa.ControlledFolderAccessAllowedApplications | Sort-Object
One gotcha worth knowing before you enable this on a machine you actually use: CFA has a habit of blocking perfectly legitimate tools the first time they try to save into Documents or Desktop — I've had it swallow a screenshot tool and a niche PDF exporter on first run. That's what the allowed-apps list above is for. Don't turn CFA off out of frustration; add the app instead.
Why isn't Controlled Folder Access enough on its own?
Because CFA only protects the folders you've told it to protect, and it does nothing about the attack chain before the encryption step — credential theft, lateral movement, or an attacker with admin rights disabling Defender outright. It's one layer, not the whole strategy.
Pair it with Microsoft Defender's Attack Surface Reduction (ASR) rules, which block a lot of the macro-and-script techniques ransomware loaders rely on (Office apps spawning child processes, obfuscated scripts, etc.). If you're on Windows 11 Pro or Enterprise, these are configurable through Group Policy or PowerShell; on Home editions your options are more limited, which is one real reason to consider Pro if you're doing this seriously.
And don't assume Windows' built-in shadow copies (System Restore points, the "Previous Versions" tab) will save you. This is the part people get wrong most often: ransomware routinely deletes them as a standard first step, right before encrypting your files. The classic command looks like this — and I'm showing it so you recognize it, not so you run it:
vssadmin.exe delete shadows /all /quiet
That single line, or the WMIC/PowerShell equivalents, is why security tools treat any use of vssadmin delete shadows as a red flag worth an immediate alert. If your only "backup" is Windows shadow copies, you don't have a backup — you have something the attacker will delete in about two seconds.
What's the right way to back up a PC so ransomware can't touch it?
This is the part that actually determines whether a ransomware infection is an inconvenience or a disaster. The industry baseline is the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. CISA recommends it as a standard defense against ransomware.
For 2026, extend it to 3-2-1-1-0: the extra "1" is an offline or immutable copy that a compromised admin account can't reach or delete, and the "0" means you've actually verified the backup restores cleanly — not just that the backup job said "success."
In practice, on a home PC, that looks like:
- One local backup — File History or a scheduled image backup to an external drive.
- One offline copy — an external drive you plug in, back up to, and then physically disconnect and unplug. If it's not connected, ransomware can't reach it. This is the step people skip because it's manual, and it's the step that matters most.
- One cloud copy with version history — OneDrive, Backblaze, or similar, provided the service keeps previous file versions. If it just syncs, an encrypted file syncs up and overwrites the good one. Version history is what saves you there.
Test the restore at least once. Not "check that the backup ran" — actually pull a folder back down and open a file. A backup you've never restored from is a theory, not a plan.
Patching, MFA, and the boring stuff that actually works
None of the above matters much if the attacker walks in the front door. A few unglamorous habits close most of the doors:
- Turn on automatic Windows Update and don't defer feature updates for months. Vulnerability exploitation — especially against edge devices, VPNs, and internet-facing software — has been climbing as an initial access vector; Google's Mandiant team logged it as the top vector in ransomware intrusions through 2025.
- Don't expose RDP to the internet. If you genuinely need remote access, put it behind a VPN, or at minimum enforce MFA and restrict it to known IP ranges. An open port 3389 with a guessable password is still one of the most reliable ways to get ransomware.
- Turn on MFA everywhere it's offered — email first, then anything tied to backups or remote access. Compromised credentials without MFA remain one of the most common ways attackers get their first foothold, according to Rapid7's incident response data.
- Stop reusing passwords, especially between your email and anything administrative. A password manager is genuinely worth the five minutes of setup friction.
Windows built-in protection vs. third-party endpoint tools
| Layer | What it does | Cost | Good enough for a home PC? |
|---|---|---|---|
| Microsoft Defender + Controlled Folder Access | Blocks untrusted apps from writing to protected folders; real-time malware scanning | Free (built into Windows) | Yes, if kept updated and paired with backups |
| Windows Update / patch management | Closes known vulnerabilities attackers exploit for initial access | Free | Non-negotiable, not optional |
| External offline backup drive | Recovery path malware physically can't reach | One-time hardware cost | Yes — arguably the single most important item here |
| Cloud backup with version history | Offsite copy, protects against theft/fire/local disaster | Subscription, varies | Recommended as a second layer, not a replacement for offline |
| Third-party endpoint protection (EDR-style) | Behavioral detection, rollback features, centralized alerts | Paid, often per-device | Worth it for small businesses; usually overkill for a single home PC kept patched |
What do I do if I'm already looking at a ransom note?
Disconnect the machine from the network immediately — pull the Ethernet cable or turn off Wi-Fi — to stop it from reaching other devices or your NAS. Don't pay, and don't rush to reinstall Windows before you've decided whether you need the disk for investigation or file recovery. Check whether your specific ransomware strain has a known decryptor; the No More Ransom project maintains a searchable list of free decryption tools tied to identified ransomware families. If you have a genuinely offline backup, this is the moment it earns its keep: wipe the infected drive and restore from the copy that was disconnected before the attack happened.
FAQ
Does Windows Defender actually stop ransomware, or do I need paid antivirus?
Modern Microsoft Defender, with Controlled Folder Access and Attack Surface Reduction rules turned on, blocks a meaningful share of common ransomware behavior on its own. Paid endpoint tools add behavioral detection and centralized management that make more sense for a business with several machines than for a single home PC — but no antivirus product, free or paid, replaces having an offline backup.
Will Controlled Folder Access slow down my PC?
No noticeable performance hit in normal use. The main friction is occasional false positives on legitimate apps writing to protected folders, which you fix by adding that app to the allowed list.
Can ransomware still infect files on a cloud drive like OneDrive?
Yes, if the service is set to sync — an encrypted file overwrites the clean one in the cloud too. What protects you is version history, which most major providers offer, letting you roll a synced file back to a version before the encryption happened.
Is System Restore or File History enough backup protection?
No. Both rely on the same Volume Shadow Copy service that ransomware routinely deletes as a first step before encrypting files. Treat shadow copies as a convenience for accidental deletions, not as ransomware protection.
Do I need to disable RDP completely if I never use it?
Yes. If you're not using it, turn it off (Settings → System → Remote Desktop). An open port you don't use is pure downside — it gives attackers a target with zero benefit to you.
How often should I test my backups?
At minimum, once after you set them up, and again any time you change your backup software or destination. For anything business-critical, quarterly is a reasonable cadence.