Defending against ransomware with Windows 10 Anniversary Update

BoraMurdar

Community Manager
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
By Rob Lefferts / Director of Program Management, Windows Enterprise and Security

Ransomware is one of the latest malware threats that is attracting an increasing number of cyber-criminals who are looking to profit from it. In fact, in the last 12 months, the number of ransomware variants has more than doubled. Its premise is deceptively simple: infect users’ devices, and then deny them access to their devices or files unless they pay a ransom. However, the methods and means attackers are using to perpetrate ransomware attacks are increasingly varied, complex and costly.

Microsoft is committed to helping protect people against threats to their safety and security through our strategy of Prevent, Detect and Respond. Using this approach, Windows 10 Anniversary Update is more ransomware-resilient than ever before.

Here are some of the many ways we’re fighting back against ransomware:
  • Six of the top 10 ransomware threats use browser- or browser-plugin-related exploits, so we made it harder for malware authors to exploit Windows 10 and Microsoft Edge.
  • We increased detection and blocking capability in our email services, increasing the number of ransomware-related attachments being blocked.
  • We added new technology to Windows Defender to reduce detection time to seconds, increasing our ability to respond before the infection can occur.
  • We released Windows Defender Advanced Threat Protection which can be combined with Office 365 Advanced Threat Protection to make it easier for companies to investigate and respond to ransomware attacks.
Combined with other significant security advances, such as Credential Guard, Windows Hello and others, we’ve made Windows 10 Anniversary Update the most secure Windows ever. Here are a few examples of how we achieved this:

Prevention:
Browser hardening. Adobe Flash Player is a common browser plug-in that has been used by exploit writers to download ransomware, so we updated Microsoft Edge to run Flash Player in an isolated container. We have also locked down Microsoft Edge so that an exploit running in the browser cannot execute another program. These improvements block malware from silently downloading and executing additional payloads on customers’ systems.

Email protection. A major distribution channel for ransomware is via email file attachments. To help protect customers who use Microsoft email services against such threats, we have made investments in our email services that help block ransomware. We advanced our machine learning models and heuristics to catch malware distributed in email, and developed a faster signature delivery channel to update Windows Defender running in our email services more quickly. The result is improved protection levels for our consumer and commercial productivity suite customers.

Machine learning. Enhancements to our cloud infrastructure let our antimalware researchers extend machine learning models in a way that we can identify and block malware more quickly. Before the Anniversary Update, the process of collecting a suspicious program for analysis, classifying it and responding with protection generally took hours. Now it takes minutes.

Detection:
New and improved Windows Defender. Windows Defender, which is enabled by default, can respond to new threats faster using improved cloud protection and automatic sample submission features to block malware “at first sight”. We’ve also improved Windows Defender’s behavioral heuristics to help determine if a file is performing ransomware-related activities, and then detect and take action more quickly.

Response:
Post-breach defense. In Windows 10 Anniversary Update, we launched Windows Defender Advanced Threat Protection (ATP) service which adds the ability for companies to detect and respond to attacks that have made it through other defensive layers. Combining security events collected from the machines with cloud analytics to detect signs of attacks, Windows Defender ATP surfaces alerts to the enterprise security team. Should ransomware affect corporate endpoints, the Windows Defender ATP console can provide important details that can help security responders quickly understand how the ransomware entered the device, identify the damage it has created, and locate where it might be moving next in the network. When combined with Office 365 Advanced Threat Protection, these services share signals to provide a more holistic view of what is attacking the enterprise.

Protecting against Ransomware
We have made significant improvements in protecting customers from ransomware in the Windows 10 Anniversary Update. To help protect against ransomware and other types of cyber threats, we suggest you:
  • The Block at First Sight cloud protection feature in Windows Defender is enabled by default. For IT Pros, if it was turned off we recommend turning it back on, and we also recommend incorporating another layer of defense through Windows Defender ATP and Office 365 ATP. For more information about each of these technologies and techniques and how they work, please download our white paper "Ransomware Protection in Windows 10 Anniversary Update".

Cyber threats won’t stop, and neither will we. As long as ransomware remains a threat, we will continue to enhance our defenses to better protect your Windows 10 devices.
 
Wave

Another addition they could make is to collect a database of known file extensions which are exclusive to specific ransomware types (e.g. ransomware A-Z-B.A-Y may change the extension of encrypted files to something exclusive like "hellothere<variantname>"), so that if a program modifies a file and then changes the extension afterwards to one in the database, it could have some sort of action to revert/block the program doing this. Especially if the program has already utilised the CryptoAPI and has the ability to perform network activity.

Of course it won't work for all types and could potentially cause some false positive detections if your program alters a file and changes the extension to something like *.encrypted, but could still be used to help identify and catch out specific known types early on depending on how they work.
 

BoraMurdar

Community Manager
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
> Another addition they could make is to collect a database of known file extensions which are exclusive to specific ransomware types (e.g. ransomware A-Z-B.A-Y may change the extension of encrypted files to something exclusive like "hellothere<variantname>"), so that if a program modifies a file and then changes the extension afterwards to one in the database, it could have some sort of action to revert/block the program doing this. Especially if the program has already utilised the CryptoAPI and has the ability to perform network activity.
>
> Of course it won't work for all types and could potentially cause some false positive detections if your program alters a file and changes the extension to something like *.encrypted, but could still be used to help identify and catch out specific known types early on depending on how they work.

Interesting idea :)
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I guess most of what is said in the OP is applicable only to Windows 10 Enterprise or versions other than for home users. The pdf file talks about enterprise security, and nowhere can one find the word "home". :D

Anyway, it's always good to know what technologies MS developed to combat malware. :)
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
> It might be included in Creators Update. I hope.

More like: be included in the Creators Update of Windows 10 Enterprise. lol

Although I believe that the target audience is clearly business people, I too hope that at least some of these technologies are incorporated into the "home" versions of Windows 10. :)
 
Wave

> More like: be included in the Creators Update of Windows 10 Enterprise. lol
>
> Although I believe that the target audience is clearly business people, I too hope that at least some of these technologies are incorporated into the "home" versions of Windows 10. :)

I see what you mean and I agree with you; although as Home users, if we want additional ransomware protection we could always just use a Behaviour Blocker like Emsisoft's, HitmanPro.Alert or a standalone anti-ransomware tool (like those from Kaspersky or Malwarebytes). :)

I doubt Microsoft will invest time to add it for the Home version when they make more money focusing on these features for the Enterprise editions (most likely). Not to mention that these features may not work as intended in a Home environment - they could be needed to work in a specific way or may cause too many FPs in a Home environment. Who knows their reasons, your guess is just as good as mine. ;)
 

BoraMurdar

Community Manager
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
> More like: be included in the Creators Update of Windows 10 Enterprise. lol
>
> Although I believe that the target audience is clearly business people, I too hope that at least some of these technologies are incorporated into the "home" versions of Windows 10. :)

Well yes, a very small percentage of home users will pay ~$300 for retrieving their data after a ransomware attack. They will probably reformat the system. But someone's business data is probably worth much more than paying the ransom. At the end of the story, most attacks are aimed at companies instead of home users.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
If we consider Windows 10 Enterprise, then it is also possible to implement a block on running applications from the user profile directory by package inspector, one of the features contained in Device Guard. Locking the system against launching applications from the user profile directory is a great way to prevent the ransomware payload from encrypting the files.

But I would like to say that the countermeasures that can be put in place in Windows internals to contain a ransomware infection are not exhaustive, because the defence measures should be reviewed regularly according to new threats and to the opportunities offered by the security products.

So it is necessary to implement multiple possible defences, and every countermeasure must be carefully considered before being implemented to avoid that, if it is bypassed, it can worsen the infection. For example, blocking the extensions was a good idea against the first versions of ransomware to block the execution of the malware code, but the latest versions first encrypt the files and then try to rename them, making the situation more complex.
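The following is an added illustration of the two points made in this thread by Wave (a known-extension database consulted when a process modifies a file and then renames it) and by tim one (recent ransomware encrypts first and renames afterwards, so an extension check can only fire after damage is done). It is example code written for this thread, not code from Microsoft, Windows Defender or any product named here. It assumes a hypothetical file-event feed with write and rename operations per process; the events, process names and extension strings are constructed placeholders, not real ransomware indicators.

```python
"""Toy modify-then-rename detector over a constructed file-event feed (example only)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed placeholders standing in for a database of extensions that are
# exclusive to specific ransomware families (Wave's idea). Not real indicators.
KNOWN_RANSOM_EXTENSIONS = {".hellothere_variantx", ".lockedbyvariant"}
# Generic extensions that legitimate tools also produce: a weaker signal, so we
# only alert on them after several renames (the false-positive caveat).
AMBIGUOUS_EXTENSIONS = {".encrypted", ".enc"}


@dataclass
class Event:
    ts: int          # monotonically increasing sequence number
    pid: int         # process that performed the operation
    image: str       # executable path of that process (hypothetical)
    op: str          # "write" or "rename"
    path: str        # file written, or old name for a rename
    new_path: str = ""  # new name for a rename


@dataclass
class ProcessState:
    written: set = field(default_factory=set)  # files this process has rewritten
    renamed_known: int = 0       # renames to an exclusive ransomware extension
    renamed_ambiguous: int = 0   # renames to a generic "encrypted" extension
    alerted: bool = False
    damaged_before_alert: int = 0  # files already rewritten when the alert fired


def ext_of(path: str) -> str:
    """Return the final extension of a path, lower-cased, or '' if none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def analyze(events, ambiguous_threshold: int = 3):
    """Correlate write-then-rename sequences per process and return {pid: ProcessState}.

    An alert is raised on the first rename to an exclusive ransomware extension,
    or after `ambiguous_threshold` renames to a generic one; damaged_before_alert
    records how many files the process had already rewritten at that moment,
    which is exactly the encrypt-first-then-rename problem tim one describes.
    """
    state = defaultdict(ProcessState)
    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.pid]
        if ev.op == "write":
            st.written.add(ev.path)
            continue
        # Only a rename of a file the same process modified counts as the pattern.
        if ev.op != "rename" or ev.path not in st.written:
            continue
        ext = ext_of(ev.new_path)
        if ext in KNOWN_RANSOM_EXTENSIONS:
            st.renamed_known += 1
        elif ext in AMBIGUOUS_EXTENSIONS:
            st.renamed_ambiguous += 1
        else:
            continue
        if not st.alerted and (st.renamed_known >= 1
                               or st.renamed_ambiguous >= ambiguous_threshold):
            st.alerted = True
            st.damaged_before_alert = len(st.written)
    return dict(state)


def build_sample_events():
    """Constructed sample feed: one ransomware-like process, one legitimate backup tool."""
    evs, t = [], 0
    bad = "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"  # placeholder path
    docs = [f"C:\\Users\\alice\\Documents\\report{i}.docx" for i in range(5)]
    for d in docs:                      # encrypt first: rewrite every document ...
        evs.append(Event(t, 4242, bad, "write", d)); t += 1
    for d in docs:                      # ... then rename them all afterwards
        evs.append(Event(t, 4242, bad, "rename", d, d + ".hellothere_variantx")); t += 1
    tool = "C:\\Program Files\\BackupTool\\backup.exe"  # placeholder path
    note = "C:\\Users\\alice\\Documents\\notes.txt"
    evs.append(Event(t, 7, tool, "write", note)); t += 1
    evs.append(Event(t, 7, tool, "rename", note, note + ".encrypted"))
    return evs


if __name__ == "__main__":
    for pid, st in analyze(build_sample_events()).items():
        print(f"pid {pid}: alerted={st.alerted} known={st.renamed_known} "
              f"ambiguous={st.renamed_ambiguous} damaged_before_alert={st.damaged_before_alert}")
```

Run on the constructed feed, the ransomware-like process is flagged on its first rename, but by then all five documents have already been rewritten (damaged_before_alert is 5), which is why this kind of check is a detection and containment signal rather than a prevention control; the backup tool's single rename to .encrypted stays below the ambiguous threshold and raises nothing.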
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@Wave: For sure WinAntiRansom may develop something related to the techniques which can create unique detections whenever any new strain of ransomware is created.

In the Windows 10 Update, of course the Enterprise edition would benefit, because of emerging threats that can attack business firms.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,404
"Browser hardening. Adobe Flash Player is a common browser plug-in that has been used by exploit writers to download ransomware, so we updated Microsoft Edge to run Flash Player in an isolated container."

Really really nice. Well done. Nice article. Thanks for sharing. Hopefully, they get to kill Adobe Flash as quickly as possible. Adobe doesn't seem to have much interest in really getting rid of it or doing something better to improve the security of their products.
 