Ransomware In the fight against ransomware, Microsoft must do more

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,910
Not a day goes by that I don’t hear about some business or consultant affected by ransomware. Often, the incident starts with a phishing attack or from a vulnerability introduced by delayed patching. Or it could be a consultant tool that should have been coded better. Regardless of how it began, if you attempt to recover from a backup (assuming you have a viable one on hand) or pay the ransom and attempt to unencrypt your data, recovery will take time.

That’s time companies often don’t have.

Last week, the US government set up the Stopransomware website to help businesses, schools, and other organizations deal with ransomware attacks. Included in the guidance are recommendations regarding backing up:

“It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline, as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.

“Maintain regularly updated ‘gold images’ of critical systems in the event they need to be rebuilt. This entails maintaining image ‘templates’ that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.

“Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.

“In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.”

In general, the issue of backups is where I feel Microsoft is dropping the ball when it comes to encouraging best practices. To be fair, it does often have to tap dance carefully around the ecosystem of third-party options provided by a number of vendors.

Especially for small businesses and individual users, there’s a divide between the needs of large enterprises versus smaller firms. Large businesses can use such tools as Autopilot to quickly roll out images of new machines for deployment. If, say, a series of workstations is damaged by ransomware, various tools such as AutoPilot can be used to redeploy them. (Windows 11 fully supports AutoPilot and even provides options to join Azure AD in an easy manner.)

For small businesses, Microsoft’s idea of ransomware includes Controlled folder access. Controlled folder access ensures that the following folders are protected from ransomware:

c:\Users\<username>\Documents
c:\Users\Public\Documents
c:\Users\<username>\Pictures
c:\Users\Public\Pictures
c:\Users\Public\Videos
c:\Users\<username>\Videos
c:\Users\<username>\Music
c:\Users\Public\Music
c:\Users\<username>\Favorites

But there’s a catch. This only works when Windows Defender is your main antivirus. If you use any other third-party vendor for antivirus protection, you won’t be able to use this feature.

The next thing Microsoft offers up for ransomware data recovery is to offload files to OneDrive. Unless you have a premium OneDrive account, you’ll be limited as to how much room you have to sync files.

The fly in the ointment
You can see the flaw in these offerings: They don’t urge users to make a gold image of their critical systems. To a home user, or a small business, every desktop is a critical system. Yet Microsoft over the years has moved away from stressing backups to push syncing with cloud services. Show me a small business computer and I guarantee I’ll find some software installed for which you can no longer find the product keys, the software installation file, the installation CD, or lately, a key download from Microsoft’s download servers that’s been removed because it was code-signed with an SHA-1 signature.

Having an exact image of what I have on my computer right now is a key way to ensure I’m protected from ransomware. Yet, Microsoft is moving away from tools to provide this with Windows 11.

Don’t get me wrong. I see cloud storage as a secure way to have yet another set of key files. But if I’ve been hit with ransomware and I need to recover files, it’s going to take hours — if not days — to pull it down from the cloud. Even if I do pay the ransomware and get the key to unencrypt my data, it will still take hours, if not weeks, to undo the damage.

Most small businesses I know don’t run from the cloud or have weeks to recover from attacks. They typically have one or two key servers that provide key needs that can’t be replicated in cloud offerings at this time. There will probably be a time when all of my small business software offerings will be in the cloud and I no longer need a local server, but today is not that day. Even larger businesses are still very much dependent on our active directory domain infrastructure.

How to make a ‘gold image’
In Windows 10, to prepare a gold image you have to use a deprecated backup tool left over from Windows 7 — the System Image Backup tool. To enable the tool, go to Settings, then click on Update & Security, then click on Backup. Under the "Looking for an older backup?" section, click the Go to Backup and Restore (Windows 7) option.

What are your options in Windows 11? Under Accounts>Windows backup, you’re prompted to set up OneDrive folder syncing, to remember my apps across my devices, and to remember my preferences across all of my devices. But many users have one – and only one – Windows computer; there is no other device to recover to unless you purchase another PC. Your other option is to save files to another drive. Once again, you have to rely on deprecated software(hiding in an old control panel setting) that Microsoft no longer supports to have an image of your computer as recommended as by the US government ransomware guidance.

Once upon a time, Microsoft specifically designed software for small businesses. In its first iteration of software for SMBs, the company included a wizard to set up backups because many firms forgot to do so. That setup included a notification email showing whether a backup was successful or failed. In a later project geared toward home users, Microsoft built a wizard that not only backed up everything, but easily set up workstation backups for each computer joined on the peer-to-peer network.

Now, the built-in options are either backup to the cloud or make copies of files. Like Windows 10, options are limited. Microsoft says Windows 11 will be the most secure platform ever. But we need to take a step back and ensure that Windows 11 can be easily recovered. We know attackers will find new ways to launch attacks. So, ensuring we can recover means we can deal with anything.

Microsoft can do better than this. Recovery from ransomware should be Job 1 right now. In the meantime, join us at Askwoody.com as we discuss the various ways to backup our machines. It’s too important to wait for Microsoft to act, so make sure you plan ahead and know your options.
 

rain2reign

Level 5
Jun 21, 2020
247
Can ransomware encrypt user's encrypted folder or file?
Yes. To the ransomware algorithm it's nothing more than a file or folder, it won't care about encryption. It just sees a file, folder or block of digits that can be moved, renamed etc... You can encrypt an encrypted folder 900 times over manually if you wish. It is like adding a lock, on top off a lock while locking those locks over and over and over until you get tired of collecting the individual keys.
 
Top