Ransomware has grown into the most recognized network security threat in the world today, and technology vendors are releasing a growing arsenal of tools to help combat it. Earlier this year, Microsoft took the unprecedented step of releasing an update (MS17-010) for the Windows XP operating system. Though XP is no longer supported, this update was released to address a vulnerability that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. This known vulnerability later became the exploit used in the WannaCry and Petya outbreaks that infected thousands of devices over the past couple of months.
Just last week, Microsoft announced a new anti-ransomware feature in its latest Windows 10 Insider Preview Build (16232). Microsoft currently plans to introduce this tool, along with other security features, in the upcoming Windows 10 Creator Update, which is expected to be released in the fall of this year. The feature, called “Controlled Folder Access”, is designed to block unauthorized applications from creating new files or modifying existing files in designated “protected” folders that matter to the user. This is achieved through an application whitelist: if an app is not on the list, Windows Defender blocks its execution.
This is the same concept as Microsoft’s AppLocker feature, which has been available for a number of years on select Windows editions such as Enterprise and Education. AppLocker whitelists can be deployed through Group Policy to devices running a supported operating system. Subscribers to Microsoft Intune can import AppLocker policies into the Intune management interface via an XML file. With Controlled Folder Access, application whitelisting will be available on all Windows 10 computers through the Windows Defender Security Center. To access this feature today:
- Go to the Start menu and open the Windows Defender Security Center
- Go to the Virus & Threat Protection settings section
- Set the switch to On
Here the user can also add folders beyond the ones that are protected by default. These default folders are the ones typically targeted by ransomware. Last year, we wrote a blog post about how to protect these folders from unauthorized file creation by creating Software Restriction Policies, either locally or delivered through Group Policy or SCCM.
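The same configuration can be scripted instead of clicked through in the Security Center, which matters once you need it on more than a handful of machines. The following is an added example, not code from the original post or from Microsoft; it uses the Defender PowerShell cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and assumes an elevated session on a Windows 10 build that ships the feature. The folder paths and the application name are constructed, and the approach of starting in audit mode before enforcing is this example's own recommendation, not something the post describes.

```powershell
# Added example (not from the original post): manage Controlled Folder Access
# with the Windows Defender PowerShell module instead of the Security Center UI.
# Assumes an elevated PowerShell session on a Windows 10 build that includes
# the feature (Insider Preview 16232 or later). Paths and app name are constructed.

# 1. Start in audit mode: nothing is blocked, but every write that *would* have
#    been blocked is logged, so you learn what needs whitelisting before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add folders beyond the defaults (Documents, Pictures, etc. are already protected).
$extraFolders = @('D:\Finance', 'C:\Shares\Projects')   # constructed sample paths
foreach ($f in $extraFolders) {
    if (Test-Path $f) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
    }
}

# 3. Whitelist a line-of-business app that legitimately writes into those folders.
#    The full path to the executable is required; a bare file name is not enough.
$ledgerApp = 'C:\Program Files\Contoso\Ledger.exe'       # constructed sample path
if (Test-Path $ledgerApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $ledgerApp
}

# 4. Review what audit mode recorded. Defender writes to its Operational log;
#    event 1124 = write audited (would have been blocked), 1123 = write blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 5. Once the allow-list covers every legitimate writer, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders,
        ControlledFolderAccessAllowedApplications
```

Run the audit phase for long enough to cover a normal business cycle (backup jobs, month-end reports, application updaters) before flipping to Enabled; otherwise the first thing Controlled Folder Access blocks tends to be your own backup agent rather than ransomware.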
Stop ransomware well before it reaches the endpoint
There is a growing number of tools available to combat ransomware at the endpoint, but the truth is, it is vital to stop ransomware before it ever reaches the device. As rampant as ransomware is today, there are some concrete steps an organization can take to effectively prevent an attack.
- Email protection is paramount, as email continues to be the primary launching mechanism for ransomware. Ransomware distributors use embedded links and attachments to entice unsuspecting users into clicking them and launching the malware. Today’s email security solutions must do more than just stop spam. An email security solution today must also block and eradicate viruses, malware, infected attachments and links to malicious websites. Beyond ransomware, an email security solution will also protect your users from phishing and BEC attacks.
- Web filtering – Users can inadvertently download ransomware by visiting a site that launches malware or simply by browsing to a drive-by download site. Many sites are seeded with ransomware installation files deposited there by attackers. A modern web filtering solution protects your users’ Internet sessions in two ways. It first blocks access to known malicious or malware-infected sites. Then it passes all web traffic through a gateway antivirus.
- Patching and Updating – Keeping your operating systems, applications and web browsers patched and up to date is imperative. Had enterprises simply installed update (MS17-010) on their unsupported Windows devices, they could have escaped the damage that WannaCry inflicted on so many networks with legacy Windows devices. There is a reason vendors regularly release patches and updates for their customers. New zero-day vulnerabilities are continually being discovered, forcing developers to release patches to combat them as quickly as possible. Patching and updating is probably the most important routine task for any IT team.
- 3-2-1 Backup Model – Backing up your data is a critical part of protecting it. It is important to follow best practices when conducting regular backups so that they can be properly restored if that fateful day ever comes. The 3-2-1 model translates into the following practice:
  - Retain 3 copies of your data
  - Use 2 types of media for them
  - Keep 1 copy offsite at all times
Following this proven model will allow you to quickly restore corrupted or lost data after a drive failure, a disaster, and of course, malware encryption.
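The patching item above calls out MS17-010 and the SMBv1 exposure it closes. A practical follow-up on a Windows host is to verify that the update is installed and, where nothing legacy depends on it, that the SMBv1 server side is switched off altogether, so the host is not listening for the crafted messages the post describes even if a future patch is missed. The following is an added example, not code from the original post; it assumes an elevated session on Windows 10 or Server 2016 (for the SMB1Protocol optional feature) with the SmbShare module available. MS17-010 maps to a different KB number per OS version and the post does not list them, so the KB below is a placeholder to be replaced from the bulletin.

```powershell
# Added example (not from the original post): check and close the SMBv1 exposure
# addressed by MS17-010 on a single Windows host. Assumes an elevated session on
# Windows 10 / Server 2016 (SMB1Protocol optional feature, SmbShare module).
# The KB number is a PLACEHOLDER; MS17-010 ships as a different KB per OS version.

$report = [ordered]@{}

# Is the SMBv1 component installed at all? Absent on hosts where it was removed.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feat) { $feat.State } else { 'not present' }

# Is the SMB server still accepting SMBv1 dialects? This is the setting that matters
# for the remote-code-execution path the post describes.
$report['SMB1ServerEnabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Is the MS17-010 fix present? Replace the placeholder with the KB for this OS.
$ms17010Kb = 'KB<MS17-010 number for this OS version>'   # placeholder
$report['MS17010Installed'] = [bool](Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List

# Remediate: stop serving SMBv1. Do this only after confirming that no legacy
# clients (old NAS units, printers, XP hosts) still rely on it.
if ($report['SMB1ServerEnabled']) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMB1ServerEnabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 server disabled; EnableSMB1Protocol is now $($report['SMB1ServerEnabled'])"
}
```

Disabling the SMBv1 server side removes the attack surface regardless of patch level, which is why it is worth doing even on hosts that already have MS17-010; the patch check is still useful because it tells you whether the host was exposed during the window before you got to it.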
Are you an IT professional who wants to ensure sensitive data and devices are protected? Talk to a specialist or email us at firstname.lastname@example.org with any questions.