Ransomware has become the most recognized network security threat in the world today, and technology vendors are releasing a growing arsenal of tools to help combat it. Earlier this year, Microsoft took the unprecedented step of releasing an update (MS17-010) for the Windows XP operating system. Though XP is no longer supported, this update was released to address a vulnerability that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. This known vulnerability was later exploited in the WannaCry and Petya outbreaks that infected thousands of devices over the past couple of months.
Just last week, Microsoft announced the release of a new anti-ransomware feature in its latest Windows 10 Insider Preview Build (16232). Microsoft currently plans to introduce this tool, along with other security features, in the upcoming Windows 10 Creator Update, which is expected in the fall of this year. The feature, called “Controlled Folder Access,” is designed to block unauthorized applications from creating new files or modifying existing files in important folders that have been designated as “protected.” This is achieved through the use of an application whitelist. If the app is not on the list, Windows Defender blocks its execution.
This is the same concept as Microsoft’s AppLocker feature, which has been available for a number of years on select Windows editions such as Enterprise and Education. AppLocker whitelists can be deployed through Group Policy to devices running a supported operating system. Those who subscribe to Microsoft Intune can import AppLocker policies into the Intune management interface via an XML file. With Controlled Folder Access, application whitelisting will be available for all Windows 10 computers through the Windows Defender Security Center. To access this feature currently:
Here the user can also add other folders besides the ones that are selected by default. These default folders are the ones typically targeted by ransomware. Last year, we wrote a blog post about how to protect these folders from unauthorized file creation by creating Software Restriction Policies, either locally or delivered through Group Policy or SCCM.
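The same protected-folder and whitelist settings can also be scripted with the Windows Defender PowerShell cmdlets. The following is an added example, not part of the original post: it turns the feature on in audit mode first, adds a folder and an allowed application, and then reviews the Defender event log before enforcement. It assumes an elevated session on a Windows 10 build that includes Controlled Folder Access; the folder and application paths are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: staged rollout of Controlled Folder Access (audit first, then enforce).

# Constructed sample values: replace with your own folder and trusted application.
$ExtraFolders = @('D:\Finance')
$AllowedApps  = @('C:\Program Files\ExampleBackup\backup.exe')

# 1. Audit mode: writes to protected folders are logged, nothing is blocked yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders on top of the defaults.
foreach ($folder in $ExtraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# 3. Whitelist applications that legitimately write to those folders.
foreach ($app in $AllowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing application: $app"
    }
}

# 4. Confirm what is now configured.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications | Format-List

# 5. After a trial period, review the events:
#    1124 = audited (would have been blocked), 1123 = blocked.
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$cfaEvents | Group-Object Id | Select-Object Name, Count
$cfaEvents | Select-Object -First 20 TimeCreated, Id, Message | Format-List

# 6. Once every legitimate application in the audit events is whitelisted, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running in audit mode first surfaces line-of-business applications that would otherwise be blocked the moment enforcement is switched on.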
There are a growing number of tools available to combat ransomware at the endpoint, but the truth is, it’s vital to stop ransomware before it gets to the device level. As rampant as ransomware is today, there are some concrete steps that an organization can take to effectively prevent an attack.
Following this proven model will allow you to quickly restore corrupted or lost data in the event of drive failure, disaster recovery, and of course, malware encryption.