Can Windows 10 detect ransomware?

Ransomware is a type of malicious software that encrypts files on a computer and demands payment to decrypt them. Ransomware attacks have become increasingly common in recent years, affecting individuals, businesses, hospitals, and government agencies. As ransomware has grown more sophisticated, Microsoft has introduced new security features in Windows 10 aimed at detecting and stopping ransomware.

How does ransomware infect computers?

Ransomware typically spreads through phishing emails containing infected attachments or links. When a user opens the attachment or clicks the link, the ransomware installer is downloaded onto their computer. It then encrypts files on the computer’s hard drive as well as mapped network drives and external storage devices like USB drives. Once files are encrypted, the ransomware displays a ransom note demanding payment, often in the form of cryptocurrency like Bitcoin. If the ransom is not paid, the attackers threaten to delete the encryption key, making it impossible to access files.

What capabilities does Windows 10 have to detect ransomware?

Windows 10 has a number of native security tools that can assist in detecting potential ransomware infections or blocking them before encryption occurs:

  • Windows Defender Antivirus – Windows 10 ships with Microsoft Defender Antivirus built in. It uses AI and machine learning to identify malware and potentially unwanted applications. Defender can detect many strains of ransomware based on known behaviors and block them from running.
  • Windows Defender Application Control – This feature allows only trusted applications defined in your code integrity policies to run. Any unsigned code or unexpected executables will be blocked. This prevents untrusted programs like ransomware from launching.
  • Windows Defender Firewall – The built-in firewall monitors network connections for suspicious activity associated with ransomware infections and blocks traffic accordingly.
  • Windows Defender Exploit Guard – This set of intrusion prevention capabilities includes attack surface reduction rules to prevent ransomware from leveraging exploits and malicious behaviors.
  • Controlled Folder Access – This feature allows only authorized apps to access files in specified protected folders like Documents, Pictures, etc. Ransomware is blocked from modifying content in these folders.

How can Controlled Folder Access help block ransomware?

Controlled Folder Access, introduced in the Windows 10 Fall Creators Update, is designed specifically to counter ransomware attacks. When enabled, it allows only approved apps to make changes to files in certain protected folders. Protected folders include:

  • Documents
  • Pictures
  • Movies
  • Desktop

If ransomware attempts to encrypt or modify files in these folders, Controlled Folder Access will block the unauthorized changes. Administrators can customize the list of protected folders as needed. The feature ensures that only trusted software like Office apps or photo editors can alter files, while suspicious applications are prevented from accessing critical data.

What are the limitations of Windows 10’s ransomware protections?

While Windows 10 provides some strong defenses against ransomware, there are some limitations to be aware of:

  • New or unknown strains of ransomware may not be detected if they use techniques not recognized by Microsoft’s threat intelligence.
  • Systems must be kept up-to-date with the latest Windows security patches and definitions for maximum protection.
  • Defender Antivirus must be enabled and running – third-party antivirus solutions minimize Defender’s effectiveness.
  • Users can be tricked into disabling some protections or allowing ransomware file access.
  • Controlled Folder Access only protects default Windows folders – it must be proactively extended to cover additional folders.
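
Enabling Controlled Folder Access, extending it beyond the default folders, and allowing a trusted app can all be done from PowerShell. The following is an added example, not configuration from the original article; the folder and application paths are placeholders, and it assumes an elevated session on Windows 10 with the Defender module available.

```powershell
# Added example (not from the original article): enable Controlled Folder Access,
# extend it beyond the default folders, allow a trusted app, and verify the result.
# Requires an elevated PowerShell session on Windows 10. All paths are placeholders.

# Start in audit mode: writes that would be blocked are logged (event 1124)
# but not stopped, which surfaces legitimate apps that still need allow-listing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Extend protection to folders the default list does not cover.
# Local folders, mapped drives and network shares can all be added.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', '\\fileserver\Shared\Contracts'

# Allow a trusted line-of-business application to write to protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ContosoLedger\ledger.exe'

# Review audit events in the Defender operational log before enforcing.
# 1124 = would have been blocked (audit mode); 1123 = blocked (enforced).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Switch to enforcement once the allow list is complete.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Leave audit mode running for at least one full business cycle so that infrequently used applications (month-end reporting, backup agents) show up in the 1124 events before you enforce.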

What additional steps can be taken to detect ransomware?

Along with leveraging built-in Windows 10 protections, organizations should take these steps to bolster ransomware detection and prevention:

  • Enable and monitor Windows Event Logging to look for signs of ransomware activity.
  • Install endpoint detection and response (EDR) tools that provide behavioral analysis to identify ransomware.
  • Regularly backup critical data offline so it can be restored after an attack.
  • Keep software, the OS, and security tools patched and up to date across all devices.
  • Educate employees on ransomware prevention best practices.
  • Limit user permissions to reduce the ability of ransomware to spread and infect.

What Windows Event Logs can reveal ransomware activity?

These key Windows Event Logs can provide indications of potential ransomware infection:

Event Log – Suspicious Activities

  • Application Log – Errors related to a process failing to access files or performing read/write operations.
  • Security Log – Logon failures, access request errors, privileged use, process creation, etc.
  • System Log – Detection of scripts, system restores, Windows Defender actions, driver and library loads, etc.

Monitoring logs from a centralized SIEM can help correlate events across systems and detect ransomware campaigns early. IT should establish baselines of normal activity to more easily spot anomalies that could signal an attack.
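
One anomaly worth baselining from the Security log is a single process writing to or deleting an unusually large number of distinct files in a short window, the pattern mass encryption leaves behind. The function below is an added example, not from the original article; it assumes "Audit File System" (event 4663) is enabled and the watched folders carry a SACL, and the threshold is an assumed starting value to be tuned against your own baseline.

```powershell
# Added example (not from the original article): flag any process that touched
# more than $Threshold distinct files (write or delete access) in the last
# $Minutes minutes, based on Security event 4663. Assumes object-access auditing
# and a SACL on the monitored folders; the threshold is an assumed starting value.

function Find-MassFileModification {
    param(
        [int]$Minutes   = 10,
        [int]$Threshold = 200   # distinct files per process; baseline this per site
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $since
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Process = $d['ProcessName']
            User    = $d['SubjectUserName']
            File    = $d['ObjectName']
            Mask    = [int]$d['AccessMask']   # hex string such as 0x2 converts directly
        }
    } |
    # 0x2 = WriteData/AddFile, 0x10000 = DELETE: both show up during encryption.
    Where-Object { ($_.Mask -band 0x2) -or ($_.Mask -band 0x10000) } |
    Group-Object Process |
    ForEach-Object {
        $files = ($_.Group.File | Sort-Object -Unique).Count
        if ($files -ge $Threshold) {
            [pscustomobject]@{
                Process       = $_.Name
                User          = $_.Group[0].User
                DistinctFiles = $files
                WindowMinutes = $Minutes
            }
        }
    }
}

# Run against the local Security log; forward the same logic to the SIEM for fleet-wide use.
Find-MassFileModification -Minutes 10 -Threshold 200 | Format-Table -AutoSize
```

Expect backup agents, indexers and sync clients to trip a naive threshold; record them during the baselining period and exclude by process path rather than lowering the bar for everything else.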

How can restricting file permissions limit ransomware?

Ransomware seeks to propagate through file systems and encrypt as many files as possible. Limiting user permissions can slow or stop ransomware infection:

  • Use least privilege – restrict users to only the file/folder access they absolutely need.
  • Limit Write and Modify permissions to prevent changes to files.
  • Make users Read Only on key folders like Documents and Pictures.
  • Disable inheritance on sensitive folders to prevent permissions passing down from parents.
  • Assign Modify only at the folder root level, not on subfolders, to stop new files from being created further down.

Combining permissions with Controlled Folder Access ensures users can only read or modify content via allowed apps. Ransomware will be blocked from making any changes even if it manages to run on a system.
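
The permission pattern above (disable inheritance, read-only beneath the folder, Modify on the root only) can be applied with PowerShell's ACL cmdlets. This is an added example, not from the original article; the folder path and group name are placeholders, and it assumes an elevated session on a machine where the group can be resolved.

```powershell
# Added example (not from the original article): apply the least-privilege pattern
# to a sensitive folder. $Folder and $Group are placeholders; run elevated and
# test on a copy of the data before touching production shares.

$Folder = 'D:\Shared\Contracts'      # placeholder
$Group  = 'CONTOSO\ContractsUsers'   # placeholder

# 1) Disable inheritance. ($true, $true) copies the inherited entries as explicit
#    ones so nobody is locked out while the rules are rebuilt.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# 2) Re-read and drop every existing entry for the group, then rebuild explicitly.
$acl = Get-Acl -Path $Folder
[void]$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)

# 3) Read-only (ReadAndExecute) for the group on everything beneath the folder.
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'ReadAndExecute',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($readRule)

# 4) Modify on the folder object only (no inheritance flags = "This folder only"),
#    so files and subfolders below it keep the read-only rule from step 3.
$rootRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'None', 'None', 'Allow')
$acl.AddAccessRule($rootRule)

Set-Acl -Path $Folder -AclObject $acl

# Verify: show the explicit (non-inherited) rules now in effect on the folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Check the resulting ACL with a test account in the group: it should be able to open files under the folder but receive "Access is denied" when saving changes or creating files in a subfolder.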

Should all third-party antivirus tools be removed?

Microsoft recommends excluding third-party antivirus products from systems using Windows Defender Antivirus for maximum ransomware protection. This is because Windows Defender and third-party antivirus cannot run side-by-side without conflicts. However, organizations should carefully test Defender’s capabilities before removing established antivirus software completely. The best solution may be:

  • Assess capabilities of Defender versus third-party antivirus using testing scenarios.
  • Determine if Defender can adequately replace the protection provided by existing antivirus.
  • Gradually roll out Defender across specific systems, monitoring for issues.
  • Only remove third-party antivirus once confident in Defender’s protection.

Defender may provide sufficient ransomware defense for many organizations. But broader threat detection or specialized features like application controls may still warrant keeping third-party antivirus, while excluding it from Defender protected systems.

How can users be educated to prevent ransomware infections?

End user education is crucial to limiting ransomware infections. Training should focus on high-risk activities including:

  • Identifying phishing emails used to deliver ransomware.
  • Avoiding clicking links and opening attachments from unknown senders.
  • Using caution with public WiFi networks that can facilitate attacks.
  • Ensuring software, OS, and security tools stay patched and updated.
  • Enabling multi-factor authentication wherever available.
  • Backing up data regularly to offline, encrypted storage.
  • Watching for warning signs such as being unable to access files, renamed files, or ransom notes.
  • Promptly reporting potential infections to IT.

Simulated phishing exercises combined with engaging training content like videos and quizzes will empower users to make smart security decisions and provide a last line of defense against ransomware.

Should organizations pay the ransom if infected?

Paying ransom demands is generally not recommended for several reasons:

  • There is no guarantee files will be recovered – attackers may simply take the money.
  • It encourages more attacks by funding criminal operations.
  • There are often alternative ways to recover encrypted files without paying.
  • It may violate laws or regulations prohibiting payments to sanctioned entities.
  • It signals the organization is an easy target willing to pay more in the future.

The FBI and cybersecurity experts caution that paying ransoms should only be a last resort. Focus should be on preventing infections through security controls like those in Windows 10 and regularly backing up critical data offline. If ransomware does strike, contact law enforcement immediately. They may be able to assist recovering files without paying the criminals.

Conclusion

Windows 10 provides advanced native tools that serve as a first line of defense against ransomware attacks. Features like Windows Defender Antivirus, Controlled Folder Access, and Windows Defender Firewall prevent infections from taking hold and spreading. Training users on threats and leveraging strong technical controls minimize the organization’s risk. While no single solution can guarantee stopping all ransomware, smart investments in layered security on Windows 10 provide robust protections against malicious encryption efforts.