Ransomware has taken the world by storm this year, costing millions for businesses around the world. In the last 12 months alone, the number of ransomware variants spotted in the wild has more than doubled. As its prevalence has increased, so has the complexity of the attacks, and new ways to defend against them have been developed. Microsoft have been known to take the ransomware threat very seriously, even releasing a security patch for the long obsolete Windows XP operating system in the wake of the infamous WannaCry attack back in May. With the realease of the Windows 10 Creators Update (build 1703), now there are even more features built right in to the OS that can prevent and protect against ransomware. In fact, it’s so secure that Microsoft claim no Windows 10 devices were affected by WannaCry.
The Creators Update of Windows 10 is Microsoft’s most secure operating system yet, containing many anti-ransomware features
Miscrosoft’s Edge browser, designed for Windows 10, has received several new security features. One of the important features new to Edge is how it handles Flash, a plugin known to be targeted by cyber criminals looking for vulnerabilities. If a site attempts to use Flash, Edge now prompts users to allow or disallow it to run. This helps protect against ransomware strains that rely on Flash automatically running, ensuring users only run Flash content they desire. When a user does allow Flash to run, Edge opens the page within an app container sandbox, adding a layer of separation from the rest of the machine and ensuring that the system is not affected by malicious web content.
Windows Defender Antivirus
Windows Defender AV is built into Windows 10 and automatically blocks most ransomware and other malicious programs at first sight, using “client-based machine learning models, behavioural analysis, and generic and heuristic-based detections”. In the Creators Update, Defender AV can suspend those suspicious files from running until it can verify it against a cloud protection service, where the file is evaluated using advanced techniques in a controlled detonation chamber. Critically, files can now be determined as malicious or safe within seconds, and any programs found to contain malicious code are flagged as such to the cloud database within minutes.
Another feature introduced in Windows 10, Device Guard is a virtualisation-based lockdown security feature. It protects devices by preventing threats like ransomware from running, limiting their impact even if they manage to get on the device. It works by only allowing apps to run that are authorised by the company. Device Guard can also be used to control applications and control whether specific plug-ins, add-ins and modules can run from specific apps, reducing the attack surface for malware to embed itself in. Device Guard is only available for Windows 10 version Enterprise E3 and up.
Improved detection for script-based attacks
Ransomware attacks are often initiated using JS and VBS script-based malware, particularly in the last two years. Cyber criminals use these malicious scripts to obfuscate the characteristic data and evade detection. These techniques have evolved to the point where malicious code can be dynamically built, resulting in malware that does not even get saved to the disk. To combat this, the Creators Update has a feature called Antimalware Scan Interface (AMSI), which executes during strategic points in JS or VBS scripts. This allows providers to inspect content via ASMI, enabling them to identify and detect malicious code, effectively bypassing the obfuscation techniques used by the malware to hide its code. ASMI is utilised by Windows Defender AV in order to detect and block malware from downloading malicious scripts files and executing ransomware.
Enhanced behavioural analysis & Wow64 compatibility scanning
Microsoft has baked a slew of new features into the Creators Update, including enhanced behavioural analysis to remediate ransomware infection and limit ransomware activity from minutes to seconds. This is achieved by improving Windows Defender AV’s behavioural engine, allowing it to track malware across multiple processes and block even malware which separates its attack into multiple stages, a technique previously used to bypass antivirus software. Another feature introduced into Windows 10 is a process-scanning feature that uses the Wow64 compatibility layer, enabling it to better inspect system interactions of 32-bit applications running on 64-bit operating systems.
Advanced Threat Protection
Windows Defender AV’s Advanced Threat Protection (ATP) capabilities have been enhanced with more advanced behavioural and machine learning detection libraries across the ransomware infection process. These improvements aim to identify patient zero as quickly as possible, through the ability to hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviours, machines and users. This can be done immediately by searching the organisation’s cloud inventory, which covers even machines that are offline, have been reimaged or no longer exist – for up to six months back in time. Advanced Threat Protection is only available for Windows 10 version Enterprise E5.
With cyber crime on the rise, security has become a major concern for businesses, and Microsoft have recognised this. Windows 10 was designed to be their most secure platform yet, and they are continuing to harden it against even the most advanced malware and hacking techniques. The Creators Update is the next-generation in terms of its ability to protect, detect and respond to ransomware threats. In contrast, Windows 7 was the OS hit hardest by recent ransomware attacks, as it lacks these sophisticated features. Ransomware aside, there are high profile hackings happening on an increasingly frequent basis, with no business too big or too small to be targeted. It may be time for companies to say goodbye to Windows 7 and take advantage of the advanced security suite available in Windows 10.
Note: Some of these features may require specific versions of the Windows 10 OS, such as Pro or Enterprise editions. For a full comparison of security features available for Windows 10, please see this Microsoft Comparison Table.