Threat management and protecting against ransomware attacks
Ransomware attacks are on the rise. A recent post on the Microsoft Malware Protection Center blog details new attacks that occurred during the holidays at the end of 2016. Ransomware prevents you from using your PC and holds your PC or files for "ransom." Every such attack makes it abundantly clear that a company must rethink how it plans, deploys, and implements endpoint protection.
Companies can get ahead of these attacks by moving to a preparation-based strategy. Executives (CIOs, CISOs, IT directors) should use the business impact of ransomware attacks to make the case for the resources needed to improve security operations at every stage of an ever-changing security architecture.
In this post, I'll cover the Microsoft services that protect against ransomware threats, and share the resources you can use to educate users about identifying ransomware, as well as best practices for proper cybersecurity.
What is ransomware?
While there are different types of ransomware, all of them will prevent you from using your PC normally and will ask you to do something before you can get access to your PC. Ransomware attacks can target any PC user, whether on a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider.
Ransomware can disable critical business systems and make your files unavailable. You'll receive a demand that you pay money (a ransom) to get access to your PC or files. There is no guarantee that paying the ransom or doing what the ransomware tells you to do will restore access to your PC or files. Once files are encrypted, they are virtually impossible to recover without the attacker's key or a clean backup.
Throughout 2015, the average number of ransomware infections fluctuated between 23,000 and 35,000 per month, according to this Symantec report. The spike to 56,000 infections in March 2016 coincided with the arrival of the new ransomware Locky, distributed primarily by the Necurs botnet, which is one of the largest networks of infected computers in the world.
Microsoft threat management
Microsoft threat management includes protection from both malicious software and attacks against systems and networks. Microsoft products and services, including Microsoft Azure, Office 365, Enterprise Mobility + Security, and Windows 10, have built-in protection features. These security technologies and practices apply best-in-class machine and human analysis to detect advanced threats while a user is under attack (known exploits, zero-days, suspicious actors), to detect compromised systems (malware and persistent implants, other indicators of compromise, new threats), and to respond while a user is vulnerable. Out-of-date or unpatched applications and systems, and unauthorized apps, introduce high risk.
Microsoft Operations Management Suite
Microsoft Operations Management Suite (OMS) provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in OMS. It provides high-level insight into the security state of your computers and can flag outbound network traffic headed for a known malicious location. Additionally, the Wire Data solution lets you analyze, by protocol, volume, and IP address, the data being moved off your network.
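As an added example (not from the original post and not OMS code), the PowerShell script below runs that same analysis over a handful of constructed connection records: it totals outbound bytes by protocol and remote IP, marks destinations that appear on a constructed indicator list, and flags any single destination receiving an unusual volume. The field names mirror those of Wire Data records and are an assumption, as are the 500 MB threshold and the legacy OMS search query shown in the comment.

```powershell
# Constructed sample of connection records shaped like Wire Data fields
# (Computer, Direction, ProtocolName, RemoteIP, TotalBytes). The field names,
# the addresses and the threat list are assumptions for this example.
$records = @(
    [pscustomobject]@{ Computer='WS-017';  Direction='Outbound'; ProtocolName='TCP'; RemoteIP='203.0.113.45'; TotalBytes=2400 },
    [pscustomobject]@{ Computer='WS-017';  Direction='Outbound'; ProtocolName='TCP'; RemoteIP='198.51.100.9'; TotalBytes=734003200 },
    [pscustomobject]@{ Computer='WS-022';  Direction='Outbound'; ProtocolName='UDP'; RemoteIP='203.0.113.45'; TotalBytes=512 },
    [pscustomobject]@{ Computer='WS-022';  Direction='Inbound';  ProtocolName='TCP'; RemoteIP='192.0.2.10';   TotalBytes=9000 },
    [pscustomobject]@{ Computer='SRV-FS1'; Direction='Outbound'; ProtocolName='TCP'; RemoteIP='192.0.2.10';   TotalBytes=41000 }
)
$maliciousIPs         = @('203.0.113.45')   # stands in for a threat-intelligence feed
$egressThresholdBytes = 500MB               # assumption: flag a single destination above this

# The same aggregation in the OMS Log Search of the time (assumed legacy syntax):
#   Type=WireData Direction=Outbound | measure sum(TotalBytes) by RemoteIP

function Get-EgressSummary {
    param([object[]] $Records, [string[]] $KnownBad)
    # Only traffic leaving the network matters for exfiltration and C2 review.
    $Records | Where-Object Direction -eq 'Outbound' |
        Group-Object ProtocolName, RemoteIP |
        ForEach-Object {
            [pscustomobject]@{
                Protocol   = $_.Group[0].ProtocolName
                RemoteIP   = $_.Group[0].RemoteIP
                TotalBytes = ($_.Group | Measure-Object TotalBytes -Sum).Sum
                Sources    = ($_.Group.Computer | Sort-Object -Unique) -join ','
                KnownBad   = $KnownBad -contains $_.Group[0].RemoteIP
            }
        } | Sort-Object TotalBytes -Descending
}

function Get-EgressAlerts {
    param([object[]] $Summary, [long] $ThresholdBytes)
    foreach ($d in $Summary) {
        # Any contact with a listed destination is an alert, whatever the volume.
        if ($d.KnownBad) {
            "Known-bad destination $($d.RemoteIP) contacted over $($d.Protocol) by $($d.Sources)"
        }
        # Large transfers to an unlisted destination are worth a look as well.
        if ($d.TotalBytes -ge $ThresholdBytes) {
            "Large egress: $([math]::Round($d.TotalBytes / 1MB)) MB to $($d.RemoteIP) from $($d.Sources)"
        }
    }
}

$summary = Get-EgressSummary -Records $records -KnownBad $maliciousIPs
$summary | Format-Table Protocol, RemoteIP, TotalBytes, Sources, KnownBad -AutoSize
Get-EgressAlerts -Summary $summary -ThresholdBytes $egressThresholdBytes
```

On the sample data this yields two known-bad alerts for 203.0.113.45 (TCP from WS-017, UDP from WS-022) and one large-egress alert for 198.51.100.9. The inbound record is ignored by design; in a real deployment the records would come from the Wire Data solution and the indicator list from a maintained feed rather than a literal.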
Azure Backup is a simple and cost-effective backup-as-a-service solution that extends tried-and-trusted on-premises tools with rich and powerful tools in the cloud. It can help a customer recover data that has been encrypted by ransomware, provided the backup copies were not themselves reachable from the infected machine.
Microsoft Office 365
Advanced Threat Protection
Provides robust protection against zero-day malicious attachments (Safe Attachments detonates unknown attachments in a sandbox before delivery) and real-time protection of users against harmful links (Safe Links rewrites URLs so they are checked at click time).
Advanced Security Management
With Advanced Security Management, you get alerts that you can set up by using policies to notify you about anomalous and suspicious activity. And you can also get Productivity App discovery, which lets you use the information from your organization's log files to understand and act on your users' app usage in Office 365 and other cloud apps.
Microsoft Edge web browser
Keeping browsers and other software up to date can counter the impact of exploit kits. Microsoft Edge is a secure browser that is updated automatically by default. It also has multiple built-in defenses against exploit kits that attempt to download and install malware, including on-by-default sandboxing and state-of-the-art exploit mitigation technologies. Additionally, Microsoft SmartScreen, which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages such as the landing pages used by exploit kits.
Windows Defender uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.
Windows 10 Enterprise includes Device Guard, which can lock down devices by allowing only trusted, signed code to run and which protects the kernel with virtualization-based security.
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.
When combined, the technologies and practices built into Microsoft products provide comprehensive protection from ransomware attacks. But one of the best ways to protect against ransomware is to educate users about these threats and how to prevent them.
- Threat management on the Microsoft Trust Center
- Microsoft Malware Protection Center blog
- How to recognize phishing email messages, links, or phone calls
- Windows 10 security overview
- Enhanced Mitigation Experience Toolkit
- Windows Server Update Services
- Securing Privileged Access
- Office 365 Exchange Online Advanced Threat Protection
- Office 2016 Internet Macro Blocking
- Office 2013 VBA Macro Blocking (blocks all macros)
- System Center Endpoint Protection / Windows Defender with Microsoft Active Protection Service
- Reporting ransomware to the FBI
- 10 tips to protect your files from ransomware
- Surviving ransomware: Lessons from IT Pros Who Didn't Pay
- Application whitelisting with AppLocker
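The two macro-blocking items above can be applied outside Group Policy for testing by writing the Office policy registry values directly. This is an added example rather than Microsoft's own guidance: it assumes Office 2016 (registry version 16.0) or Office 2013 (15.0), writes per-user policy keys under HKCU, and in production the same values should be deployed through the Office ADMX templates.

```powershell
# Office applications to harden; the policy keys live per user under
# HKCU\Software\Policies, which is where Group Policy writes them too.
$officeApps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet('15.0', '16.0')] [string] $Version = '16.0',   # 15.0 = Office 2013, 16.0 = Office 2016
        # VBAWarnings: 2 = disable with notification (the Office default a user can click through),
        # 3 = disable except digitally signed macros, 4 = disable all without notification.
        # 1 (enable all macros) is the weak setting and is deliberately not accepted here.
        [ValidateSet(2, 3, 4)] [int] $VbaWarnings = 4,
        [bool] $BlockInternetMacros = $true
    )
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VbaWarnings -Type DWord
        if ($Version -eq '16.0') {
            # Office 2016 only: block macros in files carrying the Internet zone
            # mark-of-the-web, regardless of the VBAWarnings level.
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -Value ([int]$BlockInternetMacros) -Type DWord
        }
    }
}

function Get-OfficeMacroPolicy {
    param([ValidateSet('15.0', '16.0')] [string] $Version = '16.0')
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings
            BlockInternetMacros = $p.blockcontentexecutionfrominternet
            # No policy value means the user's own Trust Center choice applies;
            # treat that as unmanaged.
            Managed             = $null -ne $p.VBAWarnings
        }
    }
}

# Weak state many estates start from: no policy, users left with the "Enable Content" bar.
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Corrected state: signed macros only, plus Internet blocking for Office 2016.
Set-OfficeMacroPolicy -Version '16.0' -VbaWarnings 3 -BlockInternetMacros $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

The policy hive overrides whatever the user picks in the Trust Center, so the second Get-OfficeMacroPolicy call should show every application as managed. Office 2013 does not read blockcontentexecutionfrominternet, which is why the function only writes it for 16.0; for Office 2013 the list item's "blocks all macros" corresponds to VBAWarnings = 4.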
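AppLocker whitelisting, the last item in the list above, is usually rolled out in audit mode first. The following PowerShell sequence is an added example, not Microsoft's own script: it assumes an elevated session on a reference workstation whose Program Files directories contain only approved software, uses C:\Temp as a placeholder for the policy file, and writes a throwaway script into the user's Downloads folder as a probe.

```powershell
# Assumptions: elevated session on a clean reference workstation; paths are placeholders.
$auditPolicyPath = 'C:\Temp\AppLocker-Audit.xml'
$referenceDirs   = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'

# 1. Inventory executables, libraries, scripts and installers in the approved
#    locations (C:\Windows is large; expect this step to take a while).
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Publisher rules for signed files, hash rules for the rest; -Optimize collapses
#    files from the same publisher into one rule.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Pilot in audit mode: nothing is blocked yet, but the log records what would be.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($auditPolicyPath)

# 4. Dry-run a file a phished user might double-click. The probe script is unsigned
#    and has no hash rule, so PolicyDecision should come back Denied.
$probe = "$env:USERPROFILE\Downloads\invoice.ps1"
Set-Content -Path $probe -Value 'Write-Host "probe"'
Test-AppLockerPolicy -XmlPolicy $auditPolicyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (use -Ldap to target a GPO instead) and make sure the Application
#    Identity service, which AppLocker depends on, starts with the machine.
Set-AppLockerPolicy -XmlPolicy $auditPolicyPath
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. After the pilot, review what would have been blocked (event 8003; 8004 means
#    actually blocked once enforcement is on) before switching EnforcementMode to 'Enabled'.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Two caveats a pilot will surface: hash rules stop matching as soon as the file is updated, so prefer publisher rules wherever software is signed and plan to regenerate after patch cycles; and a publisher rule follows the signature rather than the path, so a signed binary copied into a user-writable folder is still allowed. Keep an allow rule for administrators so the policy cannot lock you out while you tune it.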