Archive

Archive for May, 2016

Security baseline for Windows Server 2016 Technical Preview 5 (TP5)

May 27th, 2016 No comments

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical Preview 5 (TP5). The final version of Windows Server 2016 will differ from the TP5 pre-release, and this security guidance will change as well. Both TP5 and this guidance are offered for evaluation purposes and we look forward to your feedback.

Download the content here: Server 2016 Beta.zip

Our Windows 10 guidance differed dramatically from our past Windows client baselines (as described here), and our evolving Windows Server guidance is following suit. In addition to the changes described in that blog post, there are a few additional differences between this new guidance and both the Windows Server 2012 R2 guidance and the Windows 10 TH2 guidance:

  • Advanced Auditing setting for Account Lockout changed from Success to Success+Failure. We will also make this change in the next revision of our Windows 10 guidance. This change is needed so that account logon failures are audited when the failure reason is that the account is locked out.
  • Some settings not relevant to Windows Server, such as Wi-Fi Sense, are omitted.
  • BitLocker is not included in the Windows Server baseline.
  • Internet Explorer is introducing a new Group Policy control, “Allow only approved domains to use the TDC ActiveX control.” We are enabling that setting in the Internet and Restricted Sites zones. We will also make this change in the next revision of our Windows 10 guidance, where it will be more important.
  • Reverted “Apply local firewall rules” and “Apply local connection security rules” to Not Configured for the Public firewall profile, enabling organizations to make their own decisions. This is a difference from the Windows 10 guidance. Internet-facing servers have varied purposes and there is a greater need for flexibility in these settings than for Windows client.
  • Removed the recommendations for specific values in the User Rights Assignments “Replace a process level token” and “Adjust memory quotas for a process.” The defaults are good and the settings are unlikely to be abused for nefarious purposes. Also, during installation some products need to grant these rights to product-specific accounts, and later break when a Group Policy reverts them back to the Windows defaults. We will also make this change in the next revision of our Windows 10 guidance.

This baseline is designed for the Member Server scenario. The final version will also include a baseline for Windows Server 2016 Domain Controller. In addition to the differences between the Member Server and DC baselines for Windows Server 2012 R2 (*), the differences for Windows Server 2016 DCs will include:

  • Do not apply the LAPS setting, “Enable local admin password management,” to DCs.
  • The “Hardened UNC Paths” setting should not be applied to DCs.

(*) You can review the differences between these baselines using Policy Analyzer.
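As an added example, not part of the Microsoft baseline package or the post, the following PowerShell spot-checks a member server against the differences listed above (audit subcategory, Public profile merge settings, the two un-pinned user rights, and the two settings that must not reach a DC). The registry locations used for LAPS (AdmPwdEnabled) and Hardened UNC Paths, and the privilege constants SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege for the two user rights, are assumptions about where those policies are stored and are not taken from the post. Run it in an elevated session on the server being evaluated.

```powershell
# Added example (not from the Microsoft baseline package): spot-check a Windows
# Server against the TP5 baseline differences described in the post.
# Expected values come from the post; registry paths and privilege names are
# assumptions about where those policies are stored.

$findings = @()

# 1. Advanced Audit Policy: Account Lockout should now be Success and Failure.
#    auditpol /r emits CSV; the "Inclusion Setting" column holds the value.
$audit   = auditpol /get /subcategory:"Account Lockout" /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
$findings += [pscustomobject]@{
    Check    = 'Audit Account Lockout'
    Actual   = $setting
    Expected = 'Success and Failure'
    Pass     = ($setting -eq 'Success and Failure')
}

# 2. Public firewall profile: the server baseline leaves "Apply local firewall
#    rules" and "Apply local connection security rules" Not Configured.
$pub = Get-NetFirewallProfile -Name Public
foreach ($p in 'AllowLocalFirewallRules', 'AllowLocalIPsecRules') {
    $findings += [pscustomobject]@{
        Check    = "Public profile $p"
        Actual   = $pub.$p
        Expected = 'NotConfigured (organization decides)'
        Pass     = ($pub.$p -eq 'NotConfigured')
    }
}

# 3. User rights the baseline no longer pins: report who holds them so a
#    product-specific account granted at install time is visible, not reverted.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg |
          Where-Object { $_ -match '^(SeAssignPrimaryTokenPrivilege|SeIncreaseQuotaPrivilege)' }
Remove-Item $cfg -ErrorAction SilentlyContinue
foreach ($line in $rights) {
    $name, $sids = $line -split '\s*=\s*', 2
    $findings += [pscustomobject]@{
        Check    = "User right $name"
        Actual   = $sids
        Expected = 'Windows default plus any product accounts (informational)'
        Pass     = $true
    }
}

# 4. Settings that must NOT be applied to domain controllers (DomainRole 4/5).
#    On a DC they should be absent; on a member server they are expected.
$isDC     = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$lapsPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$uncPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$lapsOn   = (Get-ItemProperty -Path $lapsPath -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1
$uncOn    = Test-Path $uncPath
foreach ($item in @(@('LAPS AdmPwdEnabled', $lapsOn), @('Hardened UNC Paths', $uncOn))) {
    $findings += [pscustomobject]@{
        Check    = $item[0]
        Actual   = $item[1]
        Expected = if ($isDC) { 'not applied on a DC' } else { 'applied on member server' }
        Pass     = if ($isDC) { -not $item[1] } else { [bool]$item[1] }
    }
}

$findings | Format-Table -AutoSize
```

The user-rights rows are informational by design: the post's point is that pinning them in Group Policy breaks products that grant those rights to their own service accounts, so the script shows the current holders rather than judging them.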

Categories: Uncategorized Tags:

Link (.lnk) to Ransom

May 27th, 2016 No comments

We are alerting Windows users to a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect it as Ransom:Win32/ZCryptor.A.

 

Infection vector

Ransom:Win32/ZCryptor.A is distributed through spam email. It can also be installed on your machine by other macro malware* or by fake installers (for example, a bogus Flash Player setup).

Once ZCryptor is executed, it will make sure it runs at start-up:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zcrypt = {path of the executed malware}

 

It also drops an autorun.inf on removable drives and a zcrypt.lnk in the Startup folder:

%User Startup%\zcrypt.lnk

...along with a copy of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe, and sets the file attributes to hide these files from the user in File Explorer.

For example: c:\users\administrator\appdata\roaming\zcrypt.exe

Payload

This ransomware will display the following ransom note to users in a dropped HTML file How to decrypt files.html:

Screenshot of Win32/ZCryptor.A  ransom note

 

It then encrypts files with the following extensions and appends .zcrypt to the file name once it is done (for example, <originalfilename>.zcrypt):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr

 

Infected machines have a mutex named zcrypt1.0. The mutex signals that an instance of this ransomware is already running on the machine.

We have also observed a connection to the following URL, although the domain was already down when we tested:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}, where {Computer_ID} is the value found in the dropped file %AppData%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt
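The indicators above (Run key value, dropped files, removable-drive dropper, .zcrypt extension, mutex) can be checked on a host with the following PowerShell. This is an added example and is not code from the MMPC post; the indicator values are taken from the post, while the function names are ours. It is read-only: it reports what it finds and does not remediate.

```powershell
# Added example (not from the MMPC post): hunt for the ZCryptor artifacts
# described above on a Windows host. Read-only; it reports, it does not clean.

function Test-ZCryptorMutex {
    # The sample creates a mutex named zcrypt1.0 so it does not run twice.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('zcrypt1.0')
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
}

function Get-ZCryptorIndicators {
    $hits = @()

    # Persistence: HKCU\...\Run value named "zcrypt" pointing at the dropped copy.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).zcrypt
    if ($val) { $hits += [pscustomobject]@{ Indicator = 'Run key zcrypt'; Location = $val } }

    # Dropped files. -Force is required because the sample sets the hidden attribute.
    $paths = @(
        (Join-Path $env:APPDATA 'zcrypt.exe'),
        (Join-Path $env:APPDATA 'cid.ztxt'),
        (Join-Path ([Environment]::GetFolderPath('Startup')) 'zcrypt.lnk')
    )
    foreach ($p in $paths) {
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) { $hits += [pscustomobject]@{ Indicator = 'Dropped file'; Location = $f.FullName } }
    }

    # Propagation: autorun.inf and system.exe at the root of removable (2) and
    # network (4) drives.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4'
    foreach ($d in $drives) {
        foreach ($n in 'autorun.inf', 'system.exe') {
            $p = Join-Path $d.DeviceID $n
            $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
            if ($f) { $hits += [pscustomobject]@{ Indicator = 'Drive dropper'; Location = $f.FullName } }
        }
    }

    # Payload: files renamed with the .zcrypt extension under the user profile.
    $enc = Get-ChildItem -Path $env:USERPROFILE -Filter '*.zcrypt' -Recurse -Force -ErrorAction SilentlyContinue |
           Select-Object -First 5
    foreach ($e in $enc) { $hits += [pscustomobject]@{ Indicator = 'Encrypted file'; Location = $e.FullName } }

    if (Test-ZCryptorMutex) {
        $hits += [pscustomobject]@{ Indicator = 'Mutex zcrypt1.0'; Location = 'running process' }
    }

    return $hits
}

$result = Get-ZCryptorIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No ZCryptor indicators found.' }
```

Because the dropped files are hidden, a plain `Get-ChildItem` or File Explorer with default settings will not show them; `-Force` is what makes the check meaningful. The mutex check only succeeds while the sample is running in the same session, so a clean mutex result does not rule out an earlier infection.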

Prevention

To help stay protected:

  • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On Windows 10 and Windows 8.1 devices, File History must be turned on and a drive set up for it.
  • Use OneDrive for Business.
  • Beware of phishing emails and spam, and do not open suspicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It prevents you from browsing sites known to host exploits and protects you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable Remote Desktop whenever possible.
  • Use two-factor authentication.
  • Use a safe internet connection.
  • Avoid browsing websites known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

Office 365’s How to deal with ransomware blog lists several options for remediating or recovering from a ransomware attack. Here are a few that apply to home users and information workers:

  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  1. Recover your files in your OneDrive for Consumer
  2. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select restore

 

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

 

*Related macro malware information:

 

Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection

May 26th, 2016 No comments

Every month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. This tool aids in the detection and removal of malware from 1 to 2 million machines each time, even on those devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them.  These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense to your existing antivirus program’s real-time protection.

 

Enabling Windows 10 Limited Periodic Scanning

If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

  1. Navigate to Settings -> Update & Security -> Windows Defender.
  2. Turn Limited Periodic Scanning on.

Screenshot of the Limited Periodic Scanning option

If you are already using Windows Defender as your antivirus program on Windows 10, you already have this behavior: Windows Defender periodically scans your PC through its scheduled scans.

 

Notifying you of threats found on your PC

When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

Screenshot of Windows Defender periodic scanning settings Screenshot of the Windows Defender History settings

When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

Screenshot of the Windows Defender scan notification

Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit: http://www.microsoft.com/security.

 

 

Deepak Manohar

Microsoft Malware Protection Center

MS16-MAY – Microsoft Security Bulletin Summary for May 2016 – Version: 2.1

Revision Note: V2.1 (May 25, 2016): For MS16-065, added a Known Issue to the Executive Summaries table. After you install any of the security updates that are included in MS16-065 on a Front End or Standard Edition server for Lync Server 2010, Lync Server 2013, or Skype for Business Server 2015, several conferencing modalities no longer function for internal users. For information about the solution for this Known Issue, see Microsoft Knowledge Base Article 3165438.
Summary: This bulletin summary lists security bulletins released for May 2016.

Categories: Uncategorized Tags:

MS15-JUL – Microsoft Security Bulletin Summary for July 2015 – Version: 3.1

Revision Note: V3.1 (May 25, 2016): For MS15-076, added a Known Issues reference to the Executive Summaries table. For more information, see Microsoft Knowledge Base Article 3067505. For information about the solution for this Known Issue, see Microsoft Knowledge Base Article 3155218.
Summary: This bulletin summary lists security bulletins released for July 2015.

Categories: Uncategorized Tags:

MS15-134 – Important: Security Update for Windows Media Center to Address Remote Code Execution (3108669) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (May 25, 2016): Removed the mitigating factors for CVE-2015-6131 and CVE-2015-6127. These are informational changes only.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS16-054 – Critical: Security Update for Microsoft Office (3155544) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (May 25, 2016): Corrected the updates replaced for Microsoft Office 2013 to 3114486 in MS16-004, and for CVE-2016-0183, clarified that the Preview Pane is an attack vector for this vulnerability. These are informational changes only.
Summary: This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Categories: Uncategorized Tags:

MS16-003 – Critical: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (May 25, 2016): Removed redundant rows from the Vulnerability Severity Rating and Maximum Security Impact by Affected Software table, and added the applicable update numbers for clarity. This is an informational change only.
Summary: This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Categories: Uncategorized Tags:

MS15-126 – Critical: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3116178) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (May 25, 2016): Removed redundant rows from the Vulnerability Severity Rating and Maximum Security Impact by Affected Software table, and added the applicable update numbers for clarity. This is an informational change only.
Summary: This security update resolves vulnerabilities in the VBScript scripting engine in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that uses the Internet Explorer rendering engine to direct the user to the specially crafted website.

Categories: Uncategorized Tags:

Estonia leading the way in driving digital continuity for government services

May 24th, 2016 No comments

We are at the threshold of unprecedented value creation for industry and society, driven by the accelerating pace of change enabled through digital technology. Whether it is about bringing together patient records so they can be shared quickly for better patient outcomes, or reimagining connectivity and predictive maintenance for cars to meet the expectations of road safety, digital transformation is changing how we work and live.

Called the Fourth Industrial Revolution, this significant disruption of traditional industries is fueled by speed, the falling cost of technology and how quickly companies are growing. There is broad agreement that the economic opportunity from digital transformation could be as high as $100 trillion across all industries over the next decade. But this impact is broader than economics alone. For instance, Governments must also consider the unique role they play in communities – literally holding the keys to the city, powering the grids, administering the most critical public systems. And it’s not just about implementing this or that technology to improve services, but building digital resilience to minimize interruption. Estonia is a great example of a government reinventing its systems. Microsoft is a proud partner.

Long considered a member of the Public Sector “Digital Masters,” Estonia continuously demonstrates a transformative vision. From embracing incubation and innovation, to trying out new ideas in a thoughtful, bold and measured way, stuff happens first in Estonia.

After exploring the broad concept of a digital “data embassy” (the focus of a joint Phase I research project), Estonia and Microsoft were interested in advancing strategic Information and Communications Technology (ICT) principles around “digital continuity.” In the face of natural or man-made interference, could cloud capabilities enhance digital resilience of government services? The Estonian Chief Information Officer and Microsoft set the course to find out.

In the process of this joint research project, we chose to evaluate the technical and policy aspects of “failing over” a critical government service in Microsoft Azure in the event of a disruption – part of a core element of meeting the needs of an advanced digital society and innovative government. Microsoft and the Estonian Ministry of Economic Affairs and Communications assessed the Estonia Land Register, the official digital record of land ownership in Estonia. Could the records be migrated to, and hosted on, the Microsoft Azure cloud computing platform? What technical and policy questions needed to be considered? Today, we published a video and our Proof of Concept findings in a Summary Report.

The Summary Report concludes with six recommendations for any government considering cloud computing. We continue to evaluate some of the harder questions about the operational requirements needed to support effective migration to and how to build trust in the public cloud.

Microsoft is delighted to participate in, learn from, and co-lead research projects such as this one, with the Estonia CIO and team. Public-private partnerships can advance digital transformation for governments, in turn, helping them better serve their citizens, empower their employees, optimize operations and transform their societies.

Categories: Cloud Computing, cybersecurity Tags:

What do Goldie Hawn, Kobe Bryant, Al Gore, Jessica Alba, Tony Blair, Wayne Gretzky, and Microsoft’s Tim Rains all have in common? The Milken Institute Global Conference 2016

May 20th, 2016 No comments


A couple of weeks ago I was very honored to participate in a panel at the Milken Global Conference. This was an excellent event with a true C-suite audience in attendance. The list of speakers at this event was unbelievable.

The panel I participated on was called “Cyber Resilience: New Line of Defense for Business.” We discussed many topics including the current state of the threat landscape and available security mitigations, communicating effectively with boards of directors on security risks and mitigations, supply chain security challenges, the shortage of security talent across the industry, and others.

You can watch a video of this panel and get details on all the panelists here.

Tim Rains
Director, Security

Categories: cybersecurity Tags:

The 5Ws and 1H of Ransomware

May 19th, 2016 No comments

For the past three months, we have seen ransomware hop its way across the globe. The majority of ransomware incidents were found in the United States, followed by Italy and Canada.

Ransomware geographical distribution for from February to April 2016

The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about ransomware. In response to the global incidents, the Swiss government, together with industry partners, is also holding a Ransomware InfoDay today, May 19, 2016, as part of its ransomware awareness campaign.

The following table shows the top 20 countries where ransomware is most prevalent.

Top 20 countries with the most prevalent ransomware incidents

This blog answers the frequently asked questions (who, what, where, when, why, and how) about a class of malware with an effect so tangible that it locks your files, extorts money from you, and disrupts important public and private operations.

Case in point: RANSOMWARE

 

Whom does it affect?

You! Do you use a mobile device, PC, or laptop, or use the internet for browsing, email, work, or shopping online?

If yes, then you are a potential ransomware victim. Make sure precautionary measures are in place; see the Prevention section for details.

 

 

What is ransomware?

Ransomware is malware that stealthily installs itself on your PC or mobile device and holds your files or operating system functions for ransom. It prevents you from using your PC or mobile device and from accessing your files (which are sometimes locked or encrypted) unless you pay the ransom (in exchange for file decryption).

Paying the ransom (by credit card or in Bitcoin), however, does not guarantee that you will get your files back. Prevention is still far better than getting infected and then searching for a cure. See our Ransomware page for details.

 

 

What does a ransomware attack look like?

Ransomware targets your pictures, documents, files, and data that are personally valuable to you.

You can tell that you are under attack when you see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

However, the symptoms vary from one ransomware type to another:

Sample ransomware lockscreens and ransom notes

 

What!?! There are several ransomware types?

Yes. Since it first surfaced in 1989, ransomware has morphed into different forms as it adapts to people’s computing habits and leverages new technologies and monetization strategies.

There are two types of ransomware – lockscreen ransomware and encryption ransomware.

  • Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.
  • Encryption ransomware changes your files so you can’t use them. It does this by encrypting the files – see the Details for enterprises section if you’re interested in the technologies and techniques we’ve seen.

Older versions of ransomware usually claim you have done something illegal with your PC, and that you are being fined by a police force or government agency.

These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

Ransomware history from 1989 to 2016


Where can a ransomware attack happen?

Computers and mobile devices.

Ransomware employs its encryption and monetization strategies across PC and mobile devices.


When can a ransomware attack start?

Ransomware attack workflow

Potential victims can fall into the ransomware trap if they are:

  • Browsing untrusted websites
  • Not careful about downloading or opening file attachments from spam emails, which are known to contain malicious code. That also includes compressed files or files inside archives. Some possible attachments are:
    • Executables (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
    • Office files that support macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
  • Installing pirated software, outdated software programs or operating systems
  • Using a PC that is connected to an already infected network
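
As an added example (not code from the original post), the routine below screens incoming attachment names against the executable and macro-capable extension lists given above, judges by the final extension so a double extension is still caught, and opens zip archives in memory to classify their members, since risky files also arrive inside archives. The sample archive is constructed in the code so it runs offline.

```python
import io
import zipfile

# Extensions the post lists as executable content or as macro-capable Office files.
EXECUTABLE_EXTS = {
    ".ade", ".adp", ".ani", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt", ".hlp",
    ".ht", ".hta", ".inf", ".ins", ".isp", ".job", ".js", ".jse", ".lnk", ".mda", ".mdb",
    ".mde", ".mdz", ".msc", ".msi", ".msp", ".mst", ".pcd", ".reg", ".scr", ".sct", ".shs",
    ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh", ".exe", ".pif",
}
MACRO_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".pptm"}

def extension_of(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def classify_name(name):
    """Risk label for one file name, or None if benign; only the final extension counts."""
    ext = extension_of(name)
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in MACRO_EXTS:
        return "macro-capable Office file"
    return None

def screen_attachment(name, data):
    """(path, label) findings for one attachment; members of a zip archive are classified too."""
    findings = []
    label = classify_name(name)
    if label:
        findings.append((name, label))
    if extension_of(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append((name + ":" + member, inner))
        except zipfile.BadZipFile:
            findings.append((name, "unreadable zip archive"))
    return findings

def build_sample_zip():
    """Constructed sample input: a zip hiding a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.pdf.exe", b"not a real program")  # constructed
        archive.writestr("notes.txt", b"harmless text")  # constructed
    return buf.getvalue()
```

Calling `screen_attachment("Invoice_2016.zip", build_sample_zip())` reports the hidden executable inside the archive while leaving the text file unflagged.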


Why do malware perpetrators victimize people with ransomware?

Because they have malicious or criminal intentions, and see it as an easy way to make money. They take advantage of people’s ignorance, unpatched software vulnerabilities, or zero-day vulnerabilities.

Ransomware in the news affecting crucial public and private services


It also damages an enterprise’s security and reputation, as some ransomware incidents halt crucial services such as hospitals, forcing infected users to pay up if they haven’t backed up their data.

Why must you educate yourself about ransomware?

Because it can take your hard-earned money in exchange for the stuff you already own – your data or files! Exxroute ransomware, for example, demands $500 and doubles the ransom as you delay the payment. It also starts deleting your files if you delay the payment.

It can also violate your privacy, disrupt your work or personal life, and possibly harm your reputation.

If the ransomware perpetrators are cashing in on people’s ignorance, then educating yourself about it can help disrupt their business.

Download the ransomware infographics here.

How can you avoid and bounce back from a ransomware attack?

Prevention

  • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On Windows 10 or Windows 8.1 devices, File History must be enabled and you have to set up a drive for it.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails and spam, and don’t click malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe and password-protected internet connection.
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options for remediating or recovering from a ransomware attack. Here are a few that apply to a home user or to someone in the information industry like you:

  1. Make sure you have backed up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista:

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points.
    • Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want.
    • Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone.

Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to perform the actions described above. If this is the case, you need to rely on backups on external drives (not affected by the ransomware) or on OneDrive (next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  3. Recover your files in your OneDrive for Consumer.

  4. Recover your files in your OneDrive for Business.

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restoring the files using the Portal

Users can restore previous versions of a file through the user interface. To do this:

  1. Go to OneDrive for Business in the office.com portal.
  2. Right-click the file you want to recover, and select Version History.
  3. Click the dropdown list of the version you want to recover and select Restore.


If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this, please take a look at the Restore Option in SharePoint Online blog post.


Microsoft Malware Protection Center


2880823 – Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program – Version: 2.0

Revision Note: V2.0 (May 18, 2016): Advisory updated to provide links to the current information regarding the use of the SHA1 hashing algorithm for the purposes of SSL and code signing. For more information, see Windows Enforcement of Authenticode Code Signing and Timestamping.
Summary: Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.


MS16-035 – Important: Security Update for .NET Framework to Address Security Feature Bypass (3141780) – Version: 2.1

Severity Rating: Important
Revision Note: V2.1 (May 18, 2016): Revised bulletin to clarify the distribution audience for the Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 security updates that were re-released on May 10, 2016, as follows: The security updates for Microsoft .NET Framework 4.5.2 have been re-released to Limited Distribution Release (LDR) customers only. The security updates for Microsoft .NET Framework 4.6/4.6.1 have been re-released to all customers.
Summary: This security update resolves a vulnerability in Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document.
