Microsoft says it hardened its ransomware defenses in Windows 10 Anniversary Update in the face of skyrocketing infection rates and a doubling in the number ransomware variants released into the wild over the past 12 months.
In a whitepaper (PDF) released last week, Microsoft explained its latest anti-ransomware solutions bundled this past August with the release of Windows 10 Anniversary Update. One of those improvements includes an updated Microsoft Edge browser with advanced sandboxing technology specific to the exploit-magnet Adobe Flash Player.
Other anti-ransomware hardening includes applying a machine-learning infrastructure and cloud-based approach for identifying, classifying and protecting against specific ransomware attacks in seconds rather than hours, according to Microsoft.
“The ways attackers are executing attacks are becoming more complex, and the results of the attack are becoming increasingly costly to its victims,” Microsoft wrote in its report. In fact, it’s fair to say, 2016 has been a devastating year for many individuals and companies stung by ransomware.
Between April 2015 and March 2016 the number of users hit by ransomware rose 17.7 percent worldwide compared to the prior year, according to Kaspersky Lab. Incidents of encryption-based ransomware that locks up data on a PC has risen five-fold over the past year jumping from 6.6 percent in 2014/2015 to 31 percent the preceding year.
Microsoft says it has bolstered Windows 10 to reflect those changing tactics of criminals. The company, in a push to get customers to upgrade, says its Windows 10 Anniversary Edition users are 58 percent less likely to encounter ransomware than when running Windows 7.
Windows 7 is still the dominant version of Microsoft’s OS in use today with 48 percent market share compared to Windows 10 with 22 percent, according to the most recent data available from Net Market Share. Windows 8 is the third most popular Windows OS in use with 8.4 market share followed closely by Windows XP with 8.2 percent.
Much of Microsoft’s anti-ransomware hardening centers on its Edge browser defenses. Microsoft said that between January and July, six of the top 10 ransomware threats used email and browser exploits, or browser-plug-in related exploits, with the remaining four using browser exploits.
To that end, in Windows 10 Anniversary Update, Adobe’s Flash Player is isolated when running in the Edge browser and has its own dedicated application container. In addition to container management, Microsoft adds new kernel protection to Windows 10 Anniversary Update that limits the ways in which system calls can be used by Microsoft Edge, according to Microsoft.
“If a malware author attempts using a vulnerable system call to escape the browser’s sandbox and download and install ransomware in a way that does not fit within these new restrictions, Microsoft Edge will block the system call, preventing the attack,” Microsoft said.
Part of Microsoft’s anti-ransomware security also includes a combination of human and machine learning to protect against malware. On one hand, Microsoft bolsters its Edge browser with its SmartScreen Filter (introduced with Internet Explorer 8). It’s SmartScreen Filter roughly competes with Google’s Safe Browsing initiative in that they both use a human and machine-generated URL blacklists to block users from visiting unsafe sites.
Over the past six months, Microsoft says it has also been leveraging its machine-learning technology and cloud-based automatic sample submission features in Windows Defender to help block ransomware from inboxes. Using both can block previously unidentified malware, Microsoft says. “Definition updates can take hours to prepare and deliver; our cloud service delivers this protection in seconds,” Microsoft said.
As part of Windows Anniversary Edition the company introduced Windows Defender Advanced Threat Protection (ATP), a new service that gives remote security staff members a shared dashboard to view security events and alerts in their network and mitigate remote threats.
Despite ransomware victories, such as CrySis being neutralized via the release of master decryption keys, the threat of ransomware persists with most strains targeting Windows users. In August, ransomware called Fantom was discovered masquerading as a fake critical Windows update. Last summer, shortly after Windows 10 was released, attackers began launching spam and phishing email campaigns around the operating system. Victims received messages claiming users could upgrade to Windows 10 for free. Those who downloaded the malicious .zip archive were ultimately hit with CTB-Locker ransomware and had their files encrypted.