
Windows 10 (Build 16232) will try to combat ransomware by locking up your data

9 minutes ago, LAwLz said:

I don't think SecureBoot does what you think it does, or don't know what Petya does.

SecureBoot does not prevent Petya.

Quote

Correct me if I'm wrong with this but from what I understand with secure boot, it will only block execution of malware upon boot like preventing a malware infested flash drive from interfering with the boot process. But from what I understand, most ransomware attacks are executed when the OS is already loaded and the user is logged in. Petya, from what I knew at the moment will encrypt not the user's files but the master boot record when the user is already logged in. So yeah, secure boot only protects against rootkits but not ransomware.

UEFI means that it uses GPT not MBR, and SecureBoot prevents boot replacement. So you protect yourself from both entry ways against Petya.

The majority of systems infected by Petya were Windows 7 pre-SP1. Systems of the time were on BIOS.

 

Nothing is foolproof, but it makes it harder and harder and harder to make ransomware. Right now, anyone with basic C# .NET skills can make one. So like an 8-year-old kid can do it. Won't be good, but they can do it. The idea is to make it very hard to not encourage this, and just not make it worth it. Like viruses and malware, ransomware isn't going away. But we have much fewer viruses and malware than before.


 

6 minutes ago, GoodBytes said:

You need to pass through UAC first. No one is real admin under Windows.

 

Aye, but that's just part of the issue - I know far too many people that just click OK or Accept at this part of UAC, not bothering to read what it actually is!

 

Posted · Original Poster
4 minutes ago, GoodBytes said:

 

UEFI means that it uses GPT not MBR, and SecureBoot prevents boot replacement.

I looked up this article on the differences between MBR and GPT but I think it's more about partitioning and recovery from data corruption rather than security aside from the Secure boot in UEFI. If the actual OS files are encrypted, I don't think it will matter if a PC boots using MBR or GPT.

 



By the way, it seems like this new feature won't really help.

I've seen several security people say that it can easily be bypassed with for example a very simple code injection to explorer.

 

1 hour ago, GoodBytes said:

UEFI means that it uses GPT not MBR

Petya destroys the GPT data too.

What happens is that Petya actually assumes that you are using MBR, so it encrypts the MBR part and then continues to write its own code over the GPT header (because it assumes those sections are unused, like they would be if you used MBR). It also goes on to destroy the VBR for each partition.

 

1 hour ago, GoodBytes said:

SecureBoot prevents boot replacement.

No it doesn't. Secure Boot prevents unsigned/untrusted code from executing during boot.

It prevents it from starting, but does not prevent it from being written in the first place. So it would block the ransom note from being displayed (since that would not pass the signature checks), but it would not block the file system info from being corrupted.


It can break GPT, but not replace it to boot itself to encrypt your data (if done outside of the OS) or ask for money outside of the OS. It big ditter.

9 minutes ago, GoodBytes said:

It can break GPT, but not replace it to boot itself to encrypt your data (if done outside of the OS) or ask for money outside of the OS. It big ditter.

You can bypass the boot record and rewrite it via live CD or a recovery disk, but if the partition table (i.e. the "map" of where everything is) gets overwritten, it doesn't matter if your data gets encrypted or not. You're still not going to find your data again (especially if it is fragmented across the drive) unless you can restore it.

 

Say you had a dd image of /dev/sda (not sda1), then you could restore the drive to its uncorrupted state because you also imaged the partition table and boot record.
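The two posts above describe a payload that assumes an MBR disk and writes over LBA 0, the GPT header, the partition entry array and the partitions' VBRs, and the point that only an image of the whole device (the dd of /dev/sda, not sda1) contains the sectors needed to put that layout back. The script below carries that through on a constructed in-memory GPT disk. It is an added example, not code from any poster or from Microsoft: the disk geometry, the partition GUIDs, the sample "file" bytes and the filler bytes used to simulate the overwrite are all constructed here. The GPT header layout and CRC32 checks follow the UEFI specification; no real device is touched.

```python
"""Detect and repair a clobbered GPT layout using a whole-disk image (added example)."""
import struct
import uuid
import zlib

SECTOR = 512
DISK_SECTORS = 128                      # constructed 64 KiB "disk", laid out like a real GPT drive
ENTRY_SIZE, NUM_ENTRIES = 128, 128      # standard GPT entry array: 128 entries of 128 bytes
ENTRY_SECTORS = ENTRY_SIZE * NUM_ENTRIES // SECTOR   # 32 sectors
FIRST_USABLE = 2 + ENTRY_SECTORS                     # LBA 34: first sector of the partition (its VBR)
LAST_USABLE = DISK_SECTORS - 2 - ENTRY_SECTORS       # LBA 94
HDR_FMT = "<8sIIII QQQQ 16s QIII"                    # 92-byte GPT header
DATA_LBA = 40                                        # constructed location of a user "file"
MARKER = b"user-data-survives"                       # constructed file content


def _crc(b):
    return zlib.crc32(b) & 0xFFFFFFFF


def _gpt_header(my_lba, alt_lba, entries_lba, guid, entries):
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, my_lba, alt_lba, FIRST_USABLE, LAST_USABLE,
              guid, entries_lba, NUM_ENTRIES, ENTRY_SIZE, _crc(entries)]
    fields[3] = _crc(struct.pack(HDR_FMT, *fields))   # header CRC is taken with its own field zeroed
    return struct.pack(HDR_FMT, *fields).ljust(SECTOR, b"\0")


def build_gpt_disk():
    """Protective MBR at LBA 0, primary header at LBA 1, entries at LBA 2..33, backup at the end."""
    disk = bytearray(DISK_SECTORS * SECTOR)
    entry = struct.pack("<16s16sQQQ72s", uuid.uuid4().bytes, uuid.uuid4().bytes,
                        FIRST_USABLE, LAST_USABLE, 0, "data".encode("utf-16-le"))
    entries = entry.ljust(ENTRY_SIZE * NUM_ENTRIES, b"\0")
    guid = uuid.uuid4().bytes
    # protective MBR: one 0xEE entry spanning the disk plus the 0x55AA boot signature
    disk[446:462] = struct.pack("<B3sB3sII", 0, b"\0\2\0", 0xEE, b"\xff\xff\xff", 1, DISK_SECTORS - 1)
    disk[510:512] = b"\x55\xaa"
    backup_entries_lba = DISK_SECTORS - 1 - ENTRY_SECTORS      # LBA 95
    disk[SECTOR:2 * SECTOR] = _gpt_header(1, DISK_SECTORS - 1, 2, guid, entries)
    disk[2 * SECTOR:FIRST_USABLE * SECTOR] = entries
    disk[backup_entries_lba * SECTOR:(DISK_SECTORS - 1) * SECTOR] = entries
    disk[(DISK_SECTORS - 1) * SECTOR:] = _gpt_header(DISK_SECTORS - 1, 1, backup_entries_lba, guid, entries)
    disk[FIRST_USABLE * SECTOR:FIRST_USABLE * SECTOR + 2] = b"\xebR"   # stand-in VBR bytes (constructed)
    disk[DATA_LBA * SECTOR:DATA_LBA * SECTOR + len(MARKER)] = MARKER
    return disk


def check_gpt(disk):
    """Return a list of layout problems; an empty list means MBR, headers and entry arrays verify."""
    problems = []
    if disk[510:512] != b"\x55\xaa" or disk[450] != 0xEE:
        problems.append("protective MBR missing or partition type is not 0xEE")
    for name, lba in (("primary", 1), ("backup", DISK_SECTORS - 1)):
        f = list(struct.unpack(HDR_FMT, bytes(disk[lba * SECTOR:lba * SECTOR + 92])))
        if f[0] != b"EFI PART":
            problems.append(f"{name} GPT header signature missing")
            continue
        stored_crc, f[3] = f[3], 0
        if _crc(struct.pack(HDR_FMT, *f)) != stored_crc:
            problems.append(f"{name} GPT header CRC mismatch")
        ents = bytes(disk[f[10] * SECTOR:f[10] * SECTOR + f[11] * f[12]])
        if _crc(ents) != f[13]:
            problems.append(f"{name} partition entry array CRC mismatch")
    return problems


def overwrite_boot_area(disk, filler=b"\xff" * SECTOR):
    """Constructed stand-in for the damage described above: LBA 0 through the first
    partition sector (MBR, GPT header, entry array, VBR) are replaced with filler bytes.
    The file data further in is left alone, but nothing points at it any more."""
    damaged = bytearray(disk)
    for lba in range(0, FIRST_USABLE + 1):
        damaged[lba * SECTOR:(lba + 1) * SECTOR] = filler
    return damaged


def restore_layout(damaged, full_image):
    """Copy LBA 0..34 back from a whole-device image, which is exactly what a dd of
    /dev/sda (not sda1) captured and a partition-only image cannot provide."""
    fixed = bytearray(damaged)
    end = (FIRST_USABLE + 1) * SECTOR
    fixed[:end] = full_image[:end]
    return fixed


def partition_only_image(disk):
    """Simulates dd of /dev/sda1: the partition's own sectors only, no table, no boot record."""
    return bytes(disk[FIRST_USABLE * SECTOR:(LAST_USABLE + 1) * SECTOR])


def demo():
    original = build_gpt_disk()
    damaged = overwrite_boot_area(original)
    restored = restore_layout(damaged, original)
    return {
        "intact_before": check_gpt(original) == [],
        "problems_after": check_gpt(damaged),
        "data_untouched_but_unreachable": damaged[DATA_LBA * SECTOR:DATA_LBA * SECTOR + len(MARKER)] == MARKER,
        "intact_after_restore": check_gpt(restored) == [] and restored == original,
        "partition_image_has_no_table": b"EFI PART" not in partition_only_image(original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it reports the primary header and protective MBR as destroyed while the backup header at the last sector still verifies, which is why recovery tools can often rebuild a table from the backup even before you reach for an image; the user data at LBA 40 is byte-for-byte intact throughout, it just has no map pointing at it until the first 35 sectors are copied back from the full-disk image.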



Hmm.. true, well partially.

Data can be recovered; it requires a lot of effort, but there are tools that exist that a professional IT tech (basically, not Geek Squad) can use to recover most data. And of course you have actual companies that do data recovery. But ransomware, which is the topic here, still doesn't get money out of it.

 

I mean, unless you are in a super closed ecosystem, nothing will help you with blackmail-ware, where a piece of software looks for source code files, documents, and so on, uploads them to a server and asks for money. How many companies actually encrypt their data? And even then, they can monitor or inject into a software and access loaded documents... running for a few months without anyone's knowledge can get someone quite a bit of data.

 

I guess I should have clarified what I wanted to say: nothing is foolproof; the point is to discourage a lot, and make it very difficult to make money. The criminal making it isn't interested in a few hundred bucks; they want potentially millions. If not, it is not worth all the work.

1 hour ago, Metal_Kitty said:

 

Aye, but that's just part of the issue - I know far too many people that just click OK or Accept at this part of UAC, not bothering to read what it actually is!

 

Absolutely, even if it asks for a password, people will type it in (can't wait for fake programs that look like it is the OS asking for a password, but just steal your password). There is only so much one can do to stop stupidity. That is why education is the way forward. UAC is your last line of defense. The point is that programs can't execute system-level stuff without permission.

 

Windows 10 does have a lock-down-to-Store-only-apps feature, if you are concerned about this though. You get to install any software you want, then you lock yourself, and from that point on, any program not already installed is blocked from running, unless it comes from the Store.

4 minutes ago, TimeOmnivore said:

Just to confirm, this will be something that you can disable, right?

Nope. Unless you install another A/V.

 

Just now, GoodBytes said:

Nope. Unless you install another A/V.

 

I'm currently using AVG and have Windows Defender turned off, so will this update still apply to me?

13 minutes ago, TimeOmnivore said:

I'm currently using AVG and have Windows Defender turned off, so will this update still apply to me?

You will still get the update coming this October, but it will be disabled, unless something changes between now and the release of the Fall Creators Update, which it can, as it is still in dev.

4 hours ago, GoodBytes said:

Data can be recovered; it requires a lot of effort, but there are tools that exist that a professional IT tech (basically, not Geek Squad) can use to recover most data. And of course you have actual companies that do data recovery. But ransomware, which is the topic here, still doesn't get money out of it.

That depends on a lot of things. If your data is for example fragmented, or critical parts have been overwritten then you're probably out of luck, even with a professional data recovery method.

Petya also starts encrypting files before the reboot, so those files will probably be lost forever (the files are overwritten).

 

4 hours ago, GoodBytes said:

I guess I should have clarified what I wanted to say: nothing is foolproof; the point is to discourage a lot, and make it very difficult to make money. The criminal making it isn't interested in a few hundred bucks; they want potentially millions. If not, it is not worth all the work.

Not all attacks are about money.

Petya is not ransomware (at least not the current iteration which is what we are talking about). It was a targeted attack against Ukrainian infrastructure and services, meant to destroy data.

 

4 hours ago, GoodBytes said:

The point is that, programs can't execute system level stuff without permission.

A lot of times they can. Privilege escalation exploits are not exactly uncommon on Windows.

The old version of Petya would ask for admin privileges and if the user declined it, it would switch to running a payload called Mischa, which did not require admin privileges (which skipped encrypting the MFT but instead attacked files one by one).

 

5 hours ago, GoodBytes said:

Windows 10 does have a lock-down-to-Store-only-apps feature, if you are concerned about this though. You get to install any software you want, then you lock yourself, and from that point on, any program not already installed is blocked from running, unless it comes from the Store.

I have a question about that. Does it also block the non-store programs from being updated? If that's the case then it's not really a solution.

8 hours ago, hey_yo_ said:

I don't want to dismiss what Microsoft is doing but it seems it will only protect my personal files from unwanted encryption but not the master boot record?

To be fair, your data is what really matters, and the only hope of ransomware authors to get any money. A broken MBR can be an inconvenience, but you can always overwrite it / nuke it / make a new OS install, and recover your data from the drive.

27 minutes ago, LAwLz said:

I have a question about that. Does it also block the non-store programs from being updated? If that's the case then it's not really a solution.

If the program has an auto-updater, based on a quick test on my side, it seems to be working. However, if you manually go to the website and get a new version of the app, and run the setup, you'll just get this:

[screenshot attachment: Capture.PNG]

(And the option "Open Settings" gets you to the option in the Settings panel to disable this locked down feature).

Posted · Original Poster
38 minutes ago, SpaceGhostC2C said:

To be fair, your data is what really matters, and the only hope of ransomware authors to get any money. A broken MBR can be an inconvenience, but you can always overwrite it / nuke it / make a new OS install, and recover your data from the drive.

That's good if the ransomware only encrypts the MBR but not the personal files, but the problem is that there are variations of ransomware that do encrypt both.


15 minutes ago, hey_yo_ said:

That's good if the ransomware only encrypts the MBR but not the personal files, but the problem is that there are variations of ransomware that do encrypt both.

Right, but assuming the feature works and is not yet bypassed in some way, then it should prevent one's personal data from being affected.

Posted · Original Poster
16 minutes ago, GoodBytes said:

Right, but assuming the feature works and is not yet bypassed in some way, then it should prevent one's personal data from being affected.

I'll believe it when I see it and third-party tests corroborate that the new Windows Defender in the Fall Creators Update works. I would love to not pay anymore for a good AV, but for now, I'll stick to others with proven anti-ransomware capabilities. I don't think it's foolproof, but it works well.


Posted · Original Poster
1 hour ago, GoodBytes said:

If the program has an auto-updater, based on a quick test on my side, it seems to be working. However, if you manually go to the website and get a new version of the app, and run the setup, you'll just get this:

 

(And the option "Open Settings" gets you to the option in the Settings panel to disable this locked down feature).

It's kinda like Gatekeeper which was first introduced in Mac OS X Mountain Lion.

[screenshot attachment: Gatekeeper.png]

 

Basically, the normal Windows 10 has some Windows 10 S-like features:

[screenshot attachment: settingsdevelopermode.PNG]


15 hours ago, hey_yo_ said:

To reduce the maintenance overhead, certain applications will be whitelisted automatically. Microsoft doesn't exactly specify which applications, but we imagine that apps from the Store would automatically be allowed access, for example.

And in the latest news, ransomware was found in an app on the Microsoft Store.

16 hours ago, DXMember said:

oh look.. whitelisting

 

16 hours ago, djdwosk97 said:

Racist

 

16 hours ago, DXMember said:

well, I'm sorry but blacklisting clearly doesn't work

I blame the schools. 

The colleges with security majors. 


Posted · Original Poster

I was hoping you can shed some light on this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

[screenshot attachment: Screenshot(184).png]

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

[screenshot attachments: Screenshot(185).png, Screenshot(186).png]

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.


26 minutes ago, hey_yo_ said:

I was hoping you can shed some light on this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.

If you enable "Store apps only", you can't launch UWP apps that haven't come from the Windows Store; it does nothing for Win32 apps.



So how exactly does this protect my files? Do I have to allow the programs I install to be allowed to write to the folders?

 

 

