Windows 10 (Build 16232) will try to combat ransomware by locking up your data

[GoodBytes]

9 minutes ago, LAwLz said:

I don't think SecureBoot does what you think it does, or don't know what Petya does.

SecureBoot does not prevent Petya.

Quote

Correct me if I'm wrong with this but from what I understand with secure boot, it will only block execution of malware upon boot like preventing a malware infested flash drive from interfering with the boot process. But from what I understand, most ransomware attacks are executed when the OS is already loaded and the user is logged in. Petya, from what I knew at the moment will encrypt not the user's files but the master boot record when the user is already logged in. So yeah, secure boot only protects against rootkits but not ransomware.

UEFI means that it uses GPT not MBR, and SecureBoot prevents boot replacement. So you protect yourself from both entry way against Petya.

The majority of system infected by Petya were Windows 7 pre-SP1. System of the time were on BIOS.

 

Nothing is full proof, but it makes it harder and harder and harder to make ransomware. Right now, anyone with basic C# .NET skills can make one. So like a 8 year old kid can do it. Won't be good, but they can do it. The idea is to make it very hard to not encourage this, and just not make it worth it. Like viruses, and malware, ransomware aren't going away. But we have much less viruses, and malware than before.

[Tech_Dreamer]

Microsoft >>

 

[Metal_Kitty]

 

6 minutes ago, GoodBytes said:

You need to pass through UAC first. No one is real admin under Windows.

 

Aye but thats just part of the issue - I know far to many people that just click ok or accept at this part of UAC not bothering to read what it actually is! 

 

[captain_to_fire]

4 minutes ago, GoodBytes said:

 

UEFI means that it uses GPT not MBR, and SecureBoot prevents boot replacement.

I looked up this article on the differences between MBR and GPT but I think it's more about partitioning and recovery from data corruption rather than security aside from the Secure boot in UEFI. If the actual OS files are encrypted, I don't think it will matter if a PC boots using MBR or GPT.

 

[LAwLz]

By the way, it seems like this new feature won't really help.

I've seen several security people say that it can easily be bypassed with for example a very simple code injection to explorer.

 

1 hour ago, GoodBytes said:

UEFI means that it uses GPT not MBR

Petya destroys the GPT data too.

What happens is that Petya actually assumes that you are using MBR, so it encrypts the MBR part and then continues to write its own code over the GPT header (because it assumes those sections are unused like they would if you use MBR). It also goes on to destroy the VBR for each partition.

 

1 hour ago, GoodBytes said:

SecureBoot prevents boot replacement.

No it doesn't. Secure Boot prevents unsigned/untrusted code from executing during boot.

It prevents it from starting, but does not prevent it from being written in the first place. So it would block the ransome note from being displayed (since that would not pass the signature checks), but it would not block the file system info from being corrupted.

[GoodBytes]

It can break GPT, but not replace it to boot itself to encrypt your data (if done outside of the OS) or ask for money outside of the OS. It big ditter.

[Fetzie]

9 minutes ago, GoodBytes said:

It can break GPT, but not replace it to boot itself to encrypt your data (if done outside of the OS) or ask for money outside of the OS. It big ditter.

You can bypass the boot record and rewrite it via live cd or a recovery disk, but if the partition table (i.e. the "map" of where everything is) gets overwritten, it doesn't matter if your data gets encrypted or not. You're still not going to find your again (especailly if it is fragmented across the drive) unless you can restore it.

 

Say you had a dd image of /dev/sda (not sda1), then you could restore the drive to its uncorrupted state because you also imaged the partition table and boot record.

[GoodBytes]

Hmm.. true, well partially.

Data can be recovered, requires a lot of effort, bit they are tools that exists that a professional tech IT guy (basically, not Geek Squad), can recover most data. And of course you have actual companies that do data recovery. But, ransomware, which is the topic here, still doesn't have money out of it. 

 

I mean, unless you are in a super closed ecosystem, nothing will help you with black-mail-wares, where a software looks for source code files, documents, and so on, and uploads it a server and ask money. How many companies actually encrypt their data. And even then, they can monitor or inject in a software and access loaded documents... running for a few months without knowledge can make someone get quite a bit of data.

 

I guess I should have clarified on what I wanted to say: Nothing is full proof, the point is to discourage a lot, and make it very difficult to make money.  The criminal making it, isn't interested in a few hundred bucks, it wants potentially millions. If not, it is not worth all the work.

[GoodBytes]

1 hour ago, Metal_Kitty said:

 

Aye but thats just part of the issue - I know far to many people that just click ok or accept at this part of UAC not bothering to read what it actually is! 

 

Absolutely, even if it asks a password, people will put it (Can't wait for fake programs making look like it is the OS asking for a password, but just steal your password). There is just so much one can do to stop stupidity. That is why education is the way forward. UAC is your last line of defense. The point is that, programs can't execute system level stuff without permission.

 

Windows 10 does have a lock down to Store only apps feature, if you are concern about this though. You get to install any software you want, then you lock yourself, and now from that point on, any programs not already installed are blocked from running, beside if it comes from the store.

[TimeOmnivore]

Just to confirm, this will be something that you can disable, right?

[GoodBytes]

4 minutes ago, TimeOmnivore said:

Just to confirm, this will be something that you can disable, right?

Nope. Unless you install another A/V.

 

[TimeOmnivore]

Just now, GoodBytes said:

Nope. Unless you install another A/V.

 

I'm currently using AVG and have Windows Defender turned off, so will this update still apply to me?

[GoodBytes]

13 minutes ago, TimeOmnivore said:

I'm currently using AVG and have Windows Defender turned off, so will this update still apply to me?

You will still get the update coming this October, but it will be disabled, unless something changes from now and the release of the Fall Creators Update, which it can as it is still in dev.

[LAwLz]

4 hours ago, GoodBytes said:

Data can be recovered, requires a lot of effort, bit they are tools that exists that a professional tech IT guy (basically, not Geek Squad), can recover most data. And of course you have actual companies that do data recovery. But, ransomware, which is the topic here, still doesn't have money out of it. 

That depends on a lot of things. If your data is for example fragmented, or critical parts have been overwritten then you're probably out of luck, even with a professional data recovery method.

Petya also starts encrypting files before the reboot, so those files will probably be lost forever (the files are overwritten).

 

4 hours ago, GoodBytes said:

I guess I should have clarified on what I wanted to say: Nothing is full proof, the point is to discourage a lot, and make it very difficult to make money.  The criminal making it, isn't interested in a few hundred bucks, it wants potentially millions. If not, it is not worth all the work.

Not all attacks are about money.

Petya is not ransomware (at least not the current iteration which is what we are talking about). It was a targeted attack against Ukrainian infrastructure and services, meant to destroy data.

 

4 hours ago, GoodBytes said:

The point is that, programs can't execute system level stuff without permission.

A lot of times they can. Privilege escalation exploits are not exactly uncommon on Windows.

The old version of Petya would ask for admin privileges and if the user declined it, it would switch to running a payload called Mischa, which did not require admin privileges (which skipped encrypting the MFT but instead attacked files one by one).

 

5 hours ago, GoodBytes said:

Windows 10 does have a lock down to Store only apps feature, if you are concern about this though. You get to install any software you want, then you lock yourself, and now from that point on, any programs not already installed are blocked from running, beside if it comes from the store.

I have a question about that. Does it also block the non-store programs from being updated? If that's the case then it's not really a solution.

[SpaceGhostC2C]

8 hours ago, hey_yo_ said:

I don't want to dismiss what Microsoft is doing but it seems it will only protect my personal files from unwanted encryption but not the master boot record?

To be fair, your data is what really matters, and the only hope of Ransomware users to get any money. A broken MBR can be an inconvenience, but you can always overwrite it / nuke it/ make a new OS install, and recover your date from the drive.

[GoodBytes]

27 minutes ago, LAwLz said:

I have a question about that. Does it also block the non-store programs from being updated? If that's the case then it's not really a solution.

If the program has an auto-updater, based on a quick test on my side, it seams to be working. However if you manually go to the website and get a new version of the app, and run the setup, you'll just get this:

(And the option "Open Settings" gets you to the option in the Settings panel to disable this locked down feature).

[captain_to_fire]

38 minutes ago, SpaceGhostC2C said:

To be fair, your data is what really matters, and the only hope of Ransomware users to get any money. A broken MBR can be an inconvenience, but you can always overwrite it / nuke it/ make a new OS install, and recover your date from the drive.

That's good if the ransomware only encrypts the MBR but not the personal files but the problem is that there are variations of ransomware that does encrypt both. 

[GoodBytes]

15 minutes ago, hey_yo_ said:

That's good if the ransomware only encrypts the MBR but not the personal files but the problem is that there are variations of ransomware that does encrypt both. 

Right, but assuming the feature works and not yet by-passed in some ways, then it should prevent affecting ones personal data.

[captain_to_fire]

16 minutes ago, GoodBytes said:

Right, but assuming the feature works and not yet by-passed in some ways, then it should prevent affecting ones personal data.

I'll believe it when I see it and third party tests corroborate that the new Windows Defender in the Fall Creators Update. I would love to not pay anymore for a good AV but for now, I'll stick to others with proven anti-ransomware capabilities. I don't think it's fool proof but it works well.

[captain_to_fire]

1 hour ago, GoodBytes said:

If the program has an auto-updater, based on a quick test on my side, it seams to be working. However if you manually go to the website and get a new version of the app, and run the setup, you'll just get this:

 

(And the option "Open Settings" gets you to the option in the Settings panel to disable this locked down feature).

It's kinda like Gatekeeper which was first introduced in Mac OS X Mountain Lion.

 

Basically, the normal Windows 10 has some 10S like features:

[Jito463]

15 hours ago, hey_yo_ said:

To reduce the maintenance overhead, certain applications will be whitelisted automatically. Microsoft doesn't exactly specify which applications, but we imagine that apps from the Store would automatically be allowed access, for example.

And in the latest news, ransomware was found in an app on the Microsoft Store.

[Syntaxvgm]

16 hours ago, DXMember said:

oh look.. whitelisting

 

16 hours ago, djdwosk97 said:

Racist

 

16 hours ago, DXMember said:

well, I'm sorry but blacklisting clearly doesn't work

I blame the schools. 

The colleges with security majors. 

[captain_to_fire]

I was hoping you can shed some light into this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

Spoiler

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.

[DXMember]

26 minutes ago, hey_yo_ said:

I was hoping you can shed some light into this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.

If you enable "Stop apps only" you can't launch UWP apps that haven't come from Windows Store does nothing for Win32 apps

[vorticalbox]

so how does this exactly protect my files? Do i have to allow programs i install to be allowed to write to the folders?