{"id":21636,"date":"2023-04-03T08:30:04","date_gmt":"2023-04-03T16:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/03\/news-15367\/"},"modified":"2023-04-03T08:30:04","modified_gmt":"2023-04-03T16:30:04","slug":"news-15367","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/03\/news-15367\/","title":{"rendered":"Ransomware as a service? Windows users can still fight back."},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2022\/09\/ransomware-attack-100932412-small.jpg\"\/><\/p>\n<p><em>Ransomware<\/em>.<\/p>\n<p>It\u2019s one word that can strike a chill in anyone from a corporate C-suite to a home user. It\u2019s sometimes hard to get a feel for the overall ransomware industry (and yes, it\u2019s now an industry). But based on anecdotal reviews of forums and social media, it appears as though attacks against individuals are slowing. I no longer see people report they\u2019ve been hit by ransomware on their PCs.<\/p>\n<p>But it may be that attackers have realized that going after \u201cone-off\u201d targets isn\u2019t the best business plan. In fact, in a recent <a href=\"https:\/\/secure.microsoft.com\/en-US\/sessions\/7f3add4d-567e-4827-ae26-a8c9fefa900f?source=\/speakers\/2fd47395-e34f-44af-af9f-9fb3412f00a3\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft Secure online seminar<\/a> (registration required), Jessica Payne and Geoff McDonald discuss how ransomware is now a big business, offered as a service by those who sell access to compromised networks to others.<\/p>\n<p>When attackers go after big-name targets, they often create bad press for the ransomware industry. 
So, they\u2019re now coordinating efforts to avoid headlines likely to prompt vendors and providers to tighten security, end users to patch, and corporations to deploy better security solutions.<\/p>\n<p>Beyond that, attackers are also seeding search results for the tools and information IT teams need to do their jobs. A top-ranked result could, for example, point an admin to a trojanized copy of a legitimate utility that quietly installs a back door. That access is then sold on the black market. (Ransomware actors know the easiest way into a network is to trick the \u201cunpatched human.\u201d) While companies may be doing a better job of patching operating systems and Office suites, they still rely too much on end users to be smart. If users are not slightly paranoid, meaning they stop and think before clicking a link or acting on a phishing message, networks remain vulnerable.<\/p>\n<p>Ransomware can also enter systems through security misconfigurations or overlooked vulnerabilities. Payne pointed to the additional information in a 2022\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\" rel=\"noopener nofollow\" target=\"_blank\">Ransomware as a Service<\/a> blog post. Attack Surface Reduction (ASR) rules remain one set of tools many firms do not take advantage of. ASR rules can be enabled on Windows 10 and 11 Pro and Enterprise editions, provided Microsoft Defender Antivirus is the active antivirus engine, and they block the behaviors attackers rely on (Office applications spawning child processes, credential theft from LSASS, and the like) before any files are encrypted.<\/p>\n<p>Even if you\u2019re not a Microsoft 365 Defender customer, you can deploy ASR rules; the specific rules that target ransomware processes:<\/p>\n<p>ASR rules, which usually don\u2019t <a href=\"https:\/\/blog.palantir.com\/microsoft-defender-attack-surface-reduction-recommendations-a5c7d41c3cf8\" rel=\"noopener nofollow\" target=\"_blank\">cause any side effects<\/a> for normal PC use, can be set to \u201caudit\u201d mode, which logs what a rule would have blocked without actually blocking anything. 
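<\/p>\n<p>To make the audit-first approach concrete, here is an added example (not code from the article, from Microsoft, or from the speakers) that stages a handful of ASR rules in audit mode with PowerShell, reads back the configured state, summarizes the audit events they generate, and finally promotes one rule to block. It assumes an elevated session on Windows 10 or 11 Pro or Enterprise with Microsoft Defender Antivirus active. The rule GUIDs are taken from Microsoft\u2019s public ASR rules reference and should be re-checked against it before use, and the event-data field names are an assumption to verify against an actual 1122 event on your own systems.<\/p>\n
```powershell
# Added example, not code from the Computerworld article or from Microsoft.
# Stages Defender Attack Surface Reduction rules in audit mode, reviews what they
# would have blocked, then promotes one rule to block. Run elevated on Windows 10/11
# Pro or Enterprise with Microsoft Defender Antivirus active.
# Rule GUIDs are from Microsoft's ASR rules reference; re-check them before deploying.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

# Step 1: turn every rule on in audit mode. Add-MpPreference merges with whatever is
# already configured; Set-MpPreference would replace the entire rule list.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    Write-Output ('AuditMode: {0}  ({1})' -f $asrRules[$id], $id)
}

# Step 2: read back the effective state. Action codes: 0=Disabled 1=Block 2=Audit 6=Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    Write-Output ('{0} -> {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i])
}

# Step 3: after the audit period, summarize hits. Event 1122 = audited (would have been
# blocked); 1121 = blocked. The EventData field names ('ID', 'Process Name', 'Path') are
# an assumption taken from observed 1122 events; confirm against one of yours.
$since = (Get-Date).AddDays(-14)
$hits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = $since
    } -ErrorAction SilentlyContinue
$hits | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $name = $asrRules[$data['ID']]
        if (-not $name) { $name = $data['ID'] }   # rule not in our table: show the GUID
        [pscustomobject]@{ Rule = $name; Process = $data['Process Name']; Target = $data['Path'] }
    } |
    Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 4: once a rule's audit log shows only expected activity, switch it to block.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'c1db55ab-c21a-4637-bb3f-a12568109d35' -AttackSurfaceReductionRules_Actions Enabled
```
\n<p>Add-MpPreference is used for both the audit stage and the promotion because, per Microsoft\u2019s documentation, Set-MpPreference overwrites the whole rule set. If you manage ASR through Intune or Group Policy, make the change there instead: managed policy takes precedence over local PowerShell settings, so a locally switched rule would be reverted at the next policy refresh.<\/p>\n<p>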
Running rules in audit mode first is the safe way to measure their impact on a network before switching them to block.<\/p>\n<p>In addition, Microsoft has made changes to Office to slow the deployment of ransomware. One recent change involves VBA macros. As\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\" rel=\"noopener nofollow\" target=\"_blank\">noted by Microsoft<\/a>, \u201cVBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, Microsoft is changing the default behavior of Office applications to block macros in files from the internet. With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, there will be a red notice shown at the top of the opened file.\u201d<\/p>\n<p>Users should identify the macro-enabled files they genuinely need for work and make sure those files are no longer treated as suspect, for example by storing them in an Office trusted location. (You can review Microsoft\u2019s guidance <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/internet-macros-blocked\" rel=\"noopener nofollow\" target=\"_blank\">here<\/a> to ensure that you don\u2019t block files you need.) As noted in the presentation, \u201cQakBot and Emotet have both relied heavily on malicious macros for initial access. But after Microsoft disabled macros globally, they have shifted to other techniques, such as using direct links to payloads and phishing emails or attaching OneNote attachments to those phishing emails.\u201d<\/p>\n<p>And <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/roadmap?filters=OneNote%2CIn%20development&amp;searchterms=122277\" rel=\"noopener nofollow\" target=\"_blank\">coming this month<\/a> to OneNote on Windows are additional protections for users who open or download an embedded file in OneNote. Users will get a warning when an embedded file is of a type considered dangerous, a change designed to improve file protection in OneNote. 
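<\/p>\n<p>The macro-blocking and trusted-location advice above, as an added example (not code from the article, from Microsoft, or from the speakers): the script lists downloaded macro-enabled Office files that carry the Mark of the Web that triggers the block, then registers a single IT-controlled folder as a Word Trusted Location so approved templates open normally without unblocking files one at a time. It assumes Office 2016 or later (registry version key 16.0) and Word; the folder path and the Location20 subkey name are placeholders, and for Excel the same layout exists under the Excel key.<\/p>\n
```powershell
# Added example, not code from the Computerworld article or from Microsoft.
# Shows which downloaded macro-enabled Office files carry the Mark of the Web that
# triggers the macro block, then registers one IT-controlled folder as a Word Trusted
# Location so approved templates work without unblocking files one at a time.
# Assumptions: Office 2016 or later (registry version key 16.0); the folder path is a
# placeholder; for Excel, use the Excel key instead of Word.

# The block is keyed off the Zone.Identifier alternate data stream: ZoneId 3 = Internet,
# 4 = Restricted sites. A file with no stream, or zone 0-2, is not affected by the rule.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads  = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { return [int](($line -split '=')[1]) }
        return $null
    } catch {
        return $null   # no Zone.Identifier stream: the file was not tagged as internet-sourced
    }
}

$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -Include *.docm,*.dotm,*.xlsm,*.xltm -Recurse -File |
    ForEach-Object { [pscustomobject]@{ File = $_.FullName; Zone = Get-MotwZone -Path $_.FullName } } |
    Where-Object { $_.Zone -ge 3 } |
    Format-Table -AutoSize

# Trusted Location: macros in this folder run without the block, so trust the folder,
# not individual files, and keep it outside any path users or downloads can write to.
# Any unused LocationNN subkey name works; the same layout exists under
# HKCU:\\Software\\Policies\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations for GPO-managed entries.
$trusted = 'C:\\MacroTemplates\\Approved'   # placeholder path (assumption)
$key     = 'HKCU:\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations\\Location20'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name Path            -Value $trusted
Set-ItemProperty -Path $key -Name AllowSubFolders -Value 0 -Type DWord
Set-ItemProperty -Path $key -Name Description     -Value 'Approved macro templates (IT managed)'
Get-ItemProperty -Path $key | Select-Object Path, AllowSubFolders, Description
```
\n<p>The point of the check is that the block is driven by the zone tag, not the file name: a file copied from a network share or unzipped by a tool that does not propagate the stream will not show a warning, while the same document saved from a browser will. Unblock-File or clearing the stream makes one file run; a trusted location makes everything in a folder run, which is only acceptable when users cannot write to that folder.<\/p>\n<p>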
Clearly, Microsoft is trying to stay one step ahead of attackers.<\/p>\n<p>Some ransomware operators are now pivoting to pure extortion. By proving to a company that they <em>can<\/em> destroy its data, either on premises or in the cloud, attackers can collect a payoff without ever carrying out the destruction. Microsoft has a <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/security-compliance-and-identity\/tech-accelerator-microsoft-secure-amp-microsoft-intune-suite\/ba-p\/3779907\" rel=\"noopener nofollow\" target=\"_blank\">follow-up event April 11-13 <\/a>\u00a0to augment topics covered at Microsoft Secure. For additional resources and information, the SANS organization is also offering a free day-long <a href=\"https:\/\/www.sans.org\/cyber-security-training-events\/ransomware-summit-2023\/\" rel=\"noopener nofollow\" target=\"_blank\">Ransomware Summit<\/a> June 23 to discuss initial access vectors and defensive techniques.<\/p>\n<p>While the ransomware situation may be improving for home users, the same isn\u2019t necessarily true for business. Now\u2019s the time to review these resources and make it harder for attackers to turn your company into a revenue stream for them.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3692550\/ransomware-as-a-service-windows-users-can-still-fight-back.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2022\/09\/ransomware-attack-100932412-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p><em>Ransomware<\/em>.<\/p>\n<p>It\u2019s one word that can strike a chill in anyone from a corporate C-suite to a home user. It\u2019s sometimes hard to get a feel for the overall ransomware industry (and yes, it\u2019s now an industry). 
But based on anecdotal reviews of forums and social media, it appears as though attacks against individuals are slowing. I no longer see people report they\u2019ve been hit by ransomware on their PCs.<\/p>\n<p>But it may be that attackers have realized that going after \u201cone-off\u201d targets isn\u2019t the best business plan. In fact, in a recent <a href=\"https:\/\/secure.microsoft.com\/en-US\/sessions\/7f3add4d-567e-4827-ae26-a8c9fefa900f?source=\/speakers\/2fd47395-e34f-44af-af9f-9fb3412f00a3\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft Secure online seminar<\/a> (registration required), Jessica Payne and Geoff McDonald discuss how ransomware is now a big business, offered as a service by those who sell access to compromised networks to others.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3692550\/ransomware-as-a-service-windows-users-can-still-fight-back.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,24580,10525,10761,24583],"class_list":["post-21636","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-small-and-medium-business","tag-windows","tag-windows-10","tag-windows-11"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/
\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21636"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21636\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21636"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}