This commit is contained in:
Beth Levin
2018-07-30 16:00:05 -07:00
parent 22292161b2
commit 5afa442e2a
5 changed files with 98 additions and 149 deletions

View File

@ -13,7 +13,7 @@ ms.date: 07/18/2018
# Phishing # Phishing
Phishing attacks attempt to steal sensitive information from internet users through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals. Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces. The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
@ -21,7 +21,7 @@ The information that phishers (as the cybercriminals behind phishing attacks are
Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information. Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information.
Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics legitimate sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you. Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you.
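Review bot: dropping "legitimate" from "mimics legitimate sign-in pages" loses the point that the fake page copies a real service's sign-in page; "mimics the sign-in pages of legitimate services" keeps that meaning while still avoiding the double use of "legitimate" in one sentence.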
@ -49,9 +49,9 @@ Phishing emails can be very effective, and so attackers can using them to distri
We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
### Targeted attacks against enterprises ## Targeted attacks against enterprises
#### Spear phishing ### Spear phishing
Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target. Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target.
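Review bot: the unchanged context line at the top of this hunk carries a typo, "attackers can using them to distri…", which should read "attackers can use them to distribute"; since the heading levels in this region are being touched anyway, fix it in the same commit rather than leaving a known error next to the edit.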
@ -59,11 +59,11 @@ Spear phishing may involve tricking you into logging into fake sites and divulgi
The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
#### Whaling ### Whaling
Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT. Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT.
#### Business email compromise ### Business email compromise
Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a companys network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers. Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a companys network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers.
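Review bot: "launch a malware that will lead to an APT" in the Whaling paragraph is unchanged context but is ungrammatical ("malware" is a mass noun); "launch malware that leads to an APT" is the idiomatic form, and "and/or bank information" can simply be "or bank information" in documentation prose.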
@ -73,25 +73,36 @@ Social engineering attacks are designed to take advantage of a user's possible l
### Awareness ### Awareness
The best protection is awareness and education. Dont open attachments or click links in unsolicited emails, even if the emails came from someone you know. If you are not expecting the email, be wary about opening the attachment and verify the URL. The best protection is awareness and education. Dont open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
Enterprises should educate and train their employees to be wary of any emails, phone calls, or the like, that request personal or financial information, and instruct them to report the threat to the companys security operations team immediately. Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the companys security operations team immediately.
Here are several telltale signs of a phishing scam: Here are several telltale signs of a phishing scam:
* If links or URLs provided in emails are not pointing to the correct location or are attempting to have you access a third-party site that is not affiliated with the sender of the email, you should use caution. For example, in the image below you see that the URL provided does not match the URL that you will be taken to if you click the link. This is a red flag and you should be wary of attempting to access this website. * The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to.
![example of how exploit kits work](./images/URLhover.png) ![example of how exploit kits work](./images/URLhover.png)
* Emails that request personal information such as social security numbers or bank or financial information are always a good sign that you should do further investigation. Never release any personal, private, or confidential information unless you are positive the email is from a valid source. Even official communications won't generally request personal information from you in the form of an email. * There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
* Oftentimes the scammer will change letters, add numbers, or otherwise change items in the email address so that it is similar enough to a legitimate email address. * **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters.
* Phishing websites are designed to look like legitimate sites that you are familiar with and use on a regular basis, but may use outdated logos, have typos, or ask you to give additional information that are not asked by legitimate sign-in websites. * The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
* Sometimes you will notice that the page that opens is not a live page but rather an image that is designed to look like the site you are familiar with. Be careful if, upon opening a new website, a pop-up appears that requests you to enter your credentials. * The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this.
If you are unsure if the email is a phishing scam, you should contact the business associated with it by phone or email to notify them of the email you received. * The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john<span></span>@example.com.
* There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites.
* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
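Review bot: the alt text on the URLhover.png image line still reads "example of how exploit kits work", which does not describe the screenshot the new first bullet points to ("the URL provided does not match the URL that you will be taken to"); change it to something like "hovering over a link shows a destination URL that differs from the link text". In the "inconsistencies or things that are not quite right" bullet the list is not parallel ("outdated logos, typos, or ask users to give additional information"); "or requests for information that legitimate sign-in pages do not ask for" fixes it. The new "unexpected and unsolicited" bullet restates the "If the email is unexpected, be wary" sentence two paragraphs above, so one of the two can go.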
@ -107,15 +118,19 @@ For more information, download and read this Microsoft [e-book on preventing soc
* [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) uses virtualization-based security to isolate secrets so that only privileged system software can access them. They are protected using virtualization-based security which blocks credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. * [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) uses virtualization-based security to isolate secrets so that only privileged system software can access them. They are protected using virtualization-based security which blocks credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
## What do I do if I've already been a victim of a phishing scam? ## What do I do if I've already been a victim of a phishing scam?
If you feel that you have been a victim of a phishing attack, contact your local law enforcement immediately. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc. If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc.
You can report phishing emails to phish@office365.microsoft.com. For more information see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/en-us/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). ### Reporting spam
Download the [Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook](https://www.microsoft.com/download/details.aspx?id=18275). Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/en-us/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
The Anti-Phishing Working Group which includes and involves ISPs, security vendors, financial institutions and law enforcement agencies uses reports generated from emails sent to reportphishing@apwg.org to fight phishing scams and hackers. For Outlook and Outlook on the web users, use the Report Message Add-in for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676).
Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved.
## Where to find more information about phishing attacks ## Where to find more information about phishing attacks
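Review bot: the new "### Reporting spam" heading does not match its content, which is about submitting phishing messages; "### Reporting phishing" fits the two paragraphs under it. Replacing "contact your local law enforcement" with "contact your IT Admin" removes the only advice for home users on a page that addresses both consumers and enterprises; keep both, for example "contact your IT admin or, for a personal account, your local law enforcement". The removed line "For more general tips, see [prevent malware infection](prevent-malware-infection.md)" was the only link in this direction, while prevent-malware-infection.md now links to phishing.md in the same commit, so consider keeping the cross-link. Finally, "The group uses reports generated from emails sent to fight phishing scams and hackers" is hard to parse; "The group uses the reports it receives to fight phishing" is clearer.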

View File

@ -14,112 +14,23 @@ ms.date: 07/12/2018
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts. Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
* Enable Windows security features
* Keep software up-to-date
* Watch out for threats on email or instant messaging
* Browse the web safely
* Stay away from pirated material
* Don't attach unfamiliar removable drives
* Use a non-administrator account
## Security solutions
[Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security?ocid=cx-wdsi-articles) provides comprehensive protection through real-time detection and removal of malware using next-gen antimalware technologies. It uses the cloud, machine learning, and behavior analysis to rapidly respond to emerging threats.
For effective antimalware protection, enable Windows Defender Antivirus and keep it up-to-date with [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq). To enable next-gen protection:
1. Search for **Windows Defender Security Center** to open the app.
2. Go to **Virus & threat protection**.
3. Make sure the switches for **Cloud-delivered protection** and **Automatic sample submission** are set to **On**.
Windows Defender Antivirus is built into Windows 10 and Windows 8.1. If your computer is running Windows 7 or earlier, you can download and use [Microsoft Security Essentials (MSE)](https://support.microsoft.com/help/14210/security-essentials-download).
For increased protection, Windows Defender Firewall blocks unwanted inbound network connections. It can also control which applications on your computer can initiate outbound connections and can warn of malware suddenly trying to establish a remote connection.
Read the articles below to learn how turn on Windows Defender Firewall:
* [Turn on the Windows Firewall in Windows 10](https://support.microsoft.com/help/4028544/windows-turn-windows-firewall-on-or-off)
* [Turn on the Windows Firewall in Windows 8.1 or Windows](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses)
With Windows 10, you also benefit from [Windows Defender Exploit Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/), which protects files in key folders with Controlled folder access. Enterprise users are also provided with [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-how-it-works), [Windows Defender System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/), broad or strategic exploit protection, reduction of attack surfaces with behavior detection rules, and reputation-based filtering of network connections.
### Additional protection for enterprises
In enterprise settings, phishing emails and other forms of phishing attacks may be the entry point for a larger cyberattack or espionage. The following technologies can help protect you from malware and other attacks that may arise from phishing:
* Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. Windows Defender Exploit Guard utilizes the capabilities of the Microsoft Intelligent Security Graph (ISG) to protect organizations from advanced threats, including zero-day exploits. The four components of Windows Defender Exploit Guard are:
* Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
* Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
* Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
* Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications
* Windows Defender Advanced Threat Protection (ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
* Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
* Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem.
* Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
## Keep software up-to-date ## Keep software up-to-date
[Exploits](exploits-malware.md) typically abuse vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office. To protect your PC from exploits, always keep software up-to-date. [Exploits](exploits-malware.md) typically abuse vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office. To protect your PC from exploits, always keep software up-to-date.
To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, by upgrading to the latest version of Windows, you automatically benefit from a host of built-in security enhancements. To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, by upgrading to the latest version of Windows, you automatically benefit from a host of built-in security enhancements.
## Watch out for threats on email or instant messaging ## Watch out for threats in links, attachments, and websites
Email and other messaging tools are a few of the most common ways your PC can get infected. Attachments or links on messages can open malware directly or can stealthily trigger a download. Some emails will instruct you to allow macros or other executable content—these instructions are designed to make it easier for malware to infect your computer. Email and other messaging tools are a few of the most common ways your PC can get infected. Attachments or links on messages can open malware directly or can stealthily trigger a download. Some emails will instruct you to allow macros or other executable content—these instructions are designed to make it easier for malware to infect your computer.
To avoid threats that arrive via email or other messaging tools:
* Learn to identify suspicious messages. Never open attachments or links in suspicious looking messages.
* Exercise caution when dealing with messages received from unknown sources or received unexpectedly from known sources.
* Use extreme caution when accepting file transfers.
* Social engineering attacks often use email as a way of gaining access to your personal information. Emails that request personal information or require you to access third-party sites might be part of social engineering attacks. Always use caution when providing personal or credential information.
* If you receive a notification from your bank or credit card company requiring immediate action, contact your bank or credit card company using contact information on their official website. Do not use links, email addresses, or phone numbers in the suspicious email.
* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering, helping protect you from malware, phishing, and other email threats. * Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering, helping protect you from malware, phishing, and other email threats.
### What are suspicious messages? For more information, see [Phishing](phishing.md)
Here are some characteristics that you can use to spot potentially harmful messages: ### Malicious or compromised websites
* The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
* The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails will not ask you to do this.
* The message contains errors. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
* The sender address does not match the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john<span></span>@example.com.
* There are multiple recipients in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
* The greeting on the message itself does not personally address you. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
* URLs behind links do not match the link text. Try hovering over links to check if they point to a sensible URL. In some cases, malicious URLs are completely off and even point to completely unrelated domains.
## Browse the web safely
The web is filled with useful and helpful content that we use every day. While there are billions of helpful pages, the web also contains sites that have been intentionally set up for malicious purpose. Some legitimate sites also get compromised—they are modified by attackers to deliver malware and other malicious content.
By visiting malicious or compromised sites, your PC can get infected with malware automatically or you can get tricked into downloading and installing malware. To avoid malware that are distributed through these websites:
* Do not click links in suspicious messages you received in email or other messaging services. See the tips above about identifying suspicious messages.
* Learn to spot spoofed or fake websites.
* Avoid sites that are likely to contain malware.
### How do I spot suspicious websites?
By visiting malicious or compromised sites, your PC can get infected with malware automatically or you can get tricked into downloading and installing malware.
Check for the following characteristics to identify potentially harmful websites: Check for the following characteristics to identify potentially harmful websites:
* Check the URL in the address bar. The initial part or the domain should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example<span></span>.com is spelled examp1e<span></span>.com, the site you are visiting is suspect. * Check the URL in the address bar. The initial part or the domain should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example<span></span>.com is spelled examp1e<span></span>.com, the site you are visiting is suspect.
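Review bot: this removal drops guidance that is not reinstated elsewhere in the diff: the three steps for turning on Cloud-delivered protection and Automatic sample submission, the Microsoft Security Essentials note for Windows 7, and the two Windows Defender Firewall links; the new Software solutions list later in this file covers antivirus, Controlled folder access and Windows Defender ATP but says nothing about the firewall or sample submission, so if the cut is intentional the firewall links at least should move there. The "Browse the web safely" bullets ("Learn to spot spoofed or fake websites", "Avoid sites that are likely to contain malware") are also gone, leaving the new "### Malicious or compromised websites" subsection with only the URL checklist. Minor: "For more information, see [Phishing](phishing.md)" is missing its trailing period.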
@ -173,6 +84,35 @@ To further ensure that your data is protected from malware as well as other thre
* Monitor and safeguard your [familys online computing experience](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender). * Monitor and safeguard your [familys online computing experience](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender).
## Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up-to-date to get the latest protections.
* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
* [Office 365 Advanced Threat Protection](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
* [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free of charge. The following are all a part of Windows Defender ATP:
* [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is built into Windows 10 and, when enabled, provides real-time cloud-powered protection against threats.
* [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) helps protect your employees from untrusted sites by opening the site in an isolated Hyper-V-enabled container, separate from the host operating system.
* [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) uses virtualization-based security to isolate secrets so that only privileged system software can access them.
* [Windows Defender Exploit Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/) protects files in key folders with controlled folder access.
* [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security) blocks unwanted inbound network connections. It can also control which applications on your computer can initiate outbound connections and can warn of malware suddenly trying to establish a remote connection.
* [Windows Defender System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) protects and maintains the integrity of the system as it starts up and after its running. It also validates that system integrity has truly been maintained through local and remote attestation.
## What to do if you have a malware infection ## What to do if you have a malware infection
Windows Defender Antivirus helps reduce the chances of infection and will automatically remove threats that it detects. Windows Defender Antivirus helps reduce the chances of infection and will automatically remove threats that it detects.
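Review bot: the new "Software solutions" list is the ransomware page's product list pasted into a page about malware in general (the hunk context "protected from malware as well as other threats" and the following "What to do if you have a malware infection" heading), but four bullets still describe ransomware only: Controlled folder access "stops ransomware in its tracks", Microsoft Edge "protects against threats such as ransomware", Office 365 Advanced Threat Protection blocks "emails carrying ransomware downloaders", and Windows Defender Advanced Threat Protection helps "prevent ransomware". On this page each bullet should say what the control does against malware generally (unauthorized apps including ransomware; exploit kits and malicious sites; malicious mail and attachments; endpoint detection and response), with ransomware kept as one example. Three further problems in the same hunk: the sentence "The following are all a part of Windows Defender ATP:" is followed by Antivirus, Application Guard, Credential Guard, Exploit Guard, Firewall and System Guard as top-level bullets rather than indented sub-bullets, so it dangles; the Windows Defender Exploit Guard bullet repeats the Controlled folder access bullet already given above it, so merge the two; and the SmartScreen link points at the Edge deploy index rather than SmartScreen documentation, and is the only link in the list carrying an /en-us/ locale segment. Minor wording: "Automatic Microsoft updates keeps" should be "keep", "after its running" should be "after it's running", and "Try Windows Defender ATP free of charge" is marketing copy that does not belong in a conceptual page.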

View File

@ -12,7 +12,7 @@ ms.date: 07/01/2018
--- ---
# Ransomware # Ransomware
Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock your files. Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks. The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks.
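Review bot: the rewritten definition sentence still reads "attempts to extort money from victims by asking for money", which says the same thing twice, and "usually in form of cryptocurrencies" drops the article. Suggest: "Ransomware attempts to extort victims by demanding payment, usually in the form of cryptocurrency, in exchange for the decryption key." The change from "unlock your files" to "unlock the files they encrypted" is the right direction for the third-person tone the other pages in this commit use.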
@ -22,23 +22,28 @@ Most ransomware infections start with:
- Email messages with attachments that try to install ransomware. - Email messages with attachments that try to install ransomware.
- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install ransomware. - Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
More recent ransomware have [worm-like](worms-malware.md) capabilities that enable them to spread to other computers in the network. For example, Spora drops ransomware copies in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses.
### Examples ### Examples
Ransomware like Cerber and Locky search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
More sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also known as NotPetya) include other capabilities, such as spreading to other computers via network shares or exploits. * Spora drops ransomware copies in network shares.
Bad Rabbit ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks. * WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
Older ransomware like Reveton locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware". * A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-Service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses.
## How to protect against ransomware ## How to protect against ransomware
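Review bot: the added paragraph "More recent ransomware have worm-like capabilities..." repeats, almost word for word, the three bullets added under Examples in the same hunk (Spora drops copies in network shares; WannaCrypt exploits CVE-2017-0144; a Petya variant exploits CVE-2017-0145 and uses stolen credentials), so both CVEs now appear twice within a few lines of each other. Keep one copy, either the paragraph under the infection vectors or the bullets under Examples, not both. Three smaller points in the same region: "More recent ransomware have" should be "has"; the Examples intro says "Petya (also known as NotPetya)" while the bullet correctly says "A Petya variant", and it is the variant, not Petya itself, that is called NotPetya, so use "a Petya variant (NotPetya)" in both places; and EternalBlue and EternalRomance are names of the exploits rather than of the vulnerabilities, so "CVE-2017-0144 (also called EternalBlue)" should read "CVE-2017-0144 (exploited by EternalBlue)". Since this hunk touches the surrounding text, the unchanged line "encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4" is worth fixing at the same time: files are encrypted with a symmetric cipher (RC4 or AES), and RSA is typically used to protect that key, so listing RSA as the file-encryption algorithm is misleading.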
@ -52,20 +57,4 @@ We recommend:
- Educate your employees so they can identify social engineering and spear-phishing attacks. - Educate your employees so they can identify social engineering and spear-phishing attacks.
Microsoft provides comprehensive security capabilities that help protect against threats such as ransomware. We recommend: For more general tips, see [prevent malware infection](prevent-malware-infection.md).
- [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
- [Office 365 Advanced Threat Protection](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
- [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
- [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free of charge.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is built into Windows 10 and, when enabled, provides real-time cloud-powered protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protections.
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) helps protect your employees from untrusted sites by opening the site in an isolated Hyper-V-enabled container, separate from the host operating system.
- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
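Review bot: replacing the entire product list with the pointer to prevent-malware-infection.md removes the only ransomware-specific mitigations on the ransomware page: Controlled folder access (unauthorized apps denied access to protected folders), OneDrive for Business file restore after an infection, and the Windows Defender ATP alerts for deletion of volume shadow copies. The generic items (Microsoft 365, Edge, Application Guard, keeping Windows Defender Antivirus up to date) belong on the general page, but the "We recommend" list that remains above the link should keep the two recommendations a reader comes to this page for, backups with a tested restore path and Controlled folder access, with one sentence each, rather than delegating everything to the general page. Also confirm the moved bullets actually land in the target of the link in this commit; the text removed here matches the list added in the earlier hunk of this diff.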

View File

@ -22,32 +22,35 @@ For example, if you were to ask your PC to list all of the programs that are run
Many modern malware families use rootkits to try and avoid detection and removal, including: Many modern malware families use rootkits to try and avoid detection and removal, including:
- [Alureon](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon) * [Alureon](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
- [Sirefef](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef) * [Sirefef](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
- [Rustock](http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock) * [Rustock](http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
- [Sinowal](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal) * [Sinowal](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
- [Cutwail](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail) * [Cutwail](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
## How to protect against rootkits ## How to protect against rootkits
Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place. Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.
- Update your software. * Apply the latest updates to operating systems and apps.
- Use security software to protect your device. Windows Defender Antivirus is included with Windows 10 and provides real-time detection and removal of malware. * Educate your employees so they can be wary of suspicious websites and emails.
- Be wary of suspicious websites and emails. * Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
### What if I think I have a rootkit on my PC? ### What if I think I have a rootkit on my PC?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your PC, and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment. Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your PC, and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
In this case, use [Windows Defender Offline](http://windows.microsoft.com/windows/what-is-windows-defender-offline). In this case, use [Windows Defender Offline](http://windows.microsoft.com/windows/what-is-windows-defender-offline).
Windows Defender Offline is a standalone tool that has the latest anti-malware updates from Microsoft. Its designed to be used on PCs that aren't working correctly due to a possible malware infection. Windows Defender Offline is a standalone tool that has the latest anti-malware updates from Microsoft. Its designed to be used on PCs that aren't working correctly due to a possible malware infection.
### What if I cant remove a rootkit? ### What if I cant remove a rootkit?
If the problem persists, we strongly recommend that you reinstall your operating system and your security software. You should then restore your data from backup. If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup.
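Review bot: the new backup bullet misstates the 3-2-1 rule. "Keep three backups of your data" should be "keep three copies of your data" (the working copy plus two backups), on two different storage types, with one copy offsite; as written it asks for four copies. Two consequences of the deleted bullet "Use security software to protect your device. Windows Defender Antivirus is included with Windows 10...": the later section "What if I think I have a rootkit on my PC?" still says "your antimalware software isn't detecting it", which now has no antecedent in the protection list, so either keep a one-line security-software bullet or make the general-tips link carry it; and the replacement bullets switch to an enterprise audience ("Educate your employees") while the headings in the same hunk still address a consumer ("on my PC", "What if I can't remove a rootkit?"), so pick one audience for the page. Minor: "the best way to avoid rootkits is to prevent it from being installed" should be "prevent them", and the encyclopedia links in the unchanged context lines are still plain http://.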

View File

@ -23,7 +23,7 @@ Because software is built and released by trusted vendors, these apps and update
The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app. The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.
## Types of Supply Chain Attacks ### Types of Supply Chain Attacks
* Compromised software building tools or updated infrastructure * Compromised software building tools or updated infrastructure
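Review bot: demoting "Types of Supply Chain Attacks" from ## to ### makes it a subsection of whatever ## heading precedes it; check that the page's other headings ("How to protect..." and similar) are at the intended levels, otherwise this section nests under the wrong parent in the table of contents. The heading is also the only title-case heading touched by this commit ("Software solutions", "How to protect against rootkits" are sentence case), so "Types of supply chain attacks" would match. In the unchanged context line, "Compromised software building tools or updated infrastructure" reads like two typos: "build tools" and "update infrastructure", which is what the page's example of a poisoned app update describes.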
@ -48,4 +48,6 @@ The number of potential victims is significant, given the popularity of some app
* Build secure software update processes as part of the software development lifecycle. * Build secure software update processes as part of the software development lifecycle.
* Develop an incident response process for supply chain attacks. * Develop an incident response process for supply chain attacks.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).