From 6c2c743438e594ae16a330447e065e3a41ad08f5 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:04:52 -0700 Subject: [PATCH 1/3] Removal of ransomware-malware article --- .openpublishing.redirection.json | 5 ++ windows/security/threat-protection/TOC.yml | 2 +- .../threat-protection/intelligence/TOC.yml | 2 +- .../intelligence/criteria.md | 2 +- .../intelligence/phishing-trends.md | 2 +- .../intelligence/ransomware-malware.md | 77 ------------------- .../intelligence/understanding-malware.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 1 - 8 files changed, 10 insertions(+), 83 deletions(-) delete mode 100644 windows/security/threat-protection/intelligence/ransomware-malware.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8dbea776cc..25d94e8125 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18920,6 +18920,11 @@ "redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/intelligence/ransomware-malware.md", + "redirect_url": "/security/compass/human-operated-ransomware", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md", "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows", diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index e310d0d993..60b48e0739 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -193,7 +193,7 @@ - name: Phishing href: intelligence/phishing.md - name: Ransomware - href: intelligence/ransomware-malware.md + href: /security/compass/human-operated-ransomware - name: Rootkits href: intelligence/rootkits-malware.md - name: Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml index eb239b51c5..78fea4eba3 100644 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ b/windows/security/threat-protection/intelligence/TOC.yml @@ -18,7 +18,7 @@ - name: Phishing trends and techniques href: phishing-trends.md - name: Ransomware - href: ransomware-malware.md + href: /security/compass/human-operated-ransomware - name: Rootkits href: rootkits-malware.md - name: Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 8f05e1c296..381dc66ce4 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -62,7 +62,7 @@ Microsoft classifies most malicious software into one of the following categorie * **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. -* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). +* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware). * **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md index 9645672acd..1785d95a38 100644 --- a/windows/security/threat-protection/intelligence/phishing-trends.md +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -41,7 +41,7 @@ An attacker sends a fraudulent email requesting you to open or download a docume ## Phishing emails that deliver other threats -Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. +Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md deleted file mode 100644 index 5a04348f87..0000000000 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Ransomware -ms.reviewer: -description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. -keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora -ms.prod: m365-security -ms.mktglfcycl: secure -ms.sitesec: library -ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -search.appverid: met150 -ms.technology: mde ---- -# Ransomware - -Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted. - -The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks. - -## How ransomware works - -Most ransomware infections start with: - -- Email messages with attachments that try to install ransomware. - -- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. - -Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. - -Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses. - -### Examples - -Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits. - -- Spora drops ransomware copies in network shares. - -- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. - -- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. - -Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. - -Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. - -**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks. - -## How to protect against ransomware - -Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms. - -To provide the best protection against ransomware attacks, Microsoft recommends that you: - -- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. - -- Apply the latest updates to your operating systems and apps. - -- Educate your employees so they can identify social engineering and spear-phishing attacks. - -- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. - -For more general tips, see [prevent malware infection](prevent-malware-infection.md). - -## Human-operated ransomware - -Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. - -Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. - -The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). - -See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 63477837e9..f98d44ceb7 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -32,7 +32,7 @@ There are many types of malware, including: - [Exploits and exploit kits](exploits-malware.md) - [Macro malware](macro-malware.md) - [Phishing](phishing.md) -- [Ransomware](ransomware-malware.md) +- [Ransomware](/security/compass/human-operated-ransomware) - [Rootkits](rootkits-malware.md) - [Supply chain attacks](supply-chain-malware.md) - [Tech support scams](support-scams.md) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index cd82d2c618..b9b73c1bcb 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -141,7 +141,6 @@ This also means you’ll see more links to other security apps within **Windows You can read more about ransomware mitigations and detection capability at: - [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware security intelligence](/windows/security/threat-protection/intelligence/ransomware-malware) - [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) From 86c3b2f3618f0fc57c970fbef3ea98156e732255 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:06:14 -0700 Subject: [PATCH 2/3] Update whats-new-windows-10-version-1703.md --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 2c639ff2a3..b05bba2289 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -150,7 +150,7 @@ New features for Microsoft Defender AV in Windows 10, version 1703 include: In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). -You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [ransomware information topic](/windows/security/threat-protection/intelligence/ransomware-malware) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). +You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). ### Device Guard and Credential Guard From f5fb120b36094e6a5ee3bcf57a2da0890a15cc62 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 28 Jun 2021 16:10:22 -0700 Subject: [PATCH 3/3] Update whats-new-windows-10-2019.md --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index b9b73c1bcb..2b62e7fc98 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security