With Attack Surface Reduction rules in Windows 10 and 11 (and other tweaks), users can make it harder for attackers to succeed.

Ransomware. It’s one word that can strike a chill in anyone from a corporate C-suite to a home user.

It’s sometimes hard to get a feel for the overall ransomware industry (and yes, it’s now an industry). But based on anecdotal reviews of forums and social media, it appears as though attacks against individuals are slowing. I no longer see people report they’ve been hit by ransomware on their PCs. But it may be that attackers have realized that going after “one-off” targets isn’t the best business plan.

In fact, in a recent Microsoft Secure online seminar (registration required), Jessica Payne and Geoff McDonald discuss how ransomware is now a big business, offered as a service by those who sell access to compromised networks to others. When attackers go after big-name targets, they often create bad press for the ransomware industry. So, they’re now coordinating efforts to avoid headlines likely to prompt vendors and providers to tighten security, end users to patch, and corporations to deploy better security solutions.

Beyond that, attackers are also targeting search results for the information tools IT teams need to do their job. A search result could, for example, point admins to a malicious tool that tricks them into installing a potential back door. That access is then sold on the black market. (Ransomware actors know the easiest way into a network is to trick the “unpatched human.”)

While companies may be doing a better job of patching operating systems and Office suites, they still rely too much on end users to be smart. If users are not slightly paranoid — meaning they stop and think before clicking on links and phishing schemes — networks remain vulnerable. Ransomware can also enter systems due to security misconfigurations or overlooked vulnerabilities.
Payne pointed to the additional information in a 2022 Ransomware as a Service blog post.

Attack Surface Reduction (ASR) rules remain one set of tools many firms do not take advantage of. ASR rules can be enabled on Windows 10 and 11 Professional versions to boost Windows’ ability to block attackers. Even if you’re not a Microsoft 365 Defender customer, you can deploy ASR rules. The specific rules that target ransomware processes are:

- Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe).
- Block process creations originating from PsExec and WMI commands.
- Use advanced protection against ransomware.

ASR rules, which usually don’t cause any side effects to normal PC processing, can be set to “audit” systems rather than impose restrictions. That’s one way to test the impact on a network.

In addition, Microsoft has made changes to Office to slow the deployment of ransomware. One recent change involves VBA macros. As noted by Microsoft, “VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, Microsoft is changing the default behavior of Office applications to block macros in files from the internet. With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, there will be a red notice shown at the top of the opened file.”

Users should identify the files they need for work and ensure those files are no longer deemed suspect by placing them in a trusted location. (You can review guidance here to ensure that you don’t block files you need.) As noted in the presentation, “QakBot and Emotet have both relied heavily on malicious macros for initial access.
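The following is an added example, not code from the article or from Microsoft, showing how the four ASR rules named above can be staged in audit mode, read back from Defender, and checked against the audit and block events they write. It assumes an elevated PowerShell session on Windows 10/11 Pro with Microsoft Defender Antivirus active, and that the rule GUIDs match Microsoft’s current ASR rule reference (they are assumed here; verify them before deploying). The function names (`Set-AsrRuleStage`, `Get-AsrRuleState`, `Get-AsrEventSummary`) are this example’s own.

```powershell
# Added example, not code from the article or from Microsoft: stage the four ASR
# rules the article names in Audit mode, read back how Defender has them set, and
# summarize the audit/block events they generate. Run in an elevated PowerShell
# session on Windows 10/11 Pro with Microsoft Defender Antivirus active.
# The rule GUIDs are taken from Microsoft's ASR rule reference (assumed current;
# verify against the documentation before deploying).

$AsrRules = [ordered]@{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (lsass.exe)'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Numeric action codes Get-MpPreference reports for each configured rule.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleStage {
    # Apply one action to every rule in the table. Start with AuditMode: the rule
    # logs what it would have blocked (event ID 1122) without stopping anything.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Rules,
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string] $Action = 'AuditMode'
    )
    foreach ($id in $Rules.Keys) {
        # Add-MpPreference adds or updates a single rule; it does not clear rules
        # configured elsewhere (Set-MpPreference would replace the whole list).
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Report the current action for each rule in the table, or 'Not set'.
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Rules)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $Rules.Keys) {
        $i = [Array]::IndexOf($ids, $id.ToLower())
        $state = if ($i -ge 0) { $ActionName[[int]$actions[$i]] } else { 'Not set' }
        [pscustomobject]@{ RuleId = $id; State = $state; Rule = $Rules[$id] }
    }
}

function Get-AsrEventSummary {
    # Count recent ASR events: 1121 = a rule blocked something, 1122 = audit hit.
    # A steady stream of 1122s for a rule is the signal to investigate before
    # switching that rule from AuditMode to Enabled.
    param([int] $MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Kind    = if ($_.Name -eq '1121') { 'Blocked' } else { 'Audited' }
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
}

# Usage: stage in audit mode, confirm the state, then review hits for a few weeks
# before running Set-AsrRuleStage again with -Action Enabled.
Set-AsrRuleStage -Rules $AsrRules -Action AuditMode
Get-AsrRuleState -Rules $AsrRules | Format-Table -AutoSize
Get-AsrEventSummary | Format-Table -AutoSize
```

The script uses `Add-MpPreference` rather than `Set-MpPreference` deliberately: the former adds or updates only the rules you name, while the latter replaces the whole rule list and can silently undo rules pushed by Intune or Group Policy.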
But after Microsoft disabled macros globally, they have shifted to other techniques, such as using direct links to payloads and phishing emails or attaching OneNote attachments to those phishing emails.”

And coming this month to OneNote on Windows are additional protections for users who open or download an embedded file in OneNote. Users will get a notification of files considered dangerous, a change designed to improve the file protection experience in OneNote. Clearly, Microsoft is trying to stay one step ahead of attackers.

Some ransomware operators are now pivoting to extortion. By merely proving to a company that they can destroy data — either on premises or in the cloud — without actually doing so, attackers can get a payoff without actually inflicting harm.

Microsoft has a follow-up event April 11-13 to augment topics covered at Microsoft Secure. For additional resources and information, the SANS organization is also offering a free day-long Ransomware Summit June 23 to discuss initial access vectors and defensive techniques.

While the ransomware situation may be improving for home users, the same isn’t necessarily true for business. Now’s the time to review these resources and make it harder for attackers to turn your company into a revenue stream for them.
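The macro-blocking change and the trusted-location advice above rest on two things an admin can inspect directly: the Mark of the Web that tells Office a file “came from the internet,” and the Trusted Locations list that exempts work files from the block. The following is an added example, not code from the article or from Microsoft, that checks both. It assumes Office 16.0 (Office 2016 and later, including Microsoft 365) with per-user trusted locations under HKCU; the sample file and its Zone.Identifier stream are constructed in the script, and the function names are this example’s own.

```powershell
# Added example, not code from the article or from Microsoft: show why Office now
# blocks a macro-bearing file and check whether a file would be exempt because it
# sits in an Office Trusted Location. Assumes Office 16.0 (Office 2016 and later,
# including Microsoft 365) and per-user trusted locations under HKCU; the sample
# file and its Zone.Identifier stream are constructed here for the demonstration.

function Get-MarkOfTheWeb {
    # Office decides a file "came from the internet" from the Zone.Identifier
    # alternate data stream that browsers and mail clients attach on download.
    # ZoneId 3 (Internet) or 4 (Restricted) triggers the macro block.
    param([Parameter(Mandatory)] [string] $Path)
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zone = $null
    foreach ($line in @($stream)) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path          = $Path
        ZoneId        = $zone
        MacrosBlocked = ($null -ne $zone -and $zone -ge 3)
    }
}

function Get-OfficeTrustedLocations {
    # Read per-user Trusted Locations for the given Office apps (registry layout
    # as used by Office 16.0: one Location key each with Path and AllowSubfolders).
    param([string[]] $Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $base = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Locations"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem $base | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.Path) {
                [pscustomobject]@{
                    App             = $app
                    Path            = [Environment]::ExpandEnvironmentVariables([string]$p.Path)
                    AllowSubfolders = ([int]($p.AllowSubfolders) -eq 1)
                }
            }
        }
    }
}

function Test-InTrustedLocation {
    # True if the file's folder is a trusted location, or a subfolder of one that
    # allows subfolders. Files there skip the macro block, which is why the article
    # says needed work files belong in a trusted location rather than being
    # unblocked one at a time.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [object[]] $TrustedLocations
    )
    $dir = (Split-Path -Path $Path -Parent).TrimEnd('\') + '\'
    foreach ($loc in $TrustedLocations) {
        $trusted = $loc.Path.TrimEnd('\') + '\'
        if ($dir -ieq $trusted) { return $true }
        if ($loc.AllowSubfolders -and
            $dir.StartsWith($trusted, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed sample: a file carrying the Zone.Identifier stream a browser would add.
$sample = Join-Path $env:TEMP 'asr-demo-invoice.docm'
Set-Content -LiteralPath $sample -Value 'placeholder, not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-MarkOfTheWeb -Path $sample | Format-List
$trusted = @(Get-OfficeTrustedLocations)
"Trusted locations found: $($trusted.Count)"
"Sample sits in a trusted location: $(Test-InTrustedLocation -Path $sample -TrustedLocations $trusted)"

Remove-Item -LiteralPath $sample -ErrorAction SilentlyContinue
```

Running this shows the constructed sample with `ZoneId 3` and `MacrosBlocked True`, and (on a default install) that `%TEMP%` is not a trusted location. The same two checks are useful in reverse: a file in a trusted location that arrived with a Mark of the Web is exactly the case the article warns about, since the trusted location overrides the block.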