category

Windows 10 has built-in protection against malware

Microsoft Device Guard blocking Petya from activating

If you run Windows, then upgrade to Windows 10 if you haven’t done so already. Win 10 provides seriously good protection against malware, ransomware, and viruses. Earlier versions of Windows are not nearly as secure and never will be.

Microsoft has a hugely geeky, immensely detailed article about Petya. Most of the Petya damage was in Ukraine. Most of the infections were on Win 7 machines (that presumably hadn’t been patched.) Yes, Win 10 is sometimes a pain because it forces upgrades. This can also be a good thing, as Win 10 is immune to Petya and similar attacks precisely because of the automatic upgrades.

Petya isn’t ransomware, because money wasn’t the object. Wiping out data was, especially if the computer used Kaspersky anti-virus software. Yes, it really is a jungle out there.

Boot recovery options from Petya

Petya causes some damage to the operating system’s boot code. In certain cases, recovery to boot the infected machine to a clean state is possible.

Case 1: If machine is equipped with secure boot + UEFI

If an infected machine shows the message below, it means the threat couldn’t hijack the boot process and encrypt MFT. In this case, booting off a clean installation media and performing Startup Recovery can fix the issue, and the machine can be booted.

Case 2: If system is non-UEFI, installed with Kaspersky Antivirus, and in a state where boot completely fails

The ransomware attempts to destroy the first 10 sectors of the \\\\.\\PhysicalDrive0 if Kaspersky Antivirus is found or if the MBR infection is unsuccessful. Thus, boot process hijack through malicious MBR hasn’t been completed so the MFT (Master File table) contents are intact and not encrypted by the threat. In this case, the partition table information is destroyed by the threat. Given that it stores critical information needed in the booting process, a traditional boot repair process may not work. Rebuilding the partition table may require consultation with an expert.

Case 3: if a ransom message [appears on the screen] recovery is not possible

That’s why you need Win 10. To protect against your hard disk and all your precious data against being trashed.

Some of the protections Win 10 has that do not exist in earlier versions of Windows. (from articles linked from Microsoft’s Petya article.) Microsoft is working on new protections every day, but only for Win 10.

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.

Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

AppLocker’s role in the Defense in Depth strategy is to prevent the execution of software from a non-admin’s writable workspace.

In addition, Secure Boot started with Win 8.

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.