

Groups > alt.comp.os.windows-10 > #182549

Re: Dealing with Windows Security's "Ransomware protection"

From Ed Cryer <ed@somewhere.in.the.uk>
Newsgroups alt.comp.os.windows-10
Subject Re: Dealing with Windows Security's "Ransomware protection"
Date 2025-02-25 19:02 +0000
Organization A noiseless patient Spider
Message-ID <vpl443$24rst$1@dont-email.me> (permalink)
References <vpkfnq$1vpet$2@dont-email.me> <vpklel.l4s.1@ID-201911.user.individual.net> <vpkn9e$21ock$1@dont-email.me> <vpl2ic$24lmg$1@dont-email.me>



Paul wrote:
> On Tue, 2/25/2025 10:23 AM, Ed Cryer wrote:
>> Frank Slootweg wrote:
>>> John C. <r9jmg0@yahoo.com> wrote:
>>>> Windows Security's "Ransomware protection" is about as much of a PITA as
>>>> User Account Control.
>>> [...]
>>>> What do YOU think about Ransomware protection?
>>>
>>>     Not much. On my Windows 11 system, 'Controlled folder access' is *off*
>>> and I don't think I turned it off, so I assume 'off' is the default.
>>>
>>>     I also checked on my wife's Windows 10 system and 'Controlled folder
>>> access' is off on that system as well. So the default *is* 'off',
>>> because I would never lessen security on that system.
>>
>> It's off in my Win10 as well; default setting.
>> I wonder how it actually functions to detect ransomware?
>>
>> My own protection is a well-kept backup image.
>>
>> Ed
> 
> Ransomware attack vectors and methods:
> 
> Originally, naively named executables, blockable by AppLocker.
> 
> Most common attack vector today is targeted phishing (hospitals, town governments).
> 
> Used to have a "service model". The infected punter was given an email
> address, to converse with. Talk the service agent "down from three
> Bitcoins to two Bitcoins". (That tells you this happened quite a long
> time ago -- Bitcoins were at a low of $3 each at one time.) The service
> agent would send you your key, you would decrypt your files.
> 
> The Black Hats found this model too expensive. It took a lot of service
> agents. The service agent took a cut, and so on.
> 
> Information on the latest (personalized) threats is slim.
> 
> Likely to be via phishing (clicking the GoDaddy attachment concerning domain renewal).
> 
> Ransomware hides stealthily for one month. It no longer attacks immediately.
> It seeks to understand what defenses you have (such as backup drives).
> 
> Attack can be file-by-file, but that is old fashioned. Each file has
> an extension added to the end of it, indicating it has been attacked.
> The .xls and .doc are attacked first, as OS files are worthless.
> 
>      taxes.xls.osirus      myproposal.doc.osirus
> 
> A second attack mechanism is to change the FDE key and cause
> the drive to instantly wink out. The part that I don't understand
> is why would the previous FDE key be readable? Making it readable
> encourages this sort of attack.
> 
> *******
> 
> The proposed defense mechanisms don't appear to address all the
> attack methods. Some will be hidden to us (such as Windows Defender
> being "curious" about any agent approaching an FDE key). They tell us
> that root kits are not all that common any more, but who knows whether
> they go as a one-two punch for Ransomware.
> 
> Maybe a safer backup is to manually boot a Macrium CD and make
> a full to the external drive. Then shut down and disconnect the external
> until next time.
> 
> What possibilities exist for attack via UEFI?
> 
>     Paul

Thanks for the reply, Paul.
May I pose two questions?
1. Why can't normal AV detect those lurking ransomware files?
2. Do you think my Macrium backup image and Macrium Reflect booting will be sufficient in the event of ransomware?


Ed
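Paul's description of file-by-file encryption (a foreign suffix appended to documents, as in taxes.xls.osirus) suggests a simple detection heuristic for a backup host or file server. The script below is an added example, not code from the thread: it flags document names carrying an unknown trailing extension, ignores benign double extensions such as .bak or .gz, and only raises an alert when one foreign suffix dominates a listing. The `.osirus` suffix is the one Paul quoted; the rest of the listing is constructed.

```python
import os
from collections import Counter

# Document types ransomware typically targets first (constructed list; extend as needed).
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg", ".png", ".txt"}
# Trailing extensions that legitimately follow a document extension (backups, archives).
BENIGN_SUFFIXES = {".bak", ".zip", ".gz", ".7z", ".tmp", ".old"}


def suspicious_rename(name: str) -> bool:
    """True if name looks like <doc>.<docext>.<foreign suffix>, e.g. taxes.xls.osirus."""
    root, last = os.path.splitext(name)
    last = last.lower()
    if not last or last in DOCUMENT_EXTS or last in BENIGN_SUFFIXES:
        return False  # no extension, a plain document, or a known benign double extension
    _, inner = os.path.splitext(root)
    return inner.lower() in DOCUMENT_EXTS


def scan_listing(names):
    """Return (flagged names, Counter of the foreign suffixes seen on them)."""
    flagged = [n for n in names if suspicious_rename(n)]
    suffixes = Counter(os.path.splitext(n)[1].lower() for n in flagged)
    return flagged, suffixes


def ransomware_signal(names, min_hits=3, min_ratio=0.5):
    """Return the dominant foreign suffix when enough documents carry it, else None.

    A single odd file is noise; a suffix shared by most documents in a
    listing is the file-by-file pattern described above.
    """
    flagged, suffixes = scan_listing(names)
    if not flagged:
        return None
    suffix, count = suffixes.most_common(1)[0]
    untouched = sum(1 for n in names if os.path.splitext(n)[1].lower() in DOCUMENT_EXTS)
    total_docs = untouched + len(flagged)
    if count >= min_hits and count / total_docs >= min_ratio:
        return suffix
    return None


# Constructed directory listing: four documents hit, one untouched, plus benign names.
SAMPLE_LISTING = [
    "taxes.xls.osirus", "myproposal.doc.osirus", "budget.xlsx.osirus",
    "photo.jpg.osirus", "unaffected.docx", "notes.txt.bak",
    "archive.tar.gz", "README", "ntoskrnl.exe",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING)[0], ransomware_signal(SAMPLE_LISTING))
```

Run it against `os.listdir()` of a backup target before trusting a fresh image; a listing that trips the alert is one you do not want to overwrite the last good backup with.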


