Windows Defender ATP to defend against Ransomware infections in Corporate Networks

Today many corporations are victims of ransomware attacks and are struggling with the ever-growing risk of infection. But did you know that Windows 10 can actually help these enterprises detect ransomware and stop it from spreading much more quickly?

Yes, a recent Microsoft blog post published on Monday shows how Windows Defender ATP (Advanced Threat Protection) can help businesses better understand early cases of ransomware attacks, and use this information to protect their network.

Windows Defender ATP offers Ransomware protection

Windows Defender Advanced Threat Protection, or Windows Defender ATP, is a security service that enables enterprises to detect, investigate, and respond to advanced threats on their networks. It combines the following technologies, which are built into Windows 10 and Microsoft’s cloud service:

  • Endpoint Behavioral Sensors

The Endpoint behavioral sensors are embedded in Windows 10. These sensors collect and process behavioral signals from the operating system and further send the sensor data to the private, isolated, cloud instance of the Windows Defender ATP.

  • Cloud Security Analytics

By leveraging big data, machine learning, and Microsoft’s unique optics across the Windows ecosystem, behavioral signals are decoded into insights, detections, and recommended responses to advanced threats.

  • Threat Intelligence

Threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when anything suspicious is observed in the collected sensor data.

As with a physical illness, catching a cyber-security infection at an early stage is the key to limiting the damage and avoiding more complex problems later. With Windows Defender ATP, this becomes practically possible.

Windows Defender ATP provides:

Windows Defender ATP leverages Microsoft technology and expertise to detect high-end cyber-attacks. It provides:

  1. Behavior-based, cloud-powered, advanced attack detection. It helps to detect post-breach attacks and provides actionable, correlated alerts for known and unknown adversaries.
  2. A rich machine timeline, which makes it easy to investigate the scope of a breach or suspected behavior on any machine.
  3. A built-in threat intelligence knowledge base, which provides actor details and intent context for every threat-intel-based detection.

Benefit from post-breach detection solutions

The blog post says,

“As attacks reach the post-breach or post-infection layer—when endpoint antimalware fails to stop a ransomware infection—enterprises can benefit from post-breach detection solutions that provide comprehensive artifact information and the ability to quickly pivot investigations using these artifacts.”

Patient Zero or the initial infection

The blog post says that some of the more prevalent ransomware campaigns can actually last for “days or even weeks, all the while employing similar files and techniques.” But if the affected business can identify “Patient Zero,” the initial infection, it can “effectively stop ransomware epidemics.” In other words, if an antimalware tool fails to prevent the initial attack, Windows 10 should still be able to stop it from growing into an epidemic. This is possible because Windows Defender ATP can point out the original infection and help protect the rest of the network from subsequent attacks.

Cerber ransomware

The research looks in detail at a specific family of malware, the Cerber ransomware, which was widespread during the holiday season. In the test, Cerber was downloaded and then tried to launch a PowerShell command, which Windows Defender ATP quickly detected.

“Windows Defender ATP also generated an alert when the PowerShell script connected to a TOR anonymization website through a public proxy to download an executable. Security Operations Center (SOC) personnel could use such alerts to get the source IP and block this IP address at the firewall, preventing other machines from downloading the executable.”

Generates alerts

Windows Defender ATP was seen generating active alerts when the ransomware tried to delete system restore points and volume shadow copies. Alerts are designed to give security pros contextual information and also help to focus an investigation on preventing an outbreak.
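The three behaviors the article describes above (the Patient Zero investigation, the alert on a PowerShell process reaching a public proxy whose IP a SOC could block at the firewall, and the alert on shadow-copy deletion) can be illustrated with a small correlation script. The following is an added example, not code from the article or from Microsoft, and it does not use any Windows Defender ATP API; the hosts, timestamps, hashes and the IP address (from the RFC 5737 documentation range) are constructed:

```python
"""Toy detection and correlation over constructed endpoint telemetry.

Added example for illustration only; it is not Windows Defender ATP code
and uses no Microsoft API. Hosts, timestamps, hashes and IP addresses are
constructed.
"""
import ipaddress
import re

# Constructed process-creation and network events from three endpoints.
# "sha256"/"parent_sha256" stand in for the hash of the (parent) image.
EVENTS = [
    {"host": "WS-017", "ts": "2017-01-09T08:12:03", "kind": "process",
     "image": "powershell.exe", "cmdline": "powershell.exe -File stage.ps1",
     "sha256": "hash-powershell", "parent_sha256": "hash-word"},
    {"host": "WS-017", "ts": "2017-01-09T08:12:09", "kind": "network",
     "image": "powershell.exe", "remote_ip": "203.0.113.45", "remote_port": 8080},
    {"host": "WS-017", "ts": "2017-01-09T08:12:40", "kind": "process",
     "image": "rad3F9A2.exe", "cmdline": "rad3F9A2.exe",
     "sha256": "hash-payload-0001", "parent_sha256": "hash-powershell"},
    {"host": "WS-017", "ts": "2017-01-09T08:13:30", "kind": "process",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "sha256": "hash-vssadmin", "parent_sha256": "hash-payload-0001"},
    # Benign: an administrator listing shadow copies must not alert.
    {"host": "SRV-01", "ts": "2017-01-09T09:00:00", "kind": "process",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe list shadows",
     "sha256": "hash-vssadmin", "parent_sha256": "hash-cmd"},
    # Benign: PowerShell talking to an internal file server.
    {"host": "WS-042", "ts": "2017-01-09T10:47:12", "kind": "network",
     "image": "powershell.exe", "remote_ip": "10.0.5.20", "remote_port": 445},
    # Second victim: the same payload hash deletes shadow copies via WMI.
    {"host": "WS-042", "ts": "2017-01-09T10:48:05", "kind": "process",
     "image": "wmic.exe", "cmdline": "wmic.exe shadowcopy delete",
     "sha256": "hash-wmic", "parent_sha256": "hash-payload-0001"},
]

# Corporate address space (assumed); anything outside counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Command lines that remove restore points / volume shadow copies.
SHADOW_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_shadow_copy_tampering(cmdline):
    return any(p.search(cmdline) for p in SHADOW_TAMPER)


def powershell_external_connections(events):
    """(host, ts, ip) for each PowerShell connection to a non-corporate address."""
    return [(e["host"], e["ts"], e["remote_ip"]) for e in events
            if e["kind"] == "network"
            and e["image"].lower().endswith("powershell.exe")
            and not is_internal(e["remote_ip"])]


def firewall_block_candidates(events):
    """Remote IPs a SOC analyst would review for blocking at the perimeter."""
    return sorted({ip for _, _, ip in powershell_external_connections(events)})


def shadow_copy_alerts(events):
    """(host, ts, parent hash) for each shadow-copy deletion attempt."""
    return [(e["host"], e["ts"], e["parent_sha256"]) for e in events
            if e["kind"] == "process" and is_shadow_copy_tampering(e["cmdline"])]


def patient_zero(alerts):
    """Group alerts by the hash of the process that spawned them and list the
    hosts in order of first sighting; the first host is Patient Zero."""
    by_artifact = {}
    for host, ts, artifact in sorted(alerts, key=lambda a: a[1]):
        hosts = by_artifact.setdefault(artifact, [])
        if host not in hosts:
            hosts.append(host)
    return by_artifact


if __name__ == "__main__":
    for host, ts, ip in powershell_external_connections(EVENTS):
        print(f"{ts} {host}: PowerShell connected to external address {ip}")
    print("Perimeter block candidates:", firewall_block_candidates(EVENTS))
    for artifact, hosts in patient_zero(shadow_copy_alerts(EVENTS)).items():
        print(f"artifact {artifact}: patient zero {hosts[0]}, spread to {hosts[1:]}")
```

Correlating on the parent image hash is what lets the second alert on WS-042 be tied back to WS-017 as the origin; with real telemetry the same grouping would be done on whatever artifact the campaign reuses (file hash, download URL, proxy address).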

A host of new updates coming soon

According to the post, Windows Defender will get a host of new defenses, including new sensors to detect in-memory malware and kernel-level exploits, the ability to quarantine files and prevent their subsequent execution, and better tools to isolate infected machines and conduct forensics.

Now read about the Ransomware protection features in Windows 10 here.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.
