November 11, 2016 9:05 am

Defending against ransomware with Windows 10 Anniversary Update

By / Partner Director, Windows & Devices Group, Security & Enterprise

Ransomware is one of the latest malware threats that is attracting an increasing number of cyber-criminals who are looking to profit from it. In fact, in the last 12 months, the number of ransomware variants have more than doubled. Its premise is deceptively simple: infect users’ devices, and then deny them access to their devices or files unless they pay a ransom. However, the methods and means attackers are using to perpetrate ransomware attacks are increasingly varied, complex and costly.

Microsoft is committed to helping protect people against threats to their safety and security through our strategy of Prevent, Detect and Respond. Using this approach, Windows 10 Anniversary Update is more ransomware-resilient than ever before.

Here are some of the many ways we’re fighting back against ransomware:

  • Six of the top 10 ransomware threats use browser, or browser-plugin-related exploits, so we made it harder for malware authors to exploit Windows 10 and Microsoft Edge.
  • We increased detection and blocking capability in our email services, increasing the number of ransomware-related attachments being blocked.
  • We added new technology to Windows Defender to reduce detection time to seconds, increasing our ability to respond before the infection can occur.
  • We released Windows Defender Advanced Threat Protection which can be combined with Office 365 Advanced Threat Protection to make it easier for companies to investigate and respond to ransomware attacks.

Combined with other significant security advances, such as Credential Guard, Windows Hello and others, we’ve made Windows 10 Anniversary Update the most secure Windows ever. Here are a few examples of how we achieved this:


Browser hardening. Adobe Flash Player is a common browser plug-in that has been used by exploit writers to download ransomware, so we updated Microsoft Edge to run Flash Player in an isolated container. We have also locked down Microsoft Edge so that an exploit running in the browser cannot execute another program. These improvements block malware from silently downloading and executing additional payloads on customers’ systems.

Email protection. A major distribution channel for ransomware is via email file attachments. To help protect customers who use Microsoft email services against such threats, we have made investments in our email services that help block ransomware. We advanced our machine learning models and heuristics to catch malware distributed in email, and developed a faster signature delivery channel to update Windows Defender running in our email services more quickly. The result is improved protection levels for our consumer and commercial productivity suite customers.

Machine learning. Enhancements to our cloud infrastructure let our antimalware researchers extend machine learning models in a way that we can identify and block malware more quickly. Before the Anniversary Update, the process of collecting a suspicious program for analysis, classifying it and responding with protection generally took hours. Now it takes minutes.


New and improved Windows Defender. Windows Defender, which is enabled by default, can respond to new threats faster using improved cloud protection and automatic sample submission features to block malware “at first sight”. We’ve also improved Windows Defender’s behavioral heuristics to help determine if a file is performing ransomware-related activities, and then detect and take action more quickly.


Post-breach defense. In Windows 10 Anniversary Update, we launched Windows Defender Advanced Threat Protection (ATP) service which adds the ability for companies to detect and respond to attacks that have made it through other defensive layers. Combining security events collected from the machines with cloud analytics to detect signs of attacks, Windows Defender ATP surfaces alerts to the enterprise security team. Should ransomware affect corporate endpoints, the Windows Defender ATP console can provide important details that can help security responders quickly understand how the ransomware entered the device, identify the damage it has created, and locate where it might be moving next in the network. When combined with Office 365 Advanced Threat Protection, these services share signals to provide a more holistic view of what is attacking the enterprise.

Protecting against Ransomware

We have made significant improvements in protecting customers from ransomware in the Windows 10 Anniversary Update. To help protect against ransomware and other types of cyber threats, we suggest you:

The Block at First Sight cloud protection feature in Windows Defender is enabled by default. For IT Pros, if it was turned off we recommend turning it back on, and we also recommend incorporating another layer of defense through Windows Defender ATP and Office 365 ATP.  For more information about each of these technologies and techniques and how they work, please download our white paper Ransomware Protection in Windows 10 Anniversary Update.

Cyber threats won’t stop, and neither will we. As long as ransomware remains a threat, we will continue to enhance our defenses to better protect your Windows 10 devices.

Additional Resources