Shostack + Friends Blog


Microsoft Can Fix Ransomware Tomorrow

My latest at Dark Reading draws attention to how Microsoft can fix ransomware tomorrow.

An AI-generated image for the blog

My latest article at Dark Reading is Microsoft Can Fix Ransomware Tomorrow. It starts:

Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.

Ransomware works by going through files, one by one, and replacing their content with an encrypted version. (Sometimes it also sends copies elsewhere, but that turns out to be slow, and sometimes sets off alarms.) Software on Microsoft Windows uses an application programming interface (API) called "CreateFile" to access files. Somewhat confusingly, CreateFile not only creates files but is also the primary way to open them.

Microsoft should rate-limit the CreateFile() API. That is to say, it should limit how often a given program can use the API. Because you can't encrypt a file until you can open it, this would have a dramatic impact on ransomware. It would slow it down, and help defensive tools catch it in time for humans to react.
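To make the proposal concrete, here is an added illustration (not code from the article, and not Microsoft's implementation): a Python model of a per-process sliding-window limit on file opens, run over a constructed stream of open events from a document editor and from a process that opens hundreds of files per second. The class name, the 50-opens-per-second threshold and the sample events are assumptions chosen for the demonstration.

```python
from collections import deque

class OpenRateLimiter:
    """Sliding-window limit on file opens per process.

    Constructed model of the proposed CreateFile rate limit: each process
    may perform at most `max_opens` opens in any `window_ms` window;
    further opens in that window are throttled (delayed or denied).
    """
    def __init__(self, max_opens, window_ms):
        self.max_opens = max_opens
        self.window_ms = window_ms
        self.history = {}  # pid -> deque of timestamps (ms) of allowed opens

    def allow(self, pid, t_ms):
        q = self.history.setdefault(pid, deque())
        # Drop opens that have aged out of the window.
        while q and t_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.max_opens:
            return False  # throttled: a defensive tool can alert on this
        q.append(t_ms)
        return True

def simulate(events, limiter):
    """events: iterable of (t_ms, pid, path). Returns per-pid counts of
    allowed and throttled opens, which is what a monitor would report."""
    stats = {}
    for t_ms, pid, _path in sorted(events):
        s = stats.setdefault(pid, {"allowed": 0, "throttled": 0})
        s["allowed" if limiter.allow(pid, t_ms) else "throttled"] += 1
    return stats

def build_sample_events():
    # Constructed sample: pid 100 is an editor opening 5 documents over
    # 8 seconds; pid 200 behaves like ransomware, opening 300 files in 3 s.
    editor = [(i * 2000, 100, f"C:/Users/a/doc{i}.docx") for i in range(5)]
    burst = [(i * 10, 200, f"C:/Users/a/file{i}.xlsx") for i in range(300)]
    return editor + burst

if __name__ == "__main__":
    limiter = OpenRateLimiter(max_opens=50, window_ms=1000)
    for pid, s in simulate(build_sample_events(), limiter).items():
        print(pid, s)
```

With a 50-opens-per-second budget the editor is never touched, while the bursting process gets half of its opens throttled, stretching its run and giving a monitor a clear signal.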

Image by Midjourney: "microsoft fixing ransomware --ar 8:3"