Windows 10 S Isn't Immune to Ransomware Despite 'Streamlined' Security and Performance

In a blog post from June 8, Microsoft's Malware Protection Center (MMPC) wrote about how catastrophic the effects of a widespread ransomware infection can be. In the wake of the horrific WannaCry outbreak during which hospitals resorted to turning down patients and rescheduling life-saving surgical operations because their computer systems were down, it's safe to say that there's no sensible human being that would try to argue with that. A couple of paragraphs later, however, MMPC's people say that 'no known ransomware works against Windows 10 S.' This bold claim is more debatable.

Windows 10 Poised As Being Ransomware-Proof

Windows 10 S is, in Microsoft's own words, "streamlined for security and performance." The configuration should be much more secure than the rest of Windows' iterations because it doesn't allow running applications that weren't downloaded from the Windows Store. Considering the problems users have experienced with fake apps and scams, some might say that Windows 10 S' claims of greater protection are nothing more than a ploy to drive more people to Microsoft's equivalent of Google Play. The truth is, however, we've yet to see or hear about ransomware being distributed through the Windows Store, so in that particular respect, the restriction should work. There are other precautions that should hamper an attack from malicious actors. Access to scripting tools is denied, and the same goes for Windows' Command Prompt and PowerShell. All in all, the claim that Windows 10 S is ransomware-proof might just hold water. That's the theory.

Researchers Investigate Windows 10 S Ransomware Protection Claims

The reality, as you might have guessed already, is a little bit different. Zack Whittaker of ZDNet was really keen on putting MMPC's claims to the test, which is why he took one of Microsoft's Surface Windows 10 S laptops, installed all the updates, and then told Matthew Hickey to do his worst. Hickey is a security researcher and co-founder of Hacker House, which means that he knows what he's talking about. Three hours later, when the experiment was over, he said that he was surprised by how easy it was to break through Windows 10 S' defenses.

The inability to execute shell commands or regular files that weren't downloaded from the Windows Store meant that he had to resort to the humble macro-laced Word document. There was one problem: because of their extensive use by black hats, by default, macros are blocked on files downloaded from the Internet. When they're placed on network shares, however, Windows trusts them, and with some social engineering, coercing the victim into enabling the malicious script shouldn't be that difficult.
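
Windows records the download origin of a file in an NTFS alternate data stream named Zone.Identifier. The PowerShell audit below is an added example, not code from the article, Microsoft or the researchers: it inventories macro-capable Office files under a folder and reports that mark, so an administrator can see which ones carry no Internet-origin tag. The `$Root` path and the extension list are assumptions.

```powershell
# Added example: audit macro-capable Office files for their origin zone mark.
# $Root is a hypothetical placeholder; point it at a share or folder you administer.
param(
    [string]$Root = '\\fileserver.example\shared'
)

# Extensions that can carry VBA macros (assumed list: legacy binary and macro-enabled formats).
$macroExt = '.doc', '.dot', '.docm', '.dotm', '.xls', '.xlsm', '.xlsb', '.ppt', '.pptm'

# URL security zones as stored in the ZoneId field of the Zone.Identifier stream.
$zoneName = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $macroExt -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        # The stream is absent when the file was never tagged or the tag was lost in a copy.
        $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zone = $null
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zone = [int]$Matches[1] }
        }
        [pscustomobject]@{
            Path           = $_.FullName
            ZoneId         = $zone
            Zone           = if ($null -eq $zone) { 'unmarked' } else { $zoneName[$zone] }
            # Only zones 3 and 4 mark the file as Internet-origin; $null compares as false.
            InternetMarked = ($zone -ge 3)
            Modified       = $_.LastWriteTime
        }
    } |
    Sort-Object InternetMarked, Modified |
    Format-Table -AutoSize
```

Rows with `InternetMarked` set to False sort first; those are the documents to review, since nothing in their metadata identifies them as downloaded content.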

The Fight Against Ransomware Ensues Despite Windows 10 S’ Feat

The macros Hickey wrote injected a DLL into one of the running processes. This is how he was able to get around the Windows Store restrictions. Then, he used a popular penetration testing tool called Metasploit to download a payload which used the same DLL injection technique to take over another process with System privileges. As Hickey put it, from there, it was "game over."

The researcher was able to turn off Windows Defender and do all manner of things, including viewing the Wi-Fi password in plain text. In theory, he could've infected Whittaker's laptop with ransomware, but he decided that he had proven the point and that risking the rest of the systems on the network was not necessary.

It should be pointed out that the mock attack didn't employ any unknown exploits (the so-called zero-days) or any advanced malware. All it took was some poking around and a few publicly available tools. Nevertheless, Whittaker and Hickey privately contacted Microsoft and asked them whether they would reconsider the bold claims they made in their June 8 blog post. Redmond refused to acknowledge that ransomware can indeed be deployed on the S edition of Windows 10. As always, you are the one who should draw all the conclusions.