Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/21/2020
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New Ransomware Tactic Shows How Windows EFS Can Aid Attackers

Researchers have discovered how ransomware can take advantage of the Windows Encrypting File System, prompting security vendors to release patches.

Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique.

The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways to implement ransomware. "It's important we understand what can be done so we can develop better controls around it," says co-founder and CTO Itzik Kotler. One of their goals was to find attack vectors that today's defenses lack capabilities to defend against.

Starting in Windows 2000, Microsoft began to offer EFS to business customers using the Windows Pro, Professional, Business, Ultimate, Enterprise, and Education editions. EFS enables encryption of specific folders and files keyed to the Windows user. Encryption and decryption are done in the NTFS driver, under the file system filter drivers. Part of the encryption key is stored in a file the user can access; part is computed from the account password. EFS should not be confused with BitLocker, which is a full-disk encryption feature.

Researchers created their concept ransomware in a lab environment to test whether antivirus software could defend against it. Because this malware uses EFS functionality, as opposed to the typical ransomware tactic of overwriting the file, it uses a different set of system calls.

"We thought there was good potential there for completely evading security controls," says Amit Klein, vice president of security research. "Indeed, that turned out to be the case."

The malware they developed first generates a key to be used by EFS, as well as a certificate for that key, which is added to the personal certificate store. It then sets the current EFS key to the certificate the malware created; now, this key can be invoked on specific files and folders to encrypt them. The ransomware saves the key files to memory and deletes them from two folders:

  • %APPDATA% \Microsoft\Crypto\RSA\sid\ (where sid is the user SID)
  • %ProgramData% \Microsoft\Crypto\RSA\MachineKeys\

From there, the ransomware erases the EFS data from memory, rendering the encrypted files inaccessible to the victim. Ideally, the researchers explain, it also wipes slack parts of the disk to ensure data from the EFS key files and temporary files used by EncryptFile can't be retrieved. The malware can now encrypt data it stole from the two previously mentioned files using a public key hardwired into the ransomware and send encrypted data to the attacker. Files are encrypted at a deep level of the kernel and won't be noticed by file-system filter drivers. The attack doesn't require admin rights or human interaction, Klein writes in a blog post.

Every ransomware should have a way to restore the files, Klein explains, and this one is no different. An attacker would need to decrypt the key files using their private key to restore them to their original state. When this happens, Windows will be able to read the user files.

Researchers tested the EFS ransomware on Windows 10 64-bit versions 1803, 1809, and 1903. It should also work on Windows 32-bit operating systems and on earlier version of Windows — likely Windows 8.x, Windows 7, and Windows Vista.

Inside the Patching Process
The team tested its malware with three anti-ransomware tools from well-known vendors: ESET (Internet Security 12.1.34.0), Kaspersky (Anti Ransomware Tool for Business 4.0.0.861a), and Microsoft (Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809, build 17763). All three failed to defend against this type of ransomware attack.

SafeBreach then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided its proof of concept, and found many products were affected.

"The whole business of disclosing this threat to major solution vendors is about reducing the threat of this being used in the wild at some later point," Klein says. SafeBreach disclosed the attack to companies in June and July 2019, he notes. More than six months passed between the time of disclosure to the last vendor and SafeBreach's public disclosure today.

"Some vendors took a very short while to figure out what the problem is and how they want to address it," he notes. "Other vendors took quite a bit of time to start working on addressing the issue." Most affected vendors deployed updates to defend against this attack technique.

One possible workaround for this attack is to disable ESF entirely, which is possible with admin rights. Klein advises taking this route if your organization does not actively use the feature.

As ransomware evolves, security vendors must also adapt to defend against new and changing threats. Signature-based tools "are not up to this job," Klein writes in his post, and while heuristics-based solutions hold promise, additional research is required to train them to protect against future threats.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...