Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/21/2020
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New Ransomware Tactic Shows How Windows EFS Can Aid Attackers

Researchers have discovered how ransomware can take advantage of the Windows Encrypting File System, prompting security vendors to release patches.

Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique.

The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways to implement ransomware. "It's important we understand what can be done so we can develop better controls around it," says co-founder and CTO Itzik Kotler. One of their goals was to find attack vectors that today's defenses lack capabilities to defend against.

Starting in Windows 2000, Microsoft began to offer EFS to business customers using the Windows Pro, Professional, Business, Ultimate, Enterprise, and Education editions. EFS enables encryption of specific folders and files keyed to the Windows user. Encryption and decryption are done in the NTFS driver, under the file system filter drivers. Part of the encryption key is stored in a file the user can access; part is computed from the account password. EFS should not be confused with BitLocker, which is a full-disk encryption feature.

Researchers created their concept ransomware in a lab environment to test whether antivirus software could defend against it. Because this malware uses EFS functionality, as opposed to the typical ransomware tactic of overwriting the file, it uses a different set of system calls.

"We thought there was good potential there for completely evading security controls," says Amit Klein, vice president of security research. "Indeed, that turned out to be the case."

The malware they developed first generates a key to be used by EFS, as well as a certificate for that key, which is added to the personal certificate store. It then sets the current EFS key to the certificate the malware created; now, this key can be invoked on specific files and folders to encrypt them. The ransomware saves the key files to memory and deletes them from two folders:

  • %APPDATA% \Microsoft\Crypto\RSA\sid\ (where sid is the user SID)
  • %ProgramData% \Microsoft\Crypto\RSA\MachineKeys\

From there, the ransomware erases the EFS data from memory, rendering the encrypted files inaccessible to the victim. Ideally, the researchers explain, it also wipes slack parts of the disk to ensure data from the EFS key files and temporary files used by EncryptFile can't be retrieved. The malware can now encrypt data it stole from the two previously mentioned files using a public key hardwired into the ransomware and send encrypted data to the attacker. Files are encrypted at a deep level of the kernel and won't be noticed by file-system filter drivers. The attack doesn't require admin rights or human interaction, Klein writes in a blog post.

Every ransomware should have a way to restore the files, Klein explains, and this one is no different. An attacker would need to decrypt the key files using their private key to restore them to their original state. When this happens, Windows will be able to read the user files.

Researchers tested the EFS ransomware on Windows 10 64-bit versions 1803, 1809, and 1903. It should also work on Windows 32-bit operating systems and on earlier version of Windows — likely Windows 8.x, Windows 7, and Windows Vista.

Inside the Patching Process
The team tested its malware with three anti-ransomware tools from well-known vendors: ESET (Internet Security 12.1.34.0), Kaspersky (Anti Ransomware Tool for Business 4.0.0.861a), and Microsoft (Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809, build 17763). All three failed to defend against this type of ransomware attack.

SafeBreach then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided its proof of concept, and found many products were affected.

"The whole business of disclosing this threat to major solution vendors is about reducing the threat of this being used in the wild at some later point," Klein says. SafeBreach disclosed the attack to companies in June and July 2019, he notes. More than six months passed between the time of disclosure to the last vendor and SafeBreach's public disclosure today.

"Some vendors took a very short while to figure out what the problem is and how they want to address it," he notes. "Other vendors took quite a bit of time to start working on addressing the issue." Most affected vendors deployed updates to defend against this attack technique.

One possible workaround for this attack is to disable ESF entirely, which is possible with admin rights. Klein advises taking this route if your organization does not actively use the feature.

As ransomware evolves, security vendors must also adapt to defend against new and changing threats. Signature-based tools "are not up to this job," Klein writes in his post, and while heuristics-based solutions hold promise, additional research is required to train them to protect against future threats.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
APT Groups Set Sights on Linux Targets: Inside the Trend
Kelly Sheridan, Staff Editor, Dark Reading,  9/11/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5605
PUBLISHED: 2020-09-18
Directory traversal vulnerability in WHR-G54S firmware 1.43 and earlier allows an attacker to access sensitive information such as setting values via unspecified vectors.
CVE-2020-5606
PUBLISHED: 2020-09-18
Cross-site scripting vulnerability in WHR-G54S firmware 1.43 and earlier allows remote attackers to inject arbitrary script via a specially crafted page.
CVE-2020-5628
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
CVE-2020-5629
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via a malicious App created by the third party. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
CVE-2020-25756
PUBLISHED: 2020-09-18
** DISPUTED ** A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checking. A crafted HTTP header can exploit this bug. NOTE: a committer has stated "this will not happen in practice."