Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/21/2020
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New Ransomware Tactic Shows How Windows EFS Can Aid Attackers

Researchers have discovered how ransomware can take advantage of the Windows Encrypting File System, prompting security vendors to release patches.

Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique.

The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways to implement ransomware. "It's important we understand what can be done so we can develop better controls around it," says co-founder and CTO Itzik Kotler. One of their goals was to find attack vectors that today's defenses lack capabilities to defend against.

Starting in Windows 2000, Microsoft began to offer EFS to business customers using the Windows Pro, Professional, Business, Ultimate, Enterprise, and Education editions. EFS enables encryption of specific folders and files keyed to the Windows user. Encryption and decryption are done in the NTFS driver, under the file system filter drivers. Part of the encryption key is stored in a file the user can access; part is computed from the account password. EFS should not be confused with BitLocker, which is a full-disk encryption feature.

Researchers created their concept ransomware in a lab environment to test whether antivirus software could defend against it. Because this malware uses EFS functionality, as opposed to the typical ransomware tactic of overwriting the file, it uses a different set of system calls.

"We thought there was good potential there for completely evading security controls," says Amit Klein, vice president of security research. "Indeed, that turned out to be the case."

The malware they developed first generates a key to be used by EFS, as well as a certificate for that key, which is added to the personal certificate store. It then sets the current EFS key to the certificate the malware created; now, this key can be invoked on specific files and folders to encrypt them. The ransomware saves the key files to memory and deletes them from two folders:

  • %APPDATA% \Microsoft\Crypto\RSA\sid\ (where sid is the user SID)
  • %ProgramData% \Microsoft\Crypto\RSA\MachineKeys\

From there, the ransomware erases the EFS data from memory, rendering the encrypted files inaccessible to the victim. Ideally, the researchers explain, it also wipes slack parts of the disk to ensure data from the EFS key files and temporary files used by EncryptFile can't be retrieved. The malware can now encrypt data it stole from the two previously mentioned files using a public key hardwired into the ransomware and send encrypted data to the attacker. Files are encrypted at a deep level of the kernel and won't be noticed by file-system filter drivers. The attack doesn't require admin rights or human interaction, Klein writes in a blog post.

Every ransomware should have a way to restore the files, Klein explains, and this one is no different. An attacker would need to decrypt the key files using their private key to restore them to their original state. When this happens, Windows will be able to read the user files.

Researchers tested the EFS ransomware on Windows 10 64-bit versions 1803, 1809, and 1903. It should also work on Windows 32-bit operating systems and on earlier version of Windows — likely Windows 8.x, Windows 7, and Windows Vista.

Inside the Patching Process
The team tested its malware with three anti-ransomware tools from well-known vendors: ESET (Internet Security 12.1.34.0), Kaspersky (Anti Ransomware Tool for Business 4.0.0.861a), and Microsoft (Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809, build 17763). All three failed to defend against this type of ransomware attack.

SafeBreach then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided its proof of concept, and found many products were affected.

"The whole business of disclosing this threat to major solution vendors is about reducing the threat of this being used in the wild at some later point," Klein says. SafeBreach disclosed the attack to companies in June and July 2019, he notes. More than six months passed between the time of disclosure to the last vendor and SafeBreach's public disclosure today.

"Some vendors took a very short while to figure out what the problem is and how they want to address it," he notes. "Other vendors took quite a bit of time to start working on addressing the issue." Most affected vendors deployed updates to defend against this attack technique.

One possible workaround for this attack is to disable ESF entirely, which is possible with admin rights. Klein advises taking this route if your organization does not actively use the feature.

As ransomware evolves, security vendors must also adapt to defend against new and changing threats. Signature-based tools "are not up to this job," Klein writes in his post, and while heuristics-based solutions hold promise, additional research is required to train them to protect against future threats.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.