SafeBreach Labs researchers have reported that attackers can turn the Windows Encrypting File System (EFS) to their own ends: it lets ransomware encrypt files with built-in operating system functionality while staying out of sight of anti-virus solutions.
EFS has been part of Windows since Windows 2000. Unlike BitLocker, which encrypts whole volumes, EFS can selectively encrypt individual files or folders. The researchers warn that EFS could be of considerable interest to criminals: because the encryption is performed by the operating system's own "native" functions, security products can be confused and lose sight of the ransomware.
To start the attack, the ransomware generates an EFS key with AdvApi32!CryptGenKey, creates a self-signed certificate with Crypt32!CertCreateSelfSignCertificate, adds it to the certificate store with Crypt32!CertAddCertificateContextToStore, and assigns it as the user's EFS key with AdvApi32!SetUserFileEncryptionKey.
From that point the ransomware can use AdvApi32!EncryptFile to encrypt any file or folder. The next step is to read the key file into memory and delete it from disk, from %APPDATA%\Microsoft\Crypto\RSA\<user SID> and from %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. The EFS key material is then flushed from memory with the undocumented AdvApi32!FlushEfsCache, after which the encrypted files become unreadable to the user and to the OS itself. The ransomware can also wipe free space on the disk to make sure that the deleted key files and temporary files cannot be recovered.
As a final step, the malware can encrypt the key file data (for example with the attacker's public key) and send it to the attacker. After that, the only way to decrypt the affected files is with the attacker's private key.
The researchers successfully tested their proof-of-concept EFS ransomware on 64-bit Windows 10 1803, 1809 and 1903. They also write that it should work on 32-bit versions of Windows and on earlier releases (Windows 8.x, Windows 7 and Windows Vista).
The proof-of-concept was tested against ESET Internet Security, Kaspersky Anti Ransomware Tool for Business and Windows 10 Controlled Folder Access on 64-bit Windows 10 1809 (build 17763). None of these solutions detected the attack or flagged a threat, which was to be expected: the ransomware used only legitimate functions and manipulated the system's own logic.
The researchers notified 17 major security vendors of their findings and shared the proof-of-concept with them. Most of them (10 of 17) acknowledged the problem and have already shipped fixes in their products. The vendors' responses follow.
- Avast: shipped the fix in antivirus version 19.8 and paid the researchers a $1,000 bounty.
- Avira: considers that whether the bypass works depends on the individual usage scenario and that it can hardly be regarded as a "point of failure" worthy of attention.
- Bitdefender: since January 10, the fix has been applied to Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security version 0.14.85. In Bitdefender Free Edition, the fix is currently only available in notification mode and will require further configuration.
- Check Point: the fix is already available in Corporate Endpoint Client E82.30 and will be available in the coming days in the new ZoneAlarm Anti-Ransomware release.
- D7xTech: developer notified July 5, 2019, status unknown.
- ESET: the company is currently working on an update and encourages customers to refer to Customer Advisory 2020-0002 for information on mitigation options.
- F-Secure: already detects the EFS malware as W32/Malware!Online and Trojan.TR/Ransom.Gen.
- Gridinsoft: has only a beta version of its product, released in 2016. It has not been updated since and never reached a full release, so it protects only against ransomware that was common up to 2016.
- IObit: The fix is available in version 7.2.
- Kaspersky: all products of the company are updated and now protect against the attacks described by researchers.
- McAfee: released protection against the researchers' exploit in the form of Anti-Virus (AV) DAT signatures, available to both corporate and home users. Corporate customers using MVISION EDR have a dedicated rule for detecting such attacks; with EDR an administrator can scan machines for the malware and then block its execution or remove it.
- Microsoft: rated the problem described by the researchers as a moderate threat that does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this issue in future products.
- Panda Security: reports that its Panda Adaptive Defense products are not signature-based but classify every file and process running on the machine, so any attack using suspicious files and processes will be detected and blocked.
- Sophos: Sophos Intercept X and all customers using this product have been updated and are protected.
- Symantec: created two signatures to detect such attacks to mitigate the problem.
- Trend Micro: is currently working on protection against such attacks and, for now, recommends that users disable EFS.
- Webroot: thanks the SafeBreach Labs experts and assures that it is now fully prepared to deal with such attacks.
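As an added example that is not part of the SafeBreach write-up or of any vendor's product, the following PowerShell script checks a Windows host for the artifacts this technique leaves behind (files carrying the EFS-encrypted attribute, EFS certificates in the user's store whose private key can no longer be opened, and the state of the per-user key store under %APPDATA%\Microsoft\Crypto\RSA named above) and, with the -DisableEfs switch, applies the mitigation Trend Micro recommends by disabling EFS with fsutil. The scan paths, the "top 20 most recently written" view, and the heuristic of treating an EFS certificate with an inaccessible private key as suspicious are assumptions of this example; it needs Windows PowerShell 5.1 or later and, for the hardening step, an elevated prompt and a reboot.

```powershell
<#
  Added example, not part of the SafeBreach research: EFS triage and hardening.
  Assumptions: Windows PowerShell 5.1+; the default scan paths are illustrative;
  an EFS certificate whose private key cannot be opened is treated as suspicious,
  because the described PoC deletes the key file after encrypting.
#>
param(
    [string[]]$ScanPaths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [switch]$DisableEfs   # requires an elevated prompt; takes effect after reboot
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

# 1. Current EFS policy. "fsutil behavior set disableencryption 1" sets this value to 1.
$fsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$disabled = (Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
"EFS disabled by policy (NtfsDisableEncryption=1): {0}" -f ($disabled -eq 1)

# 2. Files carrying the EFS attribute. Most workstations have none, so a sudden burst
#    of recently encrypted files in user directories is a strong signal.
$encrypted = foreach ($path in $ScanPaths) {
    if (Test-Path -LiteralPath $path) {
        Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
    }
}
"EFS-encrypted files under scan paths: {0}" -f @($encrypted).Count
$encrypted | Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName, LastWriteTime | Format-Table -AutoSize

# 3. EFS certificates in the user's store, and whether their private key can still be opened.
#    The PoC leaves the certificate in place but removes the key file from
#    %APPDATA%\Microsoft\Crypto\RSA\<SID>, so "certificate present, key unusable" is the artefact.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages.Value } |
        Where-Object { $_ -eq $EfsEku }
}
foreach ($cert in $efsCerts) {
    $keyOk = $false
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa) { $null = $rsa.KeySize; $keyOk = $true }   # touching the key forces the container to open
    } catch { $keyOk = $false }
    "EFS cert {0} ({1}) private key usable: {2}" -f $cert.Thumbprint, $cert.Subject, $keyOk
    if (-not $keyOk) {
        Write-Warning "EFS certificate $($cert.Thumbprint) has no usable private key; files encrypted to it may be unrecoverable."
    }
}

# 4. Per-user RSA key store named in the write-up: count the key files that still exist.
$keyStore = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
if (Test-Path -LiteralPath $keyStore) {
    Get-ChildItem -LiteralPath $keyStore -Directory | ForEach-Object {
        "Key container dir {0}: {1} key file(s)" -f $_.Name, @(Get-ChildItem -LiteralPath $_.FullName -File -Force).Count
    }
}

# 5. Optional hardening: disable EFS host-wide, as Trend Micro recommended.
#    Only do this where EFS is not legitimately in use; files already encrypted stay encrypted.
if ($DisableEfs) {
    fsutil behavior set disableencryption 1
    "EFS disabled; reboot required for the change to take effect."
}
```

Run it from a normal user prompt for the triage steps (sections 1 to 4 need no privileges beyond read access to the user's own profile and certificate store); add -DisableEfs from an elevated prompt to apply the mitigation. A certificate flagged in section 3 together with a burst of fresh entries in section 2 is the combination worth escalating, since a legitimate EFS user keeps a working private key.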