EFS Ransomware Slips by AV Products

Published: 23/11/2024   Category: security


Windows includes a feature called Encrypting File System (EFS). It works on individual files or folders, rather than at the whole disk level like BitLocker does. Researchers at SafeBreach have discovered that it can be used to create a new kind of ransomware as well.
EFS shows up in the business editions of Windows (like Pro, Professional, Business, Ultimate, Enterprise and Education). The encryption and decryption are carried out in the NTFS driver and are transparent to the user.
The SafeBreachers came up with a way for EFS to function as both the encryptor and the decryptor in a ransomware scheme. The eight steps of its operation are detailed in their blog, for readers who want that level of detail.
But the major effect of all this is that a new sort of ransomware was found to be practical. Worse (for users) is the range of versions the researchers found to be vulnerable. They said that "The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista)." That's pretty much everything.
None of the Windows versions would detect the EFS ransomware as it functioned. Frankly, this is to be expected since the form and functionality of the EFS ransomware is novel.
The ransomware has characteristics that help it carry out its malicious mission. Because the files are encrypted at the NTFS driver level, the activity goes unnoticed by file-system filter drivers. Also, EFS ransomware doesn't require administrator rights; it works in limited user accounts. Finally, the EFS ransomware doesn't require human interaction: no social engineering is needed to trigger an action.
But there are some shortcomings as well. There is a visible indicator (a small yellow padlock icon displayed at the top right corner of the file/folder main icon) that shows that something is going on during encryption.
If a Data Recovery Agent has been previously defined, it will make recovery trivial, according to SafeBreach.
EFS can be turned off for a machine (defeating the ransomware) by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 1. Accessing this key requires administrator rights.
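As an added defensive example (not the article's or SafeBreach's code), this PowerShell script audits the EfsConfiguration value named above, can apply it, and counts files carrying the NTFS Encrypted attribute, which is the state the yellow padlock icon reflects. The function names are the example's own; it assumes Windows PowerShell 5.1 or later and administrator rights for Disable-Efs.

```powershell
# Added example (not from the article or SafeBreach): audit and optionally
# apply the EFS mitigation, and count NTFS-encrypted files under a path.
# Function names are hypothetical; Disable-Efs needs administrator rights.
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsState {
    # EfsConfiguration = 1 disables EFS machine-wide; absent or 0 leaves it enabled.
    $value = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration `
              -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        KeyPresent       = Test-Path $EfsKey
        EfsConfiguration = $value
        EfsDisabled      = ($value -eq 1)
    }
}

function Disable-Efs {
    # Writes the DWORD the article describes (EfsConfiguration = 1).
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value 1 -Type DWord
}

function Get-EfsEncryptedFiles {
    # Files whose NTFS attributes include Encrypted. A sudden jump in this
    # count on a host that does not use EFS is a detection signal worth alerting on.
    param([string]$Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

$state = Get-EfsState
$state | Format-List
if (-not $state.EfsDisabled) {
    Write-Warning "EFS is enabled on this host; run Disable-Efs as administrator if EFS is not needed."
}
$encrypted = Get-EfsEncryptedFiles
"EFS-encrypted files under $env:USERPROFILE : $($encrypted.Count)"
$encrypted | Select-Object -First 10 FullName, LastWriteTime
```

Run Get-EfsEncryptedFiles before Disable-Efs: a machine that legitimately relies on EFS should keep it enabled and depend on a Data Recovery Agent instead.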
Late last year, SafeBreach shared what they were doing with major AV vendors. Some vendors (like F-Secure and Panda) would detect the approach and flag it, but most other vendors were forced to issue software updates to account for the possibility it presented.
Microsoft just huffed about it. They replied, "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows."
SafeBreach summarizes the problem succinctly. Signature-based solutions are not up to this job, they say, but "heuristics-based (and even more so -- generic technology-based) solutions seem more promising, but additional proactive research is required in order to train them against future threats."

