Researchers Warn Windows EFS Could be Abused by Ransomware Attackers
Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.
What Is EFS?
EFS, short for Encrypted File System, is a feature of the Windows operating system, available to business users since Windows 2000. It allows users to encrypt specific folders and files. Encryption converts data into a form that only authorized users can read, so that, in theory, unauthorized users are denied access to those folders and files.
EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.
With EFS, an authorized user does not need to enter a separate password to open encrypted folders and files; access is tied to the user’s account logon. With BitLocker, unlocking the encrypted drive requires typing a password, plugging in a USB key, or letting BitLocker use the Trusted Platform Module (TPM) if the computer has one.
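Because EFS access follows the user’s logon rather than a password, the practical question for a defender is which certificate (and therefore which account) can actually open a given encrypted file. The following PowerShell script is an added example, not code from Safebreach Labs or Microsoft: it inventories EFS-encrypted files under a path using the built-in Encrypted file attribute, asks `cipher.exe /C` which certificate thumbprints can decrypt each one, and flags files whose decryptors are not present in the current user’s personal certificate store. The function names and the `-Path` parameter are assumptions; the parsing of `cipher.exe` output assumes its English “Users who can decrypt:” / “Certificate thumbprint:” wording.

```powershell
# Added example (not the original article's or SafeBreach's code).
# Inventory EFS-encrypted files and report which certificates can decrypt them.
# Assumes English-language cipher.exe output; function names are hypothetical.

function Get-EfsEncryptedFile {
    # Every EFS-encrypted file carries the NTFS 'Encrypted' attribute bit.
    param([string]$Path = $env:USERPROFILE)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Get-EfsDecryptorThumbprint {
    # cipher.exe /C lists the users who can decrypt a file together with the
    # thumbprint of each user's EFS certificate. Thumbprints are printed in
    # groups of four hex digits; spaces are stripped for comparison.
    param([Parameter(Mandatory)][string]$FilePath)
    $out = & cipher.exe /C "$FilePath" 2>&1
    $out | Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() }
}

function Find-EfsFileWithUnknownKey {
    # Heuristic: a file is suspicious if none of its decryptor thumbprints
    # matches a certificate in the current user's personal store, or if no
    # decryptor can be determined at all. Files legitimately encrypted by
    # another account on a shared machine will also be reported here.
    param([string]$Path = $env:USERPROFILE)
    $known = Get-ChildItem -Path Cert:\CurrentUser\My |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() }
    foreach ($file in Get-EfsEncryptedFile -Path $Path) {
        $thumbs  = @(Get-EfsDecryptorThumbprint -FilePath $file.FullName)
        $unknown = @($thumbs | Where-Object { $known -notcontains $_ })
        if ($thumbs.Count -eq 0 -or $unknown.Count -eq $thumbs.Count) {
            [pscustomobject]@{
                File       = $file.FullName
                Decryptors = ($thumbs -join ',')
                KnownToUser = ($thumbs.Count -gt $unknown.Count)
            }
        }
    }
}

# Usage: list encrypted files in the profile whose key the current user does not hold.
Find-EfsFileWithUnknownKey | Format-Table -AutoSize
```

Run it as the user whose files are being checked, since `Cert:\CurrentUser\My` and `cipher.exe /C` both report from that user’s perspective. A normal EFS deployment shows every file’s thumbprint matching a certificate in the store (or a recovery agent); the situation the article describes, files readable only with a key the attacker holds, shows up as rows with `KnownToUser` false.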
Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to them. In ransomware attacks, attackers demand that victims pay a ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. Recent ransomware attacks, meanwhile, also steal files before encrypting them and threaten to publish the stolen files if victims refuse to pay the ransom.
Researchers at Safebreach Labs recently disclosed that they have developed a proof-of-concept ransomware that abuses Windows EFS. The EFS-based ransomware encrypts files, rendering them unreadable to users and even to the Windows operating system itself. According to Safebreach Labs, the encrypted files can be made readable again only by using the attacker’s decryption key and having the EFS-based ransomware restore the encrypted files to their original location; only then can the Windows operating system read the user’s files again.
Safebreach Labs said that EFS-based ransomware is an “alarming concept and a possible new threat in the ransomware horizon” due to the following reasons:
Safebreach Labs said that the EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on 32-bit Windows and on earlier versions such as Windows 8.x, Windows 7 and Windows Vista.
Safebreach Labs said it tested its EFS-based ransomware against three anti-ransomware solutions from well-known vendors, and all three failed to protect against this new threat. Thereafter, Safebreach Labs notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the EFS-based ransomware proof-of-concept. Safebreach Labs found that many of these vendors’ products also failed to protect against the threat.
Prevention and Mitigating Measures Against EFS-Based Ransomware
Below are some of the responses from the major anti-malware and anti-ransomware vendors for Windows endpoints that Safebreach Labs notified about the EFS-based ransomware.
Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”
Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 220.127.116.11. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”
Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”
McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.
“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”
Microsoft email to Safebreach Labs dated October 7, 2019: “Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product.”
In the absence of a Windows update, Safebreach Labs said, one workaround against EFS-based ransomware is to turn off EFS on the affected Windows system. The research lab cautioned, however, that turning off EFS also disables legitimate encryption on the operating system.
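The vendor responses above point at two levers an administrator controls directly: Controlled Folder Access (the Microsoft Defender feature named in Microsoft’s reply) and EFS itself (the workaround Safebreach Labs describes). The PowerShell script below is an added example, not code from the article, Safebreach Labs or any vendor: it reports the current state of both, pulls recent Controlled Folder Access block/audit events from the Defender operational log, and provides a guarded function that disables EFS machine-wide. It assumes the documented `EfsConfiguration` and `NtfsDisableEncryption` registry values and Defender event IDs 1123 (blocked) and 1124 (audit mode); the function names and the `-Force` switch are assumptions. Because disabling EFS also stops legitimate EFS use, the disable step refuses to run while encrypted files exist under `Users\` unless the caller explicitly overrides it.

```powershell
# Added example (not the original article's, SafeBreach's or Microsoft's code).
# Audit and, optionally, apply the two mitigations discussed in the article.
# Requires an elevated session for the registry writes and fsutil.
# Registry values and event IDs are the documented ones; function names are hypothetical.

$EfsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$NtfsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Get-EfsHardeningState {
    # EfsConfiguration = 1 disables EFS for all users (same as the "Don't allow"
    # choice in the Encrypting File System group policy). NtfsDisableEncryption = 1
    # is what `fsutil behavior set disableencryption 1` writes.
    $efs  = Get-ItemProperty -Path $EfsKey  -Name EfsConfiguration      -ErrorAction SilentlyContinue
    $ntfs = Get-ItemProperty -Path $NtfsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue
    $mp   = Get-MpPreference -ErrorAction SilentlyContinue
    $cfa  = switch ($mp.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
    }
    [pscustomobject]@{
        EfsDisabledByPolicy    = ($efs.EfsConfiguration -eq 1)
        NtfsEncryptionDisabled = ($ntfs.NtfsDisableEncryption -eq 1)
        ControlledFolderAccess = $cfa
        ProtectedFolders       = ($mp.ControlledFolderAccessProtectedFolders -join ';')
    }
}

function Get-ControlledFolderAccessEvent {
    # 1123 = Controlled Folder Access blocked a write; 1124 = audit-mode event
    # (would have been blocked). Useful for spotting unexpected file modification
    # in protected folders before deciding to move from AuditMode to Enabled.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Disable-Efs {
    # Turns EFS off machine-wide. This also breaks legitimate EFS use, so the
    # function first looks for any EFS-encrypted file under the Users folder and
    # stops unless -Force is given. The NTFS setting takes effect after a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)

    $inUse = Get-ChildItem -Path "$env:SystemDrive\Users" -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object -First 1
    if ($inUse -and -not $Force) {
        throw "EFS-encrypted files exist (e.g. $($inUse.FullName)). Confirm they are no longer needed, then re-run with -Force."
    }
    if ($PSCmdlet.ShouldProcess('this machine', 'Disable EFS')) {
        if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
        Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value 1 -Type DWord
        & fsutil.exe behavior set disableencryption 1 | Out-Null
    }
}

# Usage: review state and recent events first; disable EFS only after review.
Get-EfsHardeningState | Format-List
Get-ControlledFolderAccessEvent -Hours 24 | Format-Table -AutoSize
# Disable-Efs -WhatIf      # shows what would change without writing anything
```

Running `Get-EfsHardeningState` on a fleet gives a quick picture of which machines still allow EFS and which have Controlled Folder Access only in audit mode. The `-WhatIf` switch on `Disable-Efs` comes from `SupportsShouldProcess`, so the change can be rehearsed before it is applied.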
Ransomware attacks are becoming more and more prominent. Turn to our experts to mitigate the ransomware infection risks and protect your organization. Contact us today for a no-obligation consultation.
Steve E. Driz, I.S.P., ITCP