22 January 2020

Windows encryption can be (ab)used by ransomware


The research team at Safebreach Labs has demonstrated how one of Microsoft’s own security features can be turned against the user by ransomware. The researchers built proof-of-concept ransomware that takes advantage of the Windows Encrypting File System (EFS), a feature in Windows that provides filesystem-level encryption and is meant to protect confidential data from attackers with physical access to the computer.

The proof-of-concept code developed by the team relies on EFS to lock files on a Windows computer under a key the attacker controls. The malware works as follows:

1. The ransomware generates a key (using AdvApi32!CryptGenKey) to be used by EFS and records the file name under which CAPI (CryptoAPI) stores this key.

2. The ransomware generates a certificate for this key, using Crypt32!CertCreateSelfSignCertificate, and adds it to the personal (“MY”) certificate store using Crypt32!CertAddCertificateContextToStore.

3. The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.

4. Now the ransomware can invoke AdvApi32!EncryptFile on every file/folder to be encrypted.

5. The ransomware reads the key file (whose name was recorded in step 1) into memory and deletes it from the following two folders:

%APPDATA%\Microsoft\Crypto\RSA\<sid>\ (where <sid> is the user’s SID)

%ProgramData%\Microsoft\Crypto\RSA\MachineKeys\

6. The ransomware flushes the EFS data from memory using the undocumented AdvApi32!FlushEfsCache (available since Windows Vista). At this point the encrypted files become unreadable to the user (and to the operating system).

7. Ideally, the ransomware wipes the slack space on the disk to ensure that data from the deleted EFS key files and from the temporary files used by EncryptFile cannot be salvaged. This can also be done before the previous step.

8. The ransomware can now encrypt the key file data collected in step 5, for example using an asymmetric (public) key hard-wired into the ransomware, and send the encrypted data to the attacker directly (or instruct the victim to do so).

To restore the files, the attacker has to decrypt the key file data with the corresponding private key. The malware then restores the key files to their original state, and Windows is once again able to read the user’s files.
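A defender-side check, added here as an example that is not part of the original article or of the Safebreach research: it reports whether NTFS encryption is disabled on the host (the registry value NtfsDisableEncryption) and counts EFS-encrypted files under a folder, flagging a burst of recently written ones, which is the observable side effect of steps 3 and 4 above. The scan path and the time window are assumptions.

```powershell
# Added example, not code from the article or from the Safebreach proof of concept.
function Get-EfsEncryptionSummary {
    param(
        [string]$Path = $env:USERPROFILE,   # assumption: scan the current user's profile
        [int]$RecentMinutes = 60            # assumption: "recent" means the last hour
    )

    # 1. Is EFS disabled on this host? NtfsDisableEncryption = 1 under the
    #    FileSystem key turns off NTFS encryption for the whole machine.
    $fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $disable = (Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption `
                -ErrorAction SilentlyContinue).NtfsDisableEncryption
    $efsDisabled = ($disable -eq 1)

    # 2. Which files under $Path carry the NTFS Encrypted attribute, and how
    #    many of them were written recently? A large count spread over many
    #    folders inside a short window is the pattern to alert on.
    $cutoff = (Get-Date).AddMinutes(-$RecentMinutes)
    $encrypted = @(Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 })
    $recent = @($encrypted | Where-Object { $_.LastWriteTime -ge $cutoff })

    # Folders in which the recent EFS-encrypted files cluster (top 10).
    $hotFolders = $recent | Group-Object DirectoryName |
        Sort-Object Count -Descending | Select-Object -First 10 Count, Name

    [pscustomobject]@{
        Path            = $Path
        EfsDisabled     = $efsDisabled
        EncryptedTotal  = $encrypted.Count
        EncryptedRecent = $recent.Count
        RecentMinutes   = $RecentMinutes
        HotFolders      = $hotFolders
    }
}

# Usage: summarise the current profile; inspect HotFolders when EncryptedRecent is high.
$summary = Get-EfsEncryptionSummary
$summary | Select-Object Path, EfsDisabled, EncryptedTotal, EncryptedRecent
$summary.HotFolders
```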

The research team tested their EFS-based ransomware against security solutions with anti-ransomware functionality from three well-known vendors (ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861(a), and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763)) and found that all of them failed to stop the attack. Following this, the researchers reported their findings to 17 cybersecurity vendors (the full list of vendors and their responses is available in a Safebreach blog post).

While many of them have already addressed the issue (with a workaround, a fix, or an update), Microsoft said that it “considers Controlled Folder Access a defense-in-depth feature” and that it “assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows”. The company also added that it “may consider addressing this in a future product”.
