22 January 2020

Windows encryption can be (ab)used by ransomware


The research team at Safebreach Labs has demonstrated how Microsoft’s security tool can be exploited by ransomware. The researchers created concept ransomware that takes advantage of Windows Encrypting File System (EFS), a feature in Windows that provides filesystem-level encryption and protects confidential data from attackers with physical access to the computer.

The proof-of-concept code developed by the team relies on EFS to lock files on a Windows computer using an attacker-supplied key. The malware works as follows:

1. The ransomware generates a key (using AdvApi32!CryptGenKey) to be used by EFS and records the file name used by CAPI for this key.

2. The ransomware generates a certificate for this key, using Crypt32!CertCreateSelfSignCertificate, and adds it to the personal (“MY”) certificate store using Crypt32!CertAddCertificateContextToStore.

3. The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.

4. Now the ransomware can invoke AdvApi32!EncryptFile on every file/folder to be encrypted.

5. The ransomware saves the key file (whose name was recorded in step 1) to memory and deletes it from the following two folders:

%APPDATA%\Microsoft\Crypto\RSA\sid\ (where sid is the user's SID)

%ProgramData%\Microsoft\Crypto\RSA\MachineKeys\

6. The ransomware flushes the EFS data from memory using the undocumented AdvApi32!FlushEfsCache (available since Windows Vista). At this time, the encrypted files become unreadable to the user (and operating system). 

7. Ideally, the ransomware wipes the slack parts of the disk to ensure that data from the deleted EFS key files and from the temporary files used by EncryptFile cannot be salvaged. This can also be done before the previous step.

8. The ransomware can now encrypt the key file data collected in step 5, for example using an asymmetric (public) key hard-wired into the ransomware, and send the encrypted data to the attacker directly (or instruct the victim to do so).

To restore the files, the attacker has to decrypt the key files using the private key. The malware then restores the files to their original state, and Windows is once again able to read the user's files.
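The following PowerShell is added here as an example and is not taken from the Safebreach research; it shows the defensive side of the steps above: checking whether EFS is enabled (and disabling it on hosts that do not need it), counting EFS-encrypted files to baseline against the mass EncryptFile calls of step 4, and watching the two key-file folders from step 5 for deletions. It assumes an elevated PowerShell session and relies on the EfsConfiguration value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS, which is Microsoft's documented switch for disabling EFS.

```powershell
# Added example, not Safebreach's PoC: defensive checks for the EFS abuse described above.
# Assumptions: runs in an elevated PowerShell session on the host being assessed, and
# EfsConfiguration = 1 under the EFS key below is Microsoft's documented switch to disable EFS.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsStatus {
    # $true when EFS is enabled (the default), $false when EfsConfiguration = 1.
    $v = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    return ($v -ne 1)
}

function Disable-Efs {
    # Mitigation for hosts that do not legitimately use EFS; takes effect after a reboot.
    New-Item -Path $EfsKey -Force | Out-Null
    Set-ItemProperty -Path $EfsKey -Name EfsConfiguration -Value 1 -Type DWord
}

function Get-EncryptedFileCount {
    param([string]$Root = $env:USERPROFILE)
    # Counts files carrying the NTFS Encrypted attribute under $Root. Compare against a
    # baseline: a sudden jump is what step 4 above (EncryptFile on every file) produces.
    @(Get-ChildItem -Path $Root -Recurse -File -Force -Attributes Encrypted -ErrorAction SilentlyContinue).Count
}

function Watch-EfsKeyFolders {
    # Raises a warning when anything is deleted from the two key-file folders cleared in step 5.
    # Events fire only while this session is open; forward the warning to a SIEM in practice.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $folders = @("$env:APPDATA\Microsoft\Crypto\RSA\$sid",
                 "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        $w = New-Object System.IO.FileSystemWatcher $f
        $w.EnableRaisingEvents = $true
        Register-ObjectEvent -InputObject $w -EventName Deleted -Action {
            Write-Warning ("EFS key file deleted: {0} ({1})" -f $Event.SourceEventArgs.FullPath, (Get-Date))
        } | Out-Null
    }
}

"EFS enabled: $(Get-EfsStatus)"
"Encrypted files under $($env:USERPROFILE): $(Get-EncryptedFileCount)"
Watch-EfsKeyFolders
```

Disable-Efs is defined but not called, since disabling EFS breaks any legitimate EFS use on the host; run it only after confirming the baseline count is zero and no workflow depends on EFS.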

The research team tested their EFS-based ransomware against security solutions with anti-ransomware functionality from three well-known vendors (ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861(a), and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763)) and found that none of them stopped the attack. The researchers then reported their findings to 17 cybersecurity vendors (the full list of vendors and their responses is available in Safebreach's blog post).

While many of them have already addressed this issue (with a workaround, a fix, or an update), Microsoft said that it “considers Controlled Folder Access a defense-in-depth feature” and that it “assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows”. The company also added that it “may consider addressing this in a future product”.
