The research team at Safebreach Labs has demonstrated how Microsoft’s security tool can be exploited by ransomware. The researchers created concept ransomware that takes advantage of Windows Encrypting File System (EFS), a feature in Windows that provides filesystem-level encryption and protects confidential data from attackers with physical access to the computer.
The proof-of-concept code developed by the team relies on EFS to lock files on a Windows computer using an attacker-supplied key. The malware works as follows:
1. The ransomware generates a key (using AdvApi32!CryptGenKey) to be used by EFS and records the file name used by CAPI for this key.
2. The ransomware generates a certificate for this key, using Crypt32!CertCreateSelfSignCertificate, and adds it to the personal (“MY”) certificate store using Crypt32!CertAddCertificateContextToStore.
3. The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.
4. Now the ransomware can invoke AdvApi32!EncryptFile on every file/folder to be encrypted.
5. The ransomware saves the key file (whose name was recorded in step 1) to memory and deletes it from the following two folders:
%APPDATA%\Microsoft\Crypto\RSA\sid\ (where sid is the user SID)
6. The ransomware flushes the EFS data from memory using the undocumented AdvApi32!FlushEfsCache (available since Windows Vista). At this time, the encrypted files become unreadable to the user (and operating system).
7. Ideally, the ransomware wipes the slack parts of the disk to ensure that data from the deleted EFS key files and the temporary files used by EncryptFile cannot be salvaged. This can also be done before the previous step.
8. The ransomware can now encrypt the key file data collected in step 5, for example, using an asymmetric (public) key hard-wired into the ransomware and send the encrypted data to the attacker directly (or instruct the victim to do so).
In order to restore the files, the attacker has to decrypt the key files using the private key. The malware then restores the key files to their original location, and Windows is once again able to read the user's files.
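As an added defender-side example (not SafeBreach's code and not part of the original article), the following PowerShell audit looks for the host artefacts this procedure produces: EFS still enabled, a growing set of EFS-encrypted files, and missing per-user key containers. It assumes an elevated Windows 10 session; the scan paths and the baseline file location are assumptions.

```powershell
# Added example, not SafeBreach's code. Audits a host for the artefacts the
# steps above leave behind. Run from an elevated prompt on Windows 10.
param(
    [string[]]$Paths = @($env:USERPROFILE),                          # assumption
    [string]$BaselineFile = "$env:ProgramData\efs-baseline.json"     # assumption
)

# 1. Is EFS disabled machine-wide? EfsConfiguration=1 is the value the
#    "File encryption using EFS: Don't allow" policy sets.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$cfg = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
if ($cfg -and $cfg.EfsConfiguration -eq 1) { 'EFS disabled (EfsConfiguration=1).' }
else { 'EFS ENABLED: an EncryptFile-based ransomware can run on this host.' }

# 2. Inventory EFS-encrypted files (EncryptFile sets the Encrypted attribute).
$encrypted = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        Select-Object -ExpandProperty FullName
}
$encrypted = @($encrypted)
"{0} EFS-encrypted files under {1}" -f $encrypted.Count, ($Paths -join ', ')

# 3. Compare with the previous run: many newly encrypted files between two
#    runs is the signal a mass EncryptFile loop (step 4) produces.
if (Test-Path $BaselineFile) {
    $previous = @(Get-Content $BaselineFile -Raw | ConvertFrom-Json)
    $new = @($encrypted | Where-Object { $previous -notcontains $_ })
    "{0} files newly EFS-encrypted since the last baseline" -f $new.Count
    $new | Select-Object -First 20
}
ConvertTo-Json -InputObject $encrypted | Set-Content $BaselineFile

# 4. Step 5 of the attack deletes the user's CAPI key container. Encrypted
#    files with no key material on disk cannot be recovered without the key.
$keyDir = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
$keyFiles = @(Get-ChildItem -Path $keyDir -Recurse -File -Force -ErrorAction SilentlyContinue)
"{0} key container files under {1}" -f $keyFiles.Count, $keyDir
if ($encrypted.Count -gt 0 -and $keyFiles.Count -eq 0) {
    'WARNING: EFS-encrypted files present but no user key containers on disk.'
}
```

Schedule it to run periodically so the baseline diff in step 3 catches a burst of newly encrypted files; `cipher /u /n` gives an equivalent one-off listing of encrypted files.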
The research team tested their EFS-based ransomware against security solutions with anti-ransomware functionality from three well-known vendors (ESET Internet Security 18.104.22.168, Kaspersky Anti Ransomware Tool for Business 22.214.171.1241(a), and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763)) and found that all of them failed to stop the attack. Following this, the researchers provided their findings to 17 cybersecurity vendors (the full list of vendors and their responses is available in SafeBreach's blog post).
While many of them have already addressed this issue (with a workaround, a fix, or an update), Microsoft said that it “considers Controlled Folder Access a defense-in-depth feature” and that it “assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows”. The company also added that it “may consider addressing this in a future product”.