Ransomware is a serious threat to individuals, SOHOs/SMBs and large enterprises. Consequently, many security solutions are now available, which attempt to address the ransomware threat. In this blog post we describe EFS-based ransomware (ransomware which abuses the Windows Encrypting File System), which is a new concept we developed in Safebreach Labs. We put 3 anti-ransomware solutions from well-known vendors to the test against our EFS ransomware. All 3 solutions failed to protect against this threat. We then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided them our PoC, and discovered that many products were affected. Most affected vendors deployed updates to address this new technique. We conclude that the EFS ransomware is an alarming concept and a possible new threat in the ransomware horizon.
The ransomware can now encrypt the key file data collected in step 5, for example, using an asymmetric (public) key hard-wired into the ransomware and send the encrypted data to the attacker directly (or instruct the victim to do so).
EFS Ransomware
The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista).
We ran our EFS ransomware on virtualized Windows 10 machines, each with a folder of ~600MB of user files (a combination of JPG, PNG, MP4, DOC, XLS, DOCX, XLSX, SQL, CSV files of various names and sizes, with meaningful data in them), which was designated for protection (if relevant for the tested solution/feature).
The tests involved using the proof-of-concept ransomware code to generate a key, which was used as an EFS key, and a certificate that would be added to the personal certificate store. Once the key had been invoked on folders and files marked for deletion, researchers saved it to memory and removed it from several areas of the system. These included %APPDATA%\Microsoft\Crypto\RSA\[userSID]\ as well as %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\.
To make sure encrypted files were rendered unreadable, researchers then flushed EFS data from memory. At this point, a hard-wired public key in the ransomware encrypted the key file data and attempted to wipe slack parts of the disk. Attackers would then be able to tell victims their data is essentially being held hostage.
Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique.
The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways to implement ransomware. "It's important we understand what can be done so we can develop better controls around it," says co-founder and CTO Itzik Kotler. One of their goals was to find attack vectors that today's defenses lack capabilities to defend against.
Researchers created their concept ransomware in a lab environment to test whether antivirus software could defend against it. Because this malware uses EFS functionality, as opposed to the typical ransomware tactic of overwriting the file, it uses a different set of system calls.
The malware they developed first generates a key to be used by EFS, as well as a certificate for that key, which is added to the personal certificate store. It then sets the current EFS key to the certificate the malware created; now, this key can be invoked on specific files and folders to encrypt them. The ransomware saves the key files to memory and deletes them from two folders:
From there, the ransomware erases the EFS data from memory, rendering the encrypted files inaccessible to the victim. Ideally, the researchers explain, it also wipes slack parts of the disk to ensure data from the EFS key files and temporary files used by EncryptFile can't be retrieved. The malware can now encrypt data it stole from the two previously mentioned files using a public key hardwired into the ransomware and send encrypted data to the attacker. Files are encrypted at a deep level of the kernel and won't be noticed by file-system filter drivers. The attack doesn't require admin rights or human interaction, Klein writes in a blog post.

Every ransomware should have a way to restore the files, Klein explains, and this one is no different. An attacker would need to decrypt the key files using their private key to restore them to their original state. When this happens, Windows will be able to read the user files.
Inside the Patching Process

The team tested its malware with three anti-ransomware tools from well-known vendors: ESET (Internet Security 12.1.34.0), Kaspersky (Anti Ransomware Tool for Business 4.0.0.861a), and Microsoft (Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809, build 17763). All three failed to defend against this type of ransomware attack.
As ransomware evolves, security vendors must also adapt to defend against new and changing threats. Signature-based tools "are not up to this job," Klein writes in his post, and while heuristics-based solutions hold promise, additional research is required to train them to protect against future threats.
Recent ransomware events often include data theft in addition to just encrypting data. The Encrypting File System on Windows Pro/Enterprise editions encrypts individual files using a private key stored alongside certificates for that user account. The file is therefore unreadable by anyone except the logged-in user account. When you copy the file to a flash drive, it remains encrypted. The only way to read the file on another computer is to also copy the certificate + private key.
Since ransomware has absolutely no reason to jump through the hoops necessary to read the encrypted data directly off the drive (skipping the transparent decryption on read), and since it almost certainly isn't using SMB to transfer the files (it's not a great idea to expose SMB to the internet at all, its security is... outdated), the file contents will surely be decrypted by the OS before the malware uploads them.
Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result.
On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access.
Safebreach Labs tested whether or not EFS could be exploited by creating its own ransomware variant employing tactics including the generation of keys and certificates. To begin the attack chain, the ransomware created both and then added the certificate to the personal certificate store, assigning the new key to act as the current EFS key, and invoked it on the files or folders destined for deletion.
If possible, the malware would then wipe slack parts of the disk, followed by the encryption of the key file data using a hard-wired public key in the ransomware. At this point, it could also be possible to send stolen information to an attacker's command-and-control (C2) center.
According to the researchers, the encryption activities of EFS-based ransomware take place in the kernel and as the NTFS driver is in play, may also go unnoticed by file-system filter drivers. No human interaction or administration rights are required.
"It is clear that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay," the researchers say. "Signature-based solutions are not up to this job, heuristics-based (and even more so -- generic technology-based) solutions seem more promising, but additional proactive research is required in order to "train" them against future threats."
"We put three anti-ransomware solutions from well-known vendors [ESET, Kaspersky, Microsoft] to the test against our EFS ransomware," Klein wrote. "All three solutions failed to protect against this threat."
While EFS has been used by malware writers in the past to conceal their attacks from security tools, SafeBreach believes this is the first time a tech encryption tool has been shown to be of use for ransomware attacks.
SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide an advance notice and get detection for EFS malware added.
Ultimately, however, SafeBreach sees the report as a call for anti-ransomware developers to step up their game in the face of more sophisticated attacks. Just as anti-malware tools had to supplement signature-based detection with other methods, so will ransomware-busting tools.
"It is clear, therefore, that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay," Klein concluded.
To show that EFS ransomware could be a feasible threat, the researchers tested their sample on three security solutions with anti-ransomware capabilities from ESET (Internet Security 12.1.34.0), Kaspersky (Anti Ransomware Tool for Business 4.0.0.861a), and Microsoft (Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809, build 17763).
This prompted the researchers to present their findings to 17 other anti-malware and anti-ransomware vendors for Windows. Many of them have already implemented a workaround or a fix that rolled out to customer endpoints. A list of their responses is available at the bottom of the article.
Firstly, the ransomware will generate the key to be used by EFS, using AdvApi32!CryptGenKey. It then generates a certificate using Crypt32!CertCreateSelfSignCertificate, and adds it to the certificate store. It sets the current EFS key to this store, and then invokes AdvApi32!EncryptFile on every file to be encrypted.
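The API sequence above (and the key/certificate steps described earlier) leaves observable traces on the endpoint: files gain the NTFS Encrypted attribute, and a fresh EFS-capable certificate appears in the user's personal store. The following PowerShell audit is an added, defender-side example, not SafeBreach's PoC and not code from any of the quoted articles; the protected folder path, the baseline file location and the alert threshold are assumptions you would adjust for your environment.

```powershell
# Added example: audit an endpoint for the traces of EFS-based ransomware.
# Assumes Windows PowerShell 5.1+; $Path, $Baseline and $Threshold are assumed values.
param(
    [string]$Path      = "$env:USERPROFILE\Documents",          # assumed protected folder
    [string]$Baseline  = "$env:LOCALAPPDATA\efs-baseline.json", # assumed baseline file
    [int]   $Threshold = 10                                      # assumed alert threshold
)

# 1. Files that currently carry the NTFS Encrypted attribute (the bit EncryptFile sets).
function Get-EfsEncryptedFiles([string]$Root) {
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object { $_.FullName }
}

# 2. Certificates in the personal store with the EFS EKU (OID 1.3.6.1.4.1.311.10.3.4).
#    A certificate created at the time of the incident is a strong indicator.
function Get-EfsCertificates {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4' })
    } | Select-Object Thumbprint, Subject, NotBefore, HasPrivateKey
}

# 3. Is EFS disabled system-wide? Either the EFS policy value or the NTFS setting turns it off.
function Test-EfsDisabled {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    $fs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    ($pol.EfsConfiguration -eq 1) -or ($fs.NtfsDisableEncryption -eq 1)
}

# Compare the current set of encrypted files against the last baseline.
$current = @(Get-EfsEncryptedFiles $Path)
$known   = @()
if (Test-Path $Baseline) { $known = @(Get-Content $Baseline -Raw | ConvertFrom-Json) }
$new = @($current | Where-Object { $known -notcontains $_ })

if ($new.Count -ge $Threshold) {
    Write-Warning "$($new.Count) files under $Path became EFS-encrypted since the last baseline"
    $new | Select-Object -First 10 | ForEach-Object { Write-Warning "  $_" }
    Get-EfsCertificates | Sort-Object NotBefore -Descending | Format-Table -AutoSize
}
if (-not (Test-EfsDisabled)) {
    Write-Output "EFS is enabled on this host; if it is unused, disable it by policy (EfsConfiguration=1) or with 'fsutil behavior set disableencryption 1'."
}
ConvertTo-Json -InputObject $current | Set-Content $Baseline   # refresh the baseline for the next run
```

Run it on a schedule so the baseline reflects legitimate EFS use; a sudden jump in newly encrypted files together with a just-issued EFS certificate is the pattern the articles describe.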