Security researchers today published the details of how a ransomware attack could abuse the Windows Encrypting File System (EFS). Several major security vendors have released patches to protect machines from this attack after anti-malware tools failed to defend against the technique.
The discovery comes from SafeBreach Labs, where researchers were brainstorming new, more sophisticated ways to implement ransomware. "It's important we understand what can be done so we can develop better controls around it," says co-founder and CTO Itzik Kotler. One of their goals was to find attack vectors that today's defenses lack capabilities to defend against.
Starting in Windows 2000, Microsoft began to offer EFS to business customers using the Windows Pro, Professional, Business, Ultimate, Enterprise, and Education editions. EFS enables encryption of specific folders and files keyed to the Windows user. Encryption and decryption are done in the NTFS driver, under the file system filter drivers. Part of the encryption key is stored in a file the user can access; part is computed from the account password. EFS should not be confused with BitLocker, which is a full-disk encryption feature.
Researchers created their concept ransomware in a lab environment to test whether antivirus software could defend against it. Because this malware uses EFS functionality, as opposed to the typical ransomware tactic of overwriting the file, it uses a different set of system calls.
"We thought there was good potential there for completely evading security controls," says Amit Klein, vice president of security research. "Indeed, that turned out to be the case."
The malware they developed first generates a key to be used by EFS, as well as ..
Support the originator by clicking the read the rest link below.
