Safebreach Labs reported that attackers could use the Windows Encrypting File System (EFS) for their needs. Windows EFS can help encryptors and make work of antiviruses more difficult.EFS has been part of Windows operating systems since the release of Windows 2000. Unlike full BitLocker encryption, EFS can selectively encrypt individual files or folders. Researchers are now warning that EFS present significant interest to criminals.
“The fact is that using the “native” functions of Windows itself can be confusing for security solutions that will eventually lose sight of the encryptor”, — says Safebreach Labs researchers.
To start the attack, the ransomware will need to generate a key for EFS using AdvApi32! CryptGenKey. Next, generated the certificate using Crypt32! CertCreateSelfSignCertificate that is added to the certificate store via Crypt32! CertAddCertificateContextToStore. An EFS key is assigned for this certificate using AdvApi32! SetUserFileEncryptionKey.
As a result, the ransomware gets the opportunity to use AdvApi32! EncryptFile to encrypt any file and folder. The next step is to save the key file to memory and delete it from %APPDATA% \Microsoft\Crypto\RSA\[user SID]\ and %ProgramData% \Microsoft\Crypto\RSA\MachineKeys\. Then the EFS data is erased from memory using the undocumented AdvApi32! FlushEfsCache and the encrypted files become unreadable to the user and the OS. The ransomware can also “wipe” free parts of the disk to ensure that data from deleted key files and temporary files are not restored.
“With a final chord, the malware can encrypt the key file data and send the decryption key to the attacker. As a result, the only way to decrypt the affected files is to use the private key of the attacker”, – report experts of Safebreach Labs.
Researchers successfully tested the EFS encryptor created for tests on 64-bit versions of Windows 10 1803, 1809, and 1903. Analysts also write that the malware should work with 32-bit versions of Windows and earlier versions of the OS (Windows 8.x, Windows 7 and Windows Vista).
The malware was tested in combination with ESET Internet Security 22.214.171.124, Kaspersky Anti Ransomware Tool for Business 126.96.36.1991 (a), as well as MS Windows 10 Controlled Folder Access in the 64-bit version of Windows 10 1809 (build 17763). None of these solutions detected an attack and a threat, but this was expectable because the cryptographer used legitimate functions and manipulated system logic.
Researchers immediately informed 17 major manufacturers of security solutions about their findings, showing them their proof-of-concept. Most of them have recognized the existence of the problem and have already made corrections to their products.
Recently, Windows faced a true plaque. The NSA said it found one of the most dangerous vulnerabilities in Windows, only yesterday a temporary patch for a serious bug appeared in IE.
Turn off your system and leave into the desert. Ok, it was a joke. Keep up your system up to date with the latest information security solutions. I am sure you know which one will for sure protect you!