Ransomware is a serious threat to individuals, SOHOs/SMBs and large enterprises. Consequently, many security products are now available that attempt to address the ransomware threat. In this blog post we describe EFS-based ransomware (ransomware that abuses the Windows Encrypting File System), a new concept we developed in SafeBreach Labs. We put 3 anti-ransomware solutions from well-known vendors to the test against our EFS ransomware; all 3 failed to protect against this threat. We then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided them with our PoC, and discovered that many products were affected. Most affected vendors deployed updates to address this new technique. We conclude that EFS ransomware is an alarming concept and a possible new threat on the ransomware horizon.
“Ransomware is a type of malicious software […] that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. [Modern ransomware] uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.” (from Wikipedia - https://en.wikipedia.org/wiki/Ransomware).
Here are several high-profile examples of the damage ransomware has inflicted:
The Windows operating system (starting with Windows 2000) offers a feature called EFS (Encrypting File System) on its business editions (Pro, Professional, Business, Ultimate, Enterprise and Education, depending on the Windows version). EFS encrypts selected folders and files, keyed to the Windows user. The encryption and decryption are carried out inside the NTFS driver, below the file system filter drivers: a filter driver watching file I/O sees ordinary reads and writes of plaintext and never observes the encryption itself. Encryption and decryption are transparent to the user. Each file's encryption key is wrapped with the user's EFS certificate; the matching private key is stored in a file inside the user's profile and is itself protected by DPAPI, i.e. with a key derived from the user's account password. Thus the user never has to provide a separate password for EFS to work.
EFS is not to be confused with BitLocker. BitLocker is full-volume encryption, while EFS selectively encrypts folders and files. With BitLocker, the volume must be unlocked before the operating system boots: during the pre-boot stage the user types a password or PIN, plugs in a USB key, or, if the device has a TPM, BitLocker obtains the key from the TPM. EFS, by contrast, needs nothing from the user beyond a normal logon.
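The following PowerShell session is an added example, not code from the SafeBreach post or its PoC. It exercises the EFS primitive described above on a throwaway file and shows where the per-user key material lives: the NTFS Encrypted attribute on the file, the self-signed EFS certificate in the user's personal store (selected by the EFS enhanced-key-usage OID), and the key-container directories under %APPDATA%. It assumes a Windows edition with EFS enabled; the key-container paths are the usual CAPI and CNG locations and are this example's assumption, not something the post states.

```powershell
# Added example: observe the EFS mechanism on one sample file.
$ErrorActionPreference = 'Stop'

# 1. Create a sample file (constructed data) and EFS-encrypt it. There is no
#    password prompt: the EFS private key is unlocked by the user's logon via DPAPI.
#    Windows creates a self-signed EFS certificate on first use if none exists.
$sample = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -Path $sample -Value 'constructed sample data'
$file = Get-Item $sample
$file.Encrypt()                      # equivalent to: cipher.exe /e /a <file>

# 2. The file now carries the NTFS Encrypted attribute. Any process can see the
#    attribute; only a holder of a matching EFS private key can read the content.
$file.Refresh()
$isEncrypted = ([int]$file.Attributes -band [int][IO.FileAttributes]::Encrypted) -ne 0
"{0}: Encrypted attribute = {1}" -f $sample, $isEncrypted

# 3. Find the EFS certificate(s) in the user's personal store by the
#    "Encrypting File System" enhanced key usage OID.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid }
$efsCerts | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 4. The private half lives as a file under the user's profile (and therefore
#    roams with a roaming profile). Assumed locations: CAPI key containers under
#    RSA\<SID>, CNG key containers under Keys. The most recently written file is
#    normally the one just created or used.
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDirs = @(
    (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"),
    (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys')
)
foreach ($dir in $keyDirs) {
    "--- $dir"
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, Length, LastWriteTime |
        Format-Table -AutoSize
}

# 5. cipher /c lists the certificate thumbprint(s) able to decrypt the file;
#    compare with the store listing from step 3.
cipher.exe /c $sample

# Clean up: decrypt and remove the sample file.
$file.Decrypt()
Remove-Item $sample
```

Removing or replacing the files listed in step 4 while the Encrypted attribute remains set is exactly what makes the data unreadable; nothing in the file's bytes on disk changes in a way a filter driver would flag, which is the point of the technique discussed below.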
EFS ransomware basics
EFS can be used to implement the following interesting kind of ransomware:
The ransomware can now encrypt the key file data collected in step 5, for example, using an asymmetric (public) key hard-wired into the ransomware and send the encrypted data to the attacker directly (or instruct the victim to do so).
To restore the files, the attacker decrypts the key file data with the attacker's private key and has the malware write the key files back to their original locations. Once this is done, EFS can again decrypt the user's files transparently and Windows can read them.
Note that one of the key files is under %APPDATA%, that is, under the user’s profile. If the user has a roaming profile defined, the files in the user’s profile are merged back to the central network server upon logout (https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx). However, the EFS ransomware deletes this key file before logout so the key file is not saved to the network.
The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista).
We tested the following anti-ransomware solutions/features:
We ran our EFS ransomware on virtualized Windows 10 machines, each with a folder of ~600MB of user files (a combination of JPG, PNG, MP4, DOC, XLS, DOCX, XLSX, SQL, CSV files of various names and sizes, with meaningful data in them), which was designated for protection (if relevant for the tested solution/feature).
All 3 products failed to protect the files from our EFS ransomware.
Based on these results, we decided to contact major vendors in the Windows endpoint, anti-ransomware and anti-malware market. We provided them with our advisory and PoC code so that they could test their products and ensure they provide adequate protection against this new technique. The results are summarized below. Kudos to Avast, who awarded us a $1000 bounty even though we did not apply for one.
A user with administrator rights on a Windows machine can turn off EFS by setting the REG_DWORD registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 1 (documented in MS-GPEF: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpef/0382ec4d-bfa9-46c9-a99a-1f2e042938c0). Group Policy can be used to disable EFS enterprise-wide (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System, with file encryption set to "Don't allow").
Of course, this disables EFS for the entire machine, so any legitimate use of EFS on that machine is disabled too. Inventory existing EFS-encrypted files before switching it off.
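The following PowerShell script is an added example, not part of the SafeBreach post. It puts the mitigation above into a form an administrator can run: read the EfsConfiguration value, inventory files carrying the NTFS Encrypted attribute under a set of folders (so that legitimate EFS use is discovered before EFS is turned off, and so that unexpected EFS-encrypted files in protected folders can be alerted on), and, only when explicitly invoked, set EfsConfiguration to 1. The folder list, the function names and the separate Disable-Efs step are this example's own conventions; it must be run from an elevated PowerShell to change HKLM.

```powershell
# Added example: audit EFS use and disable EFS machine-wide via EfsConfiguration.

function Get-EfsStatus {
    # EfsConfiguration: 0 (or absent) = EFS enabled, 1 = EFS disabled (MS-GPEF).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $value = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        EfsConfiguration = $value
        EfsEnabled       = ($value -ne 1)
    }
}

function Get-EfsEncryptedFiles {
    # Inventory files carrying the NTFS Encrypted attribute under the given paths.
    # On a host where nobody uses EFS legitimately, any hit inside the user's
    # document folders is the symptom described in the post and worth alerting on.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ([int]$_.Attributes -band [int][IO.FileAttributes]::Encrypted) -ne 0 } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Disable-Efs {
    # Sets EfsConfiguration = 1. Caveat from the post: legitimate EFS use on this
    # machine is switched off as well, so run the inventory first.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EfsConfiguration -Value 1 -Type DWord
    Get-EfsStatus
}

# --- usage (folder list is an assumption; adjust to the folders you protect) ---
$protected = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
Get-EfsStatus
$encrypted = @(Get-EfsEncryptedFiles -Path $protected)
"{0} EFS-encrypted file(s) found under the monitored folders" -f $encrypted.Count
$encrypted | Format-Table -AutoSize
# Uncomment once you have confirmed EFS is not used legitimately on this host:
# Disable-Efs
```

The inventory is also a cheap detection signal: a baseline count of EFS-encrypted files per protected folder that suddenly jumps is the observable side effect of this technique, since the file contents themselves are never rewritten in a way a filter driver would notice.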
In this research we demonstrated that ransomware can evolve in an alarming direction, including the use of built-in file encryption features of the operating system, namely the abuse of Windows EFS. Many security offerings from major Windows endpoint security vendors were affected and needed updates to address this new technique.
It is clear, therefore, that in the face of the expected evolution of ransomware, new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay. Signature-based solutions are not up to this job; heuristics-based (and even more so, generic technology-based) solutions seem more promising, but additional proactive research is required in order to "train" them against future threats.
Many thanks to Itai Browarnik and Peleg Hadar for their help in testing the EFS ransomware against the anti-ransomware solutions/features.