Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result.
On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access.
A lab-based exploration of EFS, developed by Microsoft as an NTFS alternative to full disk encryption provided by BitLocker in order to encrypt individual files or directories, found that major antivirus solutions might not protect the system.
In a blog post, Safebreach Labs said that after testing three major anti-ransomware solutions offered by cybersecurity vendors, all three failed to stop attacks.
The security solutions tested were ESET Internet Security 22.214.171.124, Kaspersky Anti Ransomware Tool for Business 126.96.36.1991(a), and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763) using a virtual Windows 10 machine loaded up with a variety of different content and file types.
Safebreach Labs tested whether or not EFS could be exploited by creating its own ransomware variant employing tactics including the generation of keys and certificates. To begin the attack chain, the ransomware created both and then added the certificate to the personal certificate store, assigning the new key to act as the current EFS key, and invoked it on the files or folders destined for deletion.
The next step involved saving the key file to memory and deleting it from %APPDATA% \Microsoft\Crypto\RSA\[user SID]\ and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\. EFS data was then flushed from memory, which made sure the "encrypted files become[s] unreadable to the user (and operating system)," according to the team.
If possible, the malware would then wipe slack parts of the disk, followed by the encryption of the key file data using a hard-wired public key in the ransomware. At this point, it could also be possible to send stolen information to an attacker's command-and-control (C2) center.
According to the researchers, the encryption activities of EFS-based ransomware take place in the kernel and as the NTFS driver is in play, may also go unnoticed by file-system filter drivers. No human interaction or administration rights are required.
However, padlock icons are shown when files are encrypted -- which may give victims an indication that all is not well -- and if Data Recovery Agent is enabled, recovery can be "trivial," the team says.
Safebreach Labs developed Proof of Concept (PoC) code and provided this, together with a report, to 17 cybersecurity vendors. As a result, the team realized more products were affected than originally thought.
Below is the rundown on each vendor, their susceptibility, and any actions taken:
- Avast, Antivirus: "We implemented a workaround for version 19.8." Avast, too, provided the researchers with a $1000 bounty.
- Avira, Antivirus: "We have taken an exhaustive look at this potential vulnerability. While we value the reports of this potential vulnerability, we believe that this potential bypass which is dependent upon a customized use scenario is not a realistic 'failure point.'"
- Bitdefender: "As of today [January 10], the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 188.8.131.52. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine-tuning in the future."
- Check Point, SandBlast Agent | Zone Alarm: "Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days."
- D7xTech, CryptoPrevent Anti Malware: Vendor notified July 5th, status unknown.
- ESET, Ransomware Shield technology products: "In June of 2019, ESET was made aware of a possible security bypass of its consumer, business and server products for Windows via the standard Windows API EncryptFile. ESET was able to validate the underlying method used to administer this attack. We are now rolling out an update to mitigate the bypass and would like to kindly ask all customers to refer to Customer Advisory 2020-0002 for more information on mitigation options regarding the bypass published in this report."
- F-Secure, Internet Security (with DeepGuard) | SAFE: Already detected as suspicious: W32/Malware!Online and Trojan.TR/Ransom.Gen.
- GridinSoft, GS Anti-Ransomware [beta]: "We have a free beta-test version of the program released in 2016. Since then it has not been updated and the main release version of the product has not been published. Since the program was last updated in 2016, it is more than logical that it protects against those ransomware families that were popular until 2016."
- IObit, Malware Fighter: A fix is now available in version 7.2.
- Kaspersky (all): All the products were updated to protect against the technique.
- McAfee, Endpoint products: "McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface. Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware."
- Microsoft, Windows Controlled Folder Access: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense-in-depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this in a future product."
- Panda Security, Panda Adaptive Defense | Panda Dome Advanced: "Our protection approach for the Panda Adaptive Defense product line is not based on patterns but on classifying all the files/processes running at the end-point. Thus, any attack using unknown files/processes will be detected and blocked."
- Sophos, Intercept-X Endpoint | CryptoGuard: "We've updated Sophos Intercept X, and all customers using this product are protected."
- Symantec, Endpoint Protection: "We pushed out two detection signatures to mitigate the issue. Both of these signatures have been pushed out to all endpoints via our live update."
- TrendMicro, Apex One | RansomBuster: "Trend Micro is currently researching and working on implementing some enhancements to our endpoint protection products with anti-ransomware capabilities to try and prevent these types of attacks (ETA still in development). In the meantime, we recommend disabling EFS if it is not in [sic] use."
- Webroot, SecureAnywhere AV: "We appreciate SafeBreach bringing this new technique to our attention. While we haven't seen this technique used in the wild yet, we now can arm our threat researchers with intel to combat it in the future."
A possible workaround is for administrators to change registry keys to turn off EFS, as well as use Group Policy in enterprise settings. However, if EFS is in active and legitimate use, then disabling the setting may impact required file protections.
"It is clear that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay," the researchers say. "Signature-based solutions are not up to this job, heuristics-based (and even more so -- generic technology-based) solutions seem more promising, but additional proactive research is required in order to "train" them against future threats."
Previous and related coverage
- Travelex says some in-store systems are back up and running after ransomware attack
- This unusual new ransomware is going after servers
- New ransomware attacks target your NAS devices, backup storage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0