Amit Klein, VP Security Research
Ransomware is a serious threat to individuals, SOHOs/SMBs and large enterprises. Consequently, many security solutions are now available which attempt to address the ransomware threat. In this blog post we describe EFS-based ransomware (ransomware which abuses the Windows Encrypting File System), a new concept we developed in SafeBreach Labs. We put 3 anti-ransomware solutions from well-known vendors to the test against our EFS ransomware. All 3 solutions failed to protect against this threat. We then notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints, provided them with our PoC, and discovered that many products were affected. Most affected vendors deployed updates to address this new technique. We conclude that EFS ransomware is an alarming concept and a possible new threat on the ransomware horizon.
“Ransomware is a type of malicious software […] that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. [Modern ransomware] uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.” (from Wikipedia - https://en.wikipedia.org/wiki/Ransomware).
Here are several high-profile examples of the damage ransomware has inflicted:
EFS Ransomware Explained
The Windows operating system (starting with Windows 2000) offers a feature called EFS (Encrypting File System) for its business users (the Pro, Professional, Business, Ultimate, Enterprise and Education editions, depending on the Windows version). This feature enables the encryption of specific folders and files, keyed to the Windows user. The encryption/decryption is carried out in the NTFS driver, under the file system filter drivers. Encryption/decryption is transparent to the user – part of the key is stored in a file that is accessible to the user and part of the key is computed from the user’s account password. Thus the user does not need to provide a password for EFS to work.
EFS is not to be confused with BitLocker. BitLocker is a full disk encryption feature, while EFS selectively encrypts folders and files. With BitLocker, the disk needs to be decrypted prior to booting, and in order to decrypt the disk the user needs to type the password (or plug in a USB key, or have BitLocker use the TPM if the device has one) during the pre-boot stage.
EFS ransomware basics
EFS can be used to implement the following interesting kind of ransomware:
To restore the files, the attacker needs to decrypt the key files using the attacker’s private key and have the malware restore them to their original position. Once this takes place, Windows can once again read the user files.
Note that one of the key files is under %APPDATA%, that is, under the user’s profile. If the user has a roaming profile defined, the files in the user’s profile are merged back to the central network server upon logout (https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx). However, the EFS ransomware deletes this key file before logout so the key file is not saved to the network.
The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista).
EFS-Ransomware vs. Anti-Ransomware Solutions
We tested the following anti-ransomware solutions/features:
We ran our EFS ransomware on virtualized Windows 10 machines, each with a folder of ~600MB of user files (a combination of JPG, PNG, MP4, DOC, XLS, DOCX, XLSX, SQL, CSV files of various names and sizes, with meaningful data in them), which was designated for protection (if relevant for the tested solution/feature).
All 3 products failed to protect the files from our EFS ransomware.
Based on these results, we decided to contact major vendors in the endpoint (Windows) and anti-ransomware (and anti-malware) market. We provided them with our advisory and PoC code, so that they could test their products and ensure they’re providing adequate protection against this new technique. The results are summarized below. Kudos to Avast who decided to award us with a $1000 bounty, even though we didn’t apply for one.
| Vendor | Product(s) | Status |
|---|---|---|
| Avast/AVG | Anti Virus | From a vendor email (September 26th, 2019): “we implemented a workaround for version 19.8” (https://forum.avast.com/index.php?topic=229461.0) |
| Avira | Anti Virus | From a vendor email (November 20th, 2019): “Avira statement - EFS Encryption: Avira is deeply appreciative of the work performed by external testers and bug hunters. This process of uncovering vulnerabilities, informing developers about them, and remediating the issue within a given timeframe makes the internet a safer place to work and play. On a local level, we value – and have rewarded – those uncovering bugs within Avira products. As software continues to become more complex, we realize that cooperation and automation are essential. This is why we value the work of the Open Security Consortium (OCA), as part of the OASIS open source standards organization, to come up with common standards for security tools to present data and communicate with one another. Automated breach and attack simulation tools such as those developed by SafeBreach can also be an important way to cut through the plethora of software and potential vulnerabilities. Thanks to the SafeBreach proof of concept for using EFS Encryption to bypass Avira, we have taken an exhaustive look at this potential vulnerability. Avira takes a wide-ranging look at what malware looks like, how it might behave, and the various scenarios under which users will encounter it as we develop our detection strategies. While we value the reports of this potential vulnerability, we believe that this potential bypass which is dependent upon a customized use scenario is not a realistic ‘failure point.’” |
| Bitdefender | Bitdefender Free Edition, Bitdefender Internet Security, Bitdefender Total Security | From a vendor email (January 10th, 2020): “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 18.104.22.168. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tunning [sic] in the future.” |
| Check Point | Corporate Endpoint Client, Zone Alarm Anti-Ransomware | From a vendor email (January 20th, 2020): “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.” |
| D7xTech | CryptoPrevent Anti Malware | Vendor notified July 5th, product status unknown. |
| ESET | Products containing Ransomware Shield technology | From a vendor email (January 19th, 2020): “In June of 2019, ESET was made aware of a possible security bypass of its consumer, business and server products for Windows via the standard Windows API EncryptFile. ESET was able to validate the underlying method used to administer this attack. We are now rolling out an update to mitigate the bypass and would like to kindly ask all customers to refer to Customer Advisory 2020-0002 for more information on mitigation options regarding the bypass published in this report.” |
| F-Secure | F-Secure Internet Security (with DeepGuard) | According to a vendor email (July 31st, 2019), this is already detected as Suspicious:W32/Malware!Online and Trojan.TR/Ransom.Gen. |
| GridinSoft | GS Anti-Ransomware [beta] | From a vendor email (October 9th, 2019): “We have a free beta-test version of the program released in 2016. Since then it has not been updated and the main release version of the product has not been published. Since the program was last updated in 2016, it is more than logical that it protects against those ransomware families that were popular until 2016.” |
| IObit | Malware Fighter | According to a vendor email (October 9th, 2019), a fix is now available in version 7.2. |
| Kaspersky | Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud, Kaspersky Endpoint Security, Kaspersky Anti-Ransomware Tool for Business | According to a vendor email (October 7th, 2019), all the products were updated to protect against the technique. |
| McAfee | Endpoint products | From a vendor email (January 17th, 2020): “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface. Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.” |
| Microsoft | Windows Controlled Folder Access | From a vendor email (October 7th, 2019): “Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product.” |
| Panda Security | Panda Adaptive Defense, Panda Dome Advanced | From vendor emails (September 26th, 2019 and October 11th, 2019): “Our protection approach for the Panda Adaptive Defense product line is not based on patterns but on classifying all the files/processes running at the end-point. Thus, any attack using unknown files/processes will be detected and blocked.” “The way the “protection against ransomware” works in Panda Dome is by selecting the directories to protect. At those directories, only processes classified as goodware at our Panda detection cloud can modify the included/protected files. Thus, any unknown process/file accessing the protected directory will be blocked.” |
| Sophos | Sophos Intercept X | From a vendor email (January 17th, 2020): “We’ve updated Sophos Intercept X, and all customers using this product are protected. Thanks again for your help on this.” |
| Symantec | Symantec Endpoint Protection | From a vendor email (October 7th, 2019): “We pushed out two detection signatures (SONAR.SuspBeh!gen697 and SONAR.SuspBeh!gen699) to mitigate the issue. Both of these signatures have been pushed out to all endpoints via our live update.” |
| Trend Micro | Endpoint protection products with anti-ransomware capabilities | From a vendor email (January 10th, 2020): “Trend Micro is currently researching and working on implementing some enhancements to our endpoint protection products with anti-ransomware capabilities to try and prevent these types of attacks (ETA still in development). In the meantime, we recommend disabling EFS if it is not in in [sic] use.” |
| Webroot | SecureAnywhere AV | From a vendor email (September 30th, 2019): “We appreciate SafeBreach bringing this new technique to our attention. At Webroot, security is our top priority and we analyse malware on a perpetual basis to ensure we’re aware of the ever changing tactics, techniques and processes used by cybercriminals. Our threat discovery process and the various protection shields within the Webroot endpoint solution leverage this threat intelligence. While we haven’t seen this technique used in the wild yet, we now can arm our threat researchers with intel to combat it in the future. We know collaboration is key and we openly engage with the cybersecurity community.” |
A user with administrator rights on a Windows machine can turn off EFS by setting the registry value EfsConfiguration under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS to 1 (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpef/0382ec4d-bfa9-46c9-a99a-1f2e042938c0). Group Policy can be used to disable EFS enterprise-wide.
Of course, this will disable EFS for the entire machine, so if EFS was used (legitimately), it too will be disabled.
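As an added example (not SafeBreach's PoC and not any vendor's code), the following PowerShell reads the EfsConfiguration value described above, applies the machine-wide disable from an elevated session, and lists EFS-encrypted files under a folder as a quick audit of whether EFS is actually in use before turning it off; the function names and the default folder are my own choices.

```powershell
# Added example: audit EFS use and apply the EfsConfiguration mitigation.
# Assumes Windows PowerShell 5.1 or later; Disable-Efs needs an elevated session.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsState {
    # EfsConfiguration = 1 disables EFS for the whole machine (MS-GPEF reference above).
    # When the value is absent EFS is enabled, which is the default on business editions.
    $item  = Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -ErrorAction SilentlyContinue
    if ($item -and $item.EfsConfiguration -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Efs {
    # Writes the documented value; this also disables any legitimate EFS use on the host.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    Set-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -Value 1 -Type DWord
}

function Get-EfsEncryptedFile {
    param([string]$Path = $env:USERPROFILE)
    # NTFS sets the Encrypted attribute on every EFS-encrypted file, so encrypted files
    # appearing in a folder that never used EFS are a signal worth investigating, and a
    # zero count tells you the machine-wide disable will not break anything for this user.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: report state, then audit the Documents folder (path is an assumption).
"EFS is $(Get-EfsState) on $env:COMPUTERNAME"
$encrypted = @(Get-EfsEncryptedFile -Path (Join-Path $env:USERPROFILE 'Documents'))
"$($encrypted.Count) EFS-encrypted file(s) found under Documents"
$encrypted | Format-Table -AutoSize
# Disable-Efs   # uncomment in an elevated session to apply the mitigation from the text
```

Run the audit on a representative set of machines first: the count from Get-EfsEncryptedFile is what tells you whether the trade-off described above (losing legitimate EFS) actually applies.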
In this research we demonstrated that ransomware can evolve in an alarming direction, including using built-in file encryption features in the operating system – namely abusing Windows EFS. Many security offerings from major Windows endpoint security vendors are affected, and needed updates to address this new technique.
It is clear, therefore, that in the face of the expected evolution of ransomware, new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay. Signature-based solutions are not up to this job; heuristics-based (and even more so, generic technology-based) solutions seem more promising, but additional proactive research is required in order to “train” them against future threats.
Many thanks to Itai Browarnik and Peleg Hadar for their help in testing the EFS ransomware against the anti-ransomware solutions/features.