{"id":32909,"date":"2020-01-21T16:45:02","date_gmt":"2020-01-21T16:45:02","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/30861\/Antivirus-Vendors-Push-Fixes-For-EFS-Ransomware-Attack-Method.html"},"modified":"2020-01-21T16:45:02","modified_gmt":"2020-01-21T16:45:02","slug":"antivirus-vendors-push-fixes-for-efs-ransomware-attack-method","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/antivirus-vendors-push-fixes-for-efs-ransomware-attack-method\/","title":{"rendered":"Antivirus Vendors Push Fixes For EFS Ransomware Attack Method"},"content":{"rendered":"
<\/div>\n

Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result. <\/p>\n

On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation<\/a> into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access. <\/p>\n

A lab-based exploration of EFS, developed by Microsoft as an NTFS alternative to full disk encryption provided by BitLocker in order to encrypt individual files or directories, found that major antivirus solutions might not protect the system. <\/p>\n

In a blog post<\/a>, Safebreach Labs said that after testing three major anti-ransomware solutions offered by cybersecurity vendors, all three failed to stop attacks. <\/p>\n

TechRepublic: <\/strong>Why baby boomers are looking to IoT and analytics to stay safe<\/a><\/p>\n

The security solutions tested were ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861(a), and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763) using a virtual Windows 10 machine loaded up with a variety of different content and file types.  <\/p>\n

Safebreach Labs tested whether or not EFS could be exploited by creating its own ransomware variant employing tactics including the generation of keys and certificates. To begin the attack chain, the ransomware created both and then added the certificate to the personal certificate store, assigning the new key to act as the current EFS key, and invoked it on the files or folders destined for deletion. <\/p>\n

\n<\/section>\n

The next step involved saving the key file to memory and deleting it from %APPDATA% \\Microsoft\\Crypto\\RSA\\[user SID]\\ and %ProgramData%\\Microsoft\\Crypto\\RSA\\MachineKeys\\. EFS data was then flushed from memory, which made sure the “encrypted files become[s] unreadable to the user (and operating system),” according to the team. <\/p>\n

See also: <\/strong>JhoneRAT exploits cloud services to attack Middle Eastern countries<\/a><\/p>\n

If possible, the malware would then wipe slack parts of the disk, followed by the encryption of the key file data using a hard-wired public key in the ransomware. At this point, it could also be possible to send stolen information to an attacker’s command-and-control (C2) center. <\/p>\n

According to the researchers, the encryption activities of EFS-based ransomware take place in the kernel and as the NTFS driver is in play, may also go unnoticed by file-system filter drivers. No human interaction or administration rights are required. <\/p>\n

However, padlock icons are shown when files are encrypted — which may give victims an indication that all is not well — and if Data Recovery Agent is enabled, recovery can be “trivial,” the team says.<\/p>\n

Safebreach Labs developed Proof of Concept (PoC) code and provided this, together with a report, to 17 cybersecurity vendors. As a result, the team realized more products were affected than originally thought. <\/p>\n

Below is the rundown on each vendor, their susceptibility, and any actions taken:<\/p>\n