WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

The encryption technology Microsoft uses to protect its own file system could also be turned into a weapon for ransomware attackers.

So says the research team at Safebreach Labs, which has demonstrated how ransomware based on the Windows Encrypting File System could prove difficult for anti-malware tools to spot and block.

Safebreach veep of research Amit Klein and his team wrote a proof-of-concept attack that uses EFS combined with an attacker-generated key (from the ransomware infection) to force a PC to encrypt its own data. The keys are then flushed from the PC’s memory, leaving the attacker with the sole means for decrypting information.

The benefit of this, explained Klein, is an attack that is not only hard to spot and decode, but can also be more easily automated, executed without administrator clearance, and spread more easily than conventional ransomware infections.

“We put three anti-ransomware solutions from well-known vendors [ESET, Kaspersky, Microsoft] to the test against our EFS ransomware,” Klein wrote. “All three solutions failed to protect against this threat.”

While EFS has been used by malware writers in the past to conceal their attacks from security tools, SafeBreach believes this is the first time a tech encryption tool has been shown to be of use for ransomware attacks.

SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide advance notice and get detection for EFS malware added.

Admins can also manually disable EFS via registry key settings, or use a Data Recovery Agent to recover files.
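The registry mitigation mentioned above, as an added example that is not part of the article or of SafeBreach's research: a PowerShell script (run as Administrator) that reports the current EFS policy, inventories files that already carry the Encrypted attribute, lists EFS-capable certificates in the user's store, and only disables EFS when asked. The `NtfsDisableEncryption` value and the EFS EKU OID are documented Windows identifiers; the `-ScanPath` default is an assumption.

```powershell
# Added example (not from the article or SafeBreach): audit EFS state and, on request, disable it.
[CmdletBinding()]
param(
    [switch]$Disable,                     # apply the registry change; default is audit only
    [string]$ScanPath = $env:USERPROFILE  # assumption: tree to inventory for EFS-encrypted files
)

# 1. System-wide EFS switch: NtfsDisableEncryption = 1 turns EFS off (takes effect after a restart).
$fsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$current = (Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
if ($null -eq $current) { $state = 'not set (EFS enabled)' } else { $state = $current }
Write-Host "NtfsDisableEncryption is currently: $state"

# 2. Inventory files already encrypted with EFS, so you know which data depends on EFS keys
#    (or a Data Recovery Agent) before changing policy.
$encrypted = Get-ChildItem -Path $ScanPath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
Write-Host ("EFS-encrypted files under {0}: {1}" -f $ScanPath, @($encrypted).Count)
$encrypted | Select-Object -First 20 FullName, LastWriteTime | Format-Table -AutoSize

# 3. Certificates in the current user's store that carry the Encrypting File System EKU.
#    A recently issued EFS certificate nobody remembers creating deserves a closer look.
$efsEku = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Select-Object Subject, NotBefore, Thumbprint | Format-Table -AutoSize

# 4. Apply the mitigation only when explicitly requested.
if ($Disable) {
    New-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host 'EFS disabled via NtfsDisableEncryption=1; restart the machine for it to take effect.'
}
```

Run it once without `-Disable` to see what the host is using EFS for, then with `-Disable` on machines where nothing legitimate depends on it.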

Ultimately, however, SafeBreach sees the report as a call for anti-ransomware developers to step up their game in the face of more sophisticated attacks. Just as anti-malware tools had to supplement signature-based detection with other methods, so will ransomware-busting tools.

“It is clear, therefore, that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay,” Klein concluded.

“Signature-based solutions are not up to this job, heuristics-based (and even more so – generic technology-based) solutions seem more promising, but additional proactive research is required in order to ‘train’ them against future threats.” ®
