EFS-Based Ransomware is a Real and Tangible Danger

• SafeBreach created new ransomware that utilizes the Windows EFS system. 
• The team tested their creation against three AV tools, and all failed to detect the threat. 
• All vendors, as well as Microsoft, have been notified with the PoC, and some have already pushed fixes. 

The Windows EFS (Encryption File System) is a feature that enables the user to implement filesystem-level encryption and to enjoy higher levels of protection from malicious actors. What if someone could utilize this feature though, and turn it against the user by using EFS-based ransomware? This is exactly what the brains on SafeBreach Labs thought, and they created this novel type of ransomware to test it against three widely-used AV tools. Their ransomware targets specific files and folders, just like a regular strain would do, using a unique key but relying on the EFS encryption mechanism to do the dirty job.

More specifically, the ransomware created by SafeBreach generates a key using the "AdvApi32!CryptGenKey", and then generates a certificate for this key using "Crypt32". Through a series of invokes and steps, the EFS encrypts the selected data and then wipes the unencrypted originals. Similarly, the temporary files used by "EncryptFile" are also deleted after the process is completed. Finally, the ransomware encrypts the key file using a public asymmetric key that is hard-wired into the malware, and then sends the encrypted data to the attacker. As only the actor holds the key, the victim's only hope to restore the encrypted files lies in paying the ransom. 

The team tested their creation on Windows 10 64-bit version 1803, 1809, and 1903, and it worked as predicted on all of them. As the EFS ransomware operates at a deep level of the kernel, encrypting files at the NTFS driver level, there are no admin rights required and no need for any user interactions. The team believes that their creation would work well on 32-bit systems too, and also on Windows 8.x, Windows 7, and Vista.

When testing the EFS ransomware with AV tools and protection solutions, the researchers figured that none was able to detect and stop it. More specifically, they tested ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861(a), and Microsoft Windows 10 Controlled Folder Access (build 17763). Based on this, SafeBreach decided to send the PoC to all major vendors of AV tools and allow them the time to incorporate malicious EFS encryption detection onto their products. Those who claim to have fixed their products and are now able to detect and stop the EFS ransomware are:

• Avast/AVG
• BitDefender (only reports)
• ESET
• F-Secure (already detected it)
• IObit
• Kaspersky
• Panda Security
• Sophos
• Symantec
• TrendMicro (working on it)

As a workaround, users are advised to turn off the EFS if it's not needed, so as to prevent an EFS ransomware from wreaking havoc on your device. This is a big step in ransomware development that enables researchers and AV vendors to realize that thinking out of the box before the crooks do it is crucial.