
WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

Redmond's own security tools could be abused by hard-to-block file-scrambling software nasties

The encryption technology Microsoft uses to protect Windows file systems can be exploited by ransomware.

So says the research team at SafeBreach Labs, which has demonstrated how file-scrambling software nasties can not only tap into the Windows Encrypting File System (EFS) but also avoid anti-malware tools.

SafeBreach veep of research Amit Klein and his team crafted proof-of-concept code that uses EFS to force a PC to encrypt its own data using an attacker-supplied key. The key is then flushed from the computer's memory, leaving miscreants with the sole means of decrypting a victim's information.

The benefit of this, explained Klein, is an infection that is not only hard to spot and block, but can also be more easily automated, and executed without administrator clearance.

"We put three anti-ransomware solutions from well-known vendors [ESET, Kaspersky, Microsoft] to the test against our EFS ransomware," Klein wrote. "All three solutions failed to protect against this threat."

While EFS has been used by malware writers in the past to conceal their attacks from security tools, SafeBreach believes this is the first time the operating system's own encryption tool has been shown to be usable for ransomware attacks.

SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide advance notice and get detection for EFS-based ransomware added.

Admins can also manually disable EFS via registry key settings, or use a Data Recovery Agent to recover files.
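As an added illustration of the registry-based mitigation mentioned above (example code, not from the article or from SafeBreach), the following PowerShell reads the EFS policy switch, can set it to the disabled state, and lists files in a folder that already carry the NTFS Encrypted attribute so an admin can see what EFS-protected data exists before turning the feature off. It assumes the documented policy location HKLM\SYSTEM\CurrentControlSet\Policies\EFS with DWORD value EfsConfiguration, which the article itself does not name.

```powershell
# Added example: audit and optionally disable EFS via its policy registry value.
# Assumption: the documented policy switch is EfsConfiguration under Policies\EFS
# (1 = EFS disabled, 0 or absent = EFS enabled). Changes need an elevated prompt
# and take effect after a reboot.
$EfsPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EFS'
$EfsValueName = 'EfsConfiguration'

function Get-EfsState {
    # Returns 'Disabled' when the policy value is 1, otherwise 'Enabled'.
    $prop = Get-ItemProperty -Path $EfsPolicyKey -Name $EfsValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.$EfsValueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Efs {
    # Creates the policy key if missing and sets the disable flag.
    if (-not (Test-Path -Path $EfsPolicyKey)) {
        New-Item -Path $EfsPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $EfsPolicyKey -Name $EfsValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-EfsEncryptedFiles {
    # Lists files whose NTFS attributes include Encrypted, i.e. files EFS has scrambled.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage: report the current state and inventory encrypted files under the user's profile.
"EFS policy state: $(Get-EfsState)"
Get-EfsEncryptedFiles -Path $env:USERPROFILE | Format-Table -AutoSize
# Uncomment after reviewing the inventory and confirming a Data Recovery Agent is in place:
# Disable-Efs; "EFS policy state after change: $(Get-EfsState)"
```

A sudden jump in the number of files returned by Get-EfsEncryptedFiles on a host that does not normally use EFS is the kind of signal the article says anti-ransomware tools will need to act on.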

Ultimately, however, SafeBreach sees the report as a call for anti-ransomware developers to step up their game in the face of more sophisticated attacks. Just as anti-malware tools had to supplement signature-based detection with other methods, so will ransomware-busting tools.

"It is clear, therefore, that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay," Klein concluded.

"Signature-based solutions are not up to this job, heuristics-based (and even more so – generic technology-based) solutions seem more promising, but additional proactive research is required in order to 'train' them against future threats." ®
