This article is more than 1 year old

WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

Redmond's own security tools could be abused by hard-to-block file-scrambling software nasties

The encryption technology Microsoft uses to protect Windows file systems can be exploited by ransomware.

So says the research team at Safebreach Labs, which has demonstrated how file-scrambling software nasties can not only tap into the Windows Encrypting File System but also avoid anti-malware tools.

Safebreach veep of research Amit Klein and his team crafted proof-of-concept code that uses EFS to force a PC to encrypt its own data using an attacker-supplied key. The key is then flushed from the computer's memory, leaving miscreants with the sole means for decrypting a victim's information.

The benefit of this, explained Klein, is an infection that is not only hard to spot and block, but can also be more easily automated, and executed without administrator clearance.

"We put three anti-ransomware solutions from well-known vendors [ESET, Kaspersky, Microsoft] to the test against our EFS ransomware," Klein wrote. "All three solutions failed to protect against this threat."

While EFS has been used by malware writers in the past to conceal their attacks from security tools, SafeBreach believes this is the first time a tech encryption tool has been shown to be of use for ransomware attacks.

SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide an advance notice and get detection for EFS malware added.

Admins can also manually disable EFS via registry key settings, or use a Data Recovery Agent to recover files.

Ultimately, however, SafeBreach sees the report as a call for anti-ransomware developers to step up their game in the face of more sophisticated attacks. Just as anti-malware tools had to supplement signature-based detection with other methods, so will ransomware-busting tools.

"It is clear, therefore, that in the face of the expected evolution of ransomware, that new anti-ransomware technologies need to be developed if the ransomware threat is to be contained and kept at bay," Klein concluded.

"Signature-based solutions are not up to this job, heuristics-based (and even more so – generic technology-based) solutions seem more promising, but additional proactive research is required in order to 'train' them against future threats." ®

More about


Send us news

Other stories you might like