Windows EFS Feature May Help Ransomware Attackers

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Forum Veteran
Feb 4, 2016
2,516
15,624
3,578
53
Germany / Poland
Content source
https://www.bleepingcomputer.com/news/security/windows-efs-feature-may-help-ransomware-attackers/
Security researchers have created concept ransomware that takes advantage of a feature in Windows that encrypts files and folders to protect them from unauthorized physical access to the computer. The lab-developed ransomware strain relies on the Encrypting File System (EFS) component in Microsoft's operating system and can run undetected by some antivirus software.

Abusing a legitimate feature

EFS allows users to encrypt specific files and folders with a symmetric key known as File Encryption Key, which is then encrypted with a public key (asymmetric encryption). This process and its reversal is done at a layer below the NT file system (NTFS).
... ....
...
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: SunMan09, HarborFront, catjc and 8 others
RKRN3 said:
EFS is present from Windows 2000 and beyond, including XP. I know Microsoft will patch it in 8.1 and 10, but not on older OSs. Also, I use Avast (which doesn't support XP anymore) which already has patched it.
Click to expand...


You will notice that I wrote my OS W.XP.


....The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista).......
Click to expand...

....The Windows operating system (starting with Windows 2000) offers a feature called EFS (Encrypting File System) for its business users (the Pro, Professional, Business, Ultimate, Enterprise and Education editions, depending on the Windows version)........
Click to expand...

_________________________________________

......The support of EFS is not available in Basic, Home, and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate, and Server versions of Windows or by using enterprise deployment tools within Windows domains......
Click to expand...

NTFS - Wikipedia

en.wikipedia.org en.wikipedia.org

P.S.
This is not my area of expertise.

.....Only in W.10 has EFS support on FAT been added.....
Click to expand...

Encrypting File System - Wikipedia

en.wikipedia.org en.wikipedia.org

So probably EFS on FAT32 doesn't work.
My FS is in FAT32 to be less compatible for new threats.

I would be very interested if some member of MT who is competent in this sector can have his say, even if I refute my hypothesis we would miss him.(y)(y);)
 
Last edited:
  • Like
Reactions: [correlate], catjc, Outpost and 1 other person
RKRN3 said:
Running (Manual).
Click to expand...

It is also present in my W.10 Home but the service is stopped:

Immagine.jpg

Guys I disabled it.
Start the service is also possible from SUA.(n)
Remember if you can do it from SUA, malware can do it too.
So I disabled it.

Curious, when I started the service I couldn't stop it.
I had to use the administrator prompt:

sc config EFS start= demand

reboot pc
 
  • Like
Reactions: [correlate], catjc, Captain Awesome and 3 others
Sampei Nihira said:
Guys I disabled it.
Start the service is also possible from SUA.(n)
Remember if you can do it from SUA, malware can do it too.
So I disabled it.
Click to expand...
What you mean by you can start it from SUA, You can access services panel from SUA and change the services?
 
Last edited by a moderator:
  • Like
Reactions: [correlate] and upnorth
Umbra said:
Maybe with UAC at default, but if set at max or in my case, with a setting that prevent execution of admin tools in SUA, it won't be possible.
Click to expand...

My UAC is always on.

But frankly I don't remember, now, if I opened the prompt window to access the services, as administrator.:rolleyes:

And now that I have disabled it, I don't want to repeat the whole procedure.
You have to try it, Umbra.;)
Also because I was surprised that once the service started it could not be stopped.(n)

I insert 2 images below from SUA and Administrator:

SUA
Immagine.jpg


Administrator:

Immagine1.jpg


As you can see a potential malware at least initially can only modify, as an administrator, the service.
Don't start it.
 
Last edited:
  • Like
Reactions: [correlate]
Sampei Nihira said:
My UAC is always on.

But frankly I don't remember, now, if I opened the prompt window to access the services, as administrator.:rolleyes:
Click to expand...
i think you did.

And now that I have disabled it, I don't want to repeat the whole procedure.
You have to try it, Umbra.;)
Click to expand...
no thanks, im lazy as well to disable all my security settings just to cross-check LOL

Also because I was surprised that once the service started it could not be stopped.(n)
Click to expand...
indeed, surprising


I insert 2 images below from SUA and Administrator:
As you can see a potential malware at least initially can only modify, as an administrator, the service.
Don't start it.
Click to expand...
Yes i was intrigued how you could manipulate a service from SUA, shouldn't be possible.
 
  • Like
Reactions: [correlate] and harlan4096
Sampei Nihira said:
Any W.XP OS with FS FAT32 is immune to the problem.
So my choice after 2014 to have an unusual FS is paying off.
Click to expand...
I will say all those PoC are made with the OS at default, if hardened or protected by some softs, many of them will be countered whatever the OS.
For example, if you didn't hardened or tweaked your XP, it would be extremely risky to use it in our time.
XP was made in an era where the most virulent malware were just backdoors (Subseven, etc...).
 
  • Like
Reactions: [correlate] and harlan4096
Umbra said:
i think you did.


no thanks, im lazy as well to disable all my security settings just to cross-check LOL


indeed, surprising



Yes i was intrigued how you could manipulate a service from SUA, shouldn't be possible.
Click to expand...


Umbra I did a try again.
I opened the fax service from SUA.
This service is in the same conditions as EFS.

As you see "manual" "stopped" but with the "start" button available:

100.jpg


And I'm ready to bet that from SUA I can start the fax service without UAC.

Follow my advice, turn off the EFS service.;)

P.S.
I'm sure then I couldn't stop the service because I was in SUA.
But being able to start it is very worrying.
 
Last edited:
  • Like
Reactions: [correlate], RKRN3 and harlan4096
On the off chance anyone wanted to retain EFS usage for Administrators but prevent Standard Users from making use of the service you could also adjust the SDDL to remove user access to the EFS service.

I made a simple .inf for the EFS service via mmc and applied it using LGPO. After a reboot I could use encryption from an Administrator account but Standard Users would get an access denied even if the service was already running.
Code: 
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"EFS",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;SU)S:(AU;SAFA;DCSDWDWO;;;WD)"

It basically just removed some potentially problematic rights for App Packages (AppX), Authenticated Users & Interactive Users leaving just Administrators, Service and System rights intact. You could also do the same from a System integrity CMD prompt via nsudo (or similar) using SC just don't forget to reboot.
Code: 
SC SDSET EFS D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;SU)S:(AU;SAFA;DCSDWDWO;;;WD)
 
  • Like
Reactions: Sampei Nihira
You must log in or register to reply here.

You may also like...