Windows EFS Feature May Help Ransomware Attackers

LASER_oneXM
Thread author
Feb 4, 2016
Security researchers have created concept ransomware that takes advantage of a feature in Windows that encrypts files and folders to protect them from unauthorized physical access to the computer. The lab-developed ransomware strain relies on the Encrypting File System (EFS) component in Microsoft's operating system and can run undetected by some antivirus software.

Abusing a legitimate feature

EFS allows users to encrypt specific files and folders with a symmetric key known as the File Encryption Key, which is then encrypted with a public key (asymmetric encryption). This process and its reversal are done at a layer below the NT file system (NTFS).
... ....
...
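The article describes EFS as transparent per-file encryption keyed by a certificate the user holds; ransomware built on it leaves files that are still "encrypted" in the NTFS sense but keyed to a certificate the victim does not have. The script below is an added example written for this page, not code from the article, the researchers, or the thread: it sweeps a directory for files carrying the NTFS Encrypted attribute, tests whether the current user can still open them, and pulls the decrypting-certificate thumbprints from cipher.exe. It assumes Windows with an NTFS volume; $Root is an assumed example path.

```powershell
# Added example, not from the article quoted above: sweep a directory for files carrying the NTFS
# "Encrypted" attribute (the mark EFS leaves) and report whether the current user can still open
# them. A burst of recently modified, encrypted files that the user can no longer read is what
# EFS-based ransomware would leave behind. Assumes Windows with NTFS; $Root is an example path.
param([string]$Root = "$env:USERPROFILE\Documents")

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Test-FileReadable {
    # EFS decrypts transparently on open; without a usable private key the open fails
    # (UnauthorizedAccessException) even though the NTFS ACL grants read.
    param([Parameter(Mandatory)][string]$Path)
    try { $fs = [System.IO.File]::OpenRead($Path); $fs.Dispose(); $true } catch { $false }
}

function Get-EfsKeyThumbprint {
    # cipher.exe /c lists the certificates (by thumbprint) whose keys can decrypt the file.
    # A thumbprint matching nothing in the user's store (certutil -user -store My) is the red flag.
    param([Parameter(Mandatory)][string]$Path)
    (& cipher.exe /c $Path 2>&1 | Where-Object { "$_" -match 'thumbprint' } |
        ForEach-Object { ("$_" -split ':', 2)[1].Trim() }) -join '; '
}

$report = foreach ($f in Get-EfsEncryptedFile -Path $Root) {
    [pscustomobject]@{
        File      = $f.FullName
        Modified  = $f.LastWriteTime
        Readable  = Test-FileReadable -Path $f.FullName
        KeyThumbs = Get-EfsKeyThumbprint -Path $f.FullName
    }
}
$report | Sort-Object Modified -Descending | Format-Table -AutoSize
"{0} encrypted file(s), {1} unreadable by {2}" -f @($report).Count,
    @($report | Where-Object { -not $_.Readable }).Count, $env:USERNAME
```

Run it as the affected user, not as an administrator: the Readable column only means something for the account whose certificate store is supposed to hold the EFS key. On a healthy machine every encrypted file is readable and its thumbprint matches a certificate in that user's personal store; a set of files that are encrypted, recently modified, and unreadable with a thumbprint nobody on the box owns is the pattern the article is warning about.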
 

Sampei Nihira
Dec 26, 2019
EFS is present from Windows 2000 and beyond, including XP. I know Microsoft will patch it in 8.1 and 10, but not on older OSs. Also, I use Avast (which doesn't support XP anymore) which already has patched it.


You will notice that I wrote my OS W.XP.


...The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista)...

...The Windows operating system (starting with Windows 2000) offers a feature called EFS (Encrypting File System) for its business users (the Pro, Professional, Business, Ultimate, Enterprise and Education editions, depending on the Windows version)...

_________________________________________

...The support of EFS is not available in Basic, Home, and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate, and Server versions of Windows or by using enterprise deployment tools within Windows domains...


P.S.
This is not my area of expertise.

...Only in W.10 has EFS support on FAT been added...


So probably EFS on FAT32 doesn't work.
My FS is in FAT32 to be less compatible for new threats.

I would be very interested if some member of MT who is competent in this area could have his say, even if he refutes my hypothesis.
 

Sampei Nihira
Dec 26, 2019
Running (Manual).

It is also present in my W.10 Home but the service is stopped:

[screenshot]

Guys, I disabled it.
Starting the service is also possible from SUA.
Remember, if you can do it from SUA, malware can do it too.
So I disabled it.

Curious, when I started the service I couldn't stop it.
I had to use the administrator prompt:

sc config EFS start= demand

reboot pc
 
ForgottenSeer 823865

Guys, I disabled it.
Starting the service is also possible from SUA.
Remember, if you can do it from SUA, malware can do it too.
So I disabled it.
What do you mean by "you can start it from SUA"? You can access the Services panel from SUA and change the services?
 

Sampei Nihira
Dec 26, 2019
Maybe with UAC at default, but if set at max or, in my case, with a setting that prevents execution of admin tools in SUA, it won't be possible.

My UAC is always on.

But frankly I don't remember, now, if I opened the prompt window to access the services as administrator.

And now that I have disabled it, I don't want to repeat the whole procedure.
You have to try it, Umbra.
Also because I was surprised that once the service was started it could not be stopped.

I insert 2 images below from SUA and Administrator:

SUA
[screenshot]


Administrator:

[screenshot]


As you can see, a potential malware can, at least initially, only modify the service as an administrator.
Not start it.
 
ForgottenSeer 823865

My UAC is always on.

But frankly I don't remember, now, if I opened the prompt window to access the services as administrator.
I think you did.

And now that I have disabled it, I don't want to repeat the whole procedure.
You have to try it, Umbra.
No thanks, I'm too lazy to disable all my security settings just to cross-check LOL

Also because I was surprised that once the service was started it could not be stopped.
Indeed, surprising.


I insert 2 images below from SUA and Administrator:
As you can see, a potential malware can, at least initially, only modify the service as an administrator.
Not start it.
Yes, I was intrigued how you could manipulate a service from SUA; it shouldn't be possible.
 
ForgottenSeer 823865

Any W.XP OS with FS FAT32 is immune to the problem.
So my choice after 2014 to have an unusual FS is paying off.
I will say all those PoC are made with the OS at default, if hardened or protected by some softs, many of them will be countered whatever the OS.
For example, if you didn't harden or tweak your XP, it would be extremely risky to use it in our time.
XP was made in an era where the most virulent malware were just backdoors (Subseven, etc...).
 

Sampei Nihira
Dec 26, 2019

Umbra, I tried again.
I opened the Fax service from SUA.
This service is in the same condition as EFS.

As you see "manual" "stopped" but with the "start" button available:

[screenshot]


And I'm ready to bet that from SUA I can start the fax service without UAC.

Follow my advice, turn off the EFS service.

P.S.
I'm sure then I couldn't stop the service because I was in SUA.
But being able to start it is very worrying.
 

Syrinx
Dec 31, 2019
On the off chance anyone wanted to retain EFS usage for Administrators but prevent Standard Users from making use of the service you could also adjust the SDDL to remove user access to the EFS service.

I made a simple .inf for the EFS service via mmc and applied it using LGPO. After a reboot I could use encryption from an Administrator account but Standard Users would get an access denied even if the service was already running.
Code:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"EFS",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;SU)S:(AU;SAFA;DCSDWDWO;;;WD)"

It basically just removed some potentially problematic rights for App Packages (AppX), Authenticated Users and Interactive Users, leaving just the Administrators, Service and System rights intact. You could also do the same from a System-integrity CMD prompt via nsudo (or similar) using SC; just don't forget to reboot.
Code:
SC SDSET EFS D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;SU)S:(AU;SAFA;DCSDWDWO;;;WD)
 
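The two posts above do by hand what the script below does in one pass: read the EFS service's startup type and state, find out which principals the service DACL lets start or stop it (the condition Sampei Nihira hit when a standard user got a live "Start" button), and decode the hardened SDDL string Syrinx posted before trusting it. This is an added example written for this page, not code from either poster. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; reading works as a standard user, while Set-Service and sc.exe sdset need an elevated or SYSTEM prompt. "EFS" is the real service name used in the thread; the $ServiceRights table and the helper function names are mine.

```powershell
# Added example, not from the thread or the article it quotes: inspect the EFS service the way the
# thread does by hand (startup type, state, and who the service DACL lets start or stop it), decode
# the hardened SDDL string posted above, and apply it. Assumes Windows PowerShell 5.1 or PowerShell 7
# on Windows; reading works as a standard user, writing needs an elevated (or SYSTEM) prompt.

# Service access-right bits (winsvc.h) and the SDDL letters that encode them.
$ServiceRights = [ordered]@{
    'CC SERVICE_QUERY_CONFIG'         = 0x0001
    'DC SERVICE_CHANGE_CONFIG'        = 0x0002
    'LC SERVICE_QUERY_STATUS'         = 0x0004
    'SW SERVICE_ENUMERATE_DEPENDENTS' = 0x0008
    'RP SERVICE_START'                = 0x0010
    'WP SERVICE_STOP'                 = 0x0020
    'DT SERVICE_PAUSE_CONTINUE'       = 0x0040
    'LO SERVICE_INTERROGATE'          = 0x0080
    'CR SERVICE_USER_DEFINED_CONTROL' = 0x0100
    'SD DELETE'                       = 0x10000
    'RC READ_CONTROL'                 = 0x20000
    'WD WRITE_DAC'                    = 0x40000
    'WO WRITE_OWNER'                  = 0x80000
}
$AdminSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

function Get-ServiceSddl {
    # sc.exe sdshow prints the current descriptor in the same text form that "sc sdset" consumes.
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name 2>&1
    $line = $out | Where-Object { "$_" -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "sc.exe sdshow $Name returned no descriptor: $out" }
    "$line".Trim()
}

function ConvertFrom-ServiceSddl {
    # One object per DACL entry: trustee, whether it may start/stop the service, and the rights by name.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }       # unresolvable SID (e.g. an app-package SID)
        $allowed = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        $names = foreach ($r in $ServiceRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key.Substring(3) }
        }
        [pscustomobject]@{
            Ace      = $ace.AceType
            Trustee  = $who
            Sid      = $sid.Value
            CanStart = $allowed -and [bool]($ace.AccessMask -band 0x10)
            CanStop  = $allowed -and [bool]($ace.AccessMask -band 0x20)
            Rights   = $names -join ','
        }
    }
}

function Get-NonAdminStarter {
    # The condition the thread observed: a trustee other than SYSTEM/Administrators holding SERVICE_START.
    param([Parameter(Mandatory)][string]$Sddl)
    ConvertFrom-ServiceSddl -Sddl $Sddl | Where-Object { $_.CanStart -and $_.Sid -notin $AdminSids }
}

# 1. Startup type and state, the two columns the thread read off the Services panel.
Get-CimInstance Win32_Service -Filter "Name='EFS'" | Format-List Name, StartMode, State, PathName

# 2. Who may start or stop EFS right now?
$current = Get-ServiceSddl -Name 'EFS'
"Current: $current"
ConvertFrom-ServiceSddl -Sddl $current | Format-Table Trustee, CanStart, CanStop, Rights -AutoSize
$starters = Get-NonAdminStarter -Sddl $current
if ($starters) { "WARNING: non-admin principals can start EFS: $($starters.Trustee -join ', ')" }

# 3. The descriptor posted in the thread, decoded before it is trusted. Note that it leaves
#    SERVICE_START with S-1-5-6 (NT AUTHORITY\SERVICE), i.e. with code already running as a service.
$hardened = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;SU)S:(AU;SAFA;DCSDWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $hardened | Format-Table Trustee, CanStart, CanStop, Rights -AutoSize

# 4. Apply: either disable the service outright (what the thread's author did) or keep it for
#    administrators only by installing the hardened DACL. Both need elevation; reboot afterwards.
# Set-Service -Name EFS -StartupType Disabled
# & sc.exe sdset EFS $hardened
# Get-ServiceSddl -Name 'EFS'
```

The decode step is the part worth keeping: "Manual" and "Stopped" say nothing about who may press Start, that lives in the service's DACL, and SERVICE_START (RP, 0x10) is the single bit that decides it. Decoding the posted string also shows exactly what it keeps: SYSTEM gets everything, Administrators get query/change/start/stop but not delete or DAC changes, and the Service logon SID keeps query and start. Run the same decode after sdset to confirm the descriptor took, then reboot as Syrinx advises.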
