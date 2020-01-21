Company fired 300 employees for Christmas due to ransomware attack

Researchers have shown how ransomware that abuses the Windows Encrypting File System (EFS) can slip past anti-ransomware products that rely on signature-based detection, prompting a wave of fixes from major vendors.

On Tuesday, Amit Klein, VP of Security Research at SafeBreach Labs, published research into how the Windows Encrypting File System (EFS) can be abused by ransomware, malware that encrypts a victim's data and demands payment in exchange for restoring access.

EFS is an NTFS feature Microsoft developed as an alternative to BitLocker full-disk encryption: it encrypts individual files or folders rather than whole volumes. SafeBreach's lab investigation found that major antivirus products may not protect a system against ransomware that drives EFS to do the encrypting.

In a blog post, SafeBreach Labs said that of the three major anti-ransomware solutions it tested initially, none stopped the attack.

The products tested were ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861 (a) and Microsoft Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763), running on a Windows 10 virtual machine loaded with content of various file types.

SafeBreach Labs tested whether EFS could be abused by writing its own ransomware variant. To start the attack chain, the ransomware generates a key and a certificate, adds the certificate to the user's personal certificate store, sets the new key as the current EFS key, and invokes EFS encryption on the files or folders it is targeting.

The next step is to read the key file into memory and delete it from disk, removing it from %APPDATA%\Microsoft\Crypto\RSA\<user SID>\ and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\. EFS data is then flushed from memory, which leaves the "encrypted files unreadable to the user (and the operating system)," the team said.

Optionally, the malware then wipes slack areas of the disk so the deleted key material cannot be carved back, and encrypts the key file data with a public key hard-coded in the ransomware. At this point the encrypted key data could also be sent to the attacker's command and control (C2) server.

According to the researchers, EFS encryption is performed in the kernel, inside the NTFS driver, so it may go unnoticed by the file system filter drivers that anti-ransomware products use to watch file writes. No user interaction or administrative rights are required.

However, Windows displays a padlock icon on encrypted files, which can tip victims off that something is wrong, and if a Data Recovery Agent (DRA) is configured, recovery can be "trivial," the team says.

SafeBreach Labs developed Proof of Concept (PoC) code and shared it, with a report, with 17 security vendors. That disclosure revealed that more products were affected than originally thought.

Below is an overview of each vendor, its exposure and any action taken:

Avast, Antivirus: "We have implemented a temporary solution for version 19.8." Avast also awarded the researchers a $1000 bounty.

Avira, Antivirus: "We have examined this potential vulnerability in detail. Although we appreciate the reports on this potential vulnerability, we believe that this potential bypass, which depends on a modified usage scenario, is not a realistic failure point."

Bitdefender: "Starting today (January 10), the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 24.0.14.85. On Bitdefender Free Edition, the fix is only in reporting mode, which is required for tuning in the future."

Check Point, SandBlast Agent: "A solution to the problem will be available in the next monthly release."

D7xTech, CryptoPrevent Anti Malware: vendor acknowledged the report on July 5; status unknown.

ESET, Ransomware Shield technology products: "In June 2019, ESET was notified of a possible security bypass of its consumer, enterprise and server products for Windows through the standard Windows API EncryptFile. ESET was able to validate the underlying method used. To fix this, we are now rolling out an update to mitigate the bypass and would like to kindly request all customers to consult Customer Advisory 2020-0002 for more information about the bypass mitigation options published in this report."

F-Secure, Internet Security (with DeepGuard) | SAFE: already detected as suspicious (W32/Malware!Online and Trojan.TR/Ransom.Gen).

GridinSoft, GS Anti-Ransomware (beta): "We released a free beta test version of the program in 2016. Since then it has not been updated and the main version of the product has not been published. Since the program was last updated in 2016, it is more than logical that it protects against those ransomware families that were popular until 2016."

IObit, Malware Fighter: a fix is available in version 7.2.

Kaspersky (all): all products have been updated to protect against the technique.

McAfee, Endpoint Products: "McAfee has released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on January 10. This applies to both our Enterprise and Consumer products. The AV DATs are automatically updated and customers can view the version of the DATs through the user interface of the product. Enterprise customers using MVISION EDR have a detection rule available from January 10 that is triggered when some variations of this Proof of Concept are executed. The administrator can then scan their machines for other instances of the malware and block the execution or remove the malware."

Microsoft, Windows Controlled Folder Access: "Microsoft regards Controlled Folder Access as a defense-in-depth feature. We have rated this submission as a moderate-class defense-in-depth issue that does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider this in a future product."

Panda Security, Panda Adaptive Defense | Panda Dome Advanced: "Our security approach for the Panda Adaptive Defense product line is not based on patterns, but on classifying all files/processes running at the endpoint. Any attack with unknown files/processes is therefore detected and blocked."

Sophos, Intercept X Endpoint | CryptoGuard: "We have updated Sophos Intercept X and all customers who use this product are protected."

Symantec, Endpoint Protection: "We have pushed two detection signatures to fix the problem. Both signatures have been pushed to all endpoints through our LiveUpdate."

Trend Micro, Apex One | RansomBuster: "Trend Micro is currently researching and working on implementing some improvements to our endpoint protection products with anti-ransomware capabilities to prevent this type of attack (ETA still under development). In the meantime, we recommend switching EFS off if it is not in (sic) use."

Webroot, SecureAnywhere AV: "We appreciate that SafeBreach brings this new technique to our attention. Although we have not yet seen this technique in the wild, we can now provide our threat researchers with information to combat it in the future."

One mitigation is for administrators to disable EFS, either through registry keys on individual machines or through Group Policy in enterprise environments. Where EFS is actively and legitimately used, however, disabling it removes file protection that may be required, so the setting should not be switched off blindly.
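The following PowerShell script is an added example, written for this page and not SafeBreach's PoC or any vendor's code, that turns the two defensive points above (the padlock tell-tale and the disable-EFS mitigation) into something an administrator can run. It reports whether EFS is disabled by policy, whether a Data Recovery Agent policy is present, and which files under a path have newly gained the NTFS Encrypted attribute since the last run, which is the footprint the PoC leaves. The EfsConfiguration and NtfsDisableEncryption value names are Microsoft's; the DRA policy key, the baseline file location and the alert threshold are assumptions made for illustration.

```powershell
#requires -Version 5.1
# Added audit script for the EFS-based ransomware technique described above.
# Read-only unless Disable-EfsOnHost is called explicitly.

function Get-EfsPolicyState {
    # EfsConfiguration = 1 is the value Group Policy writes to turn EFS off;
    # NtfsDisableEncryption = 1 is what `fsutil behavior set disableencryption 1` writes.
    $efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $fsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $cfg = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    $nd  = (Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
    [pscustomobject]@{
        EfsConfiguration      = $cfg
        NtfsDisableEncryption = $nd
        EfsDisabled           = ($cfg -eq 1) -or ($nd -eq 1)
    }
}

function Test-EfsRecoveryAgentPolicy {
    # Assumption: DRA certificates deployed by the "Encrypting File System" policy
    # are stored under this key. Without a DRA, files encrypted with a key the
    # ransomware has destroyed cannot be recovered, which is the PoC's endgame.
    $draKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
    $certs = @(Get-ChildItem -Path $draKey -ErrorAction SilentlyContinue)
    [pscustomobject]@{ DraCertificateCount = $certs.Count; DraConfigured = ($certs.Count -gt 0) }
}

function Get-EfsEncryptedFile {
    # The Encrypted attribute is what Explorer renders as the padlock icon.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

function Compare-EfsBaseline {
    # Snapshot-based detection: the first run records which files under $Path are
    # EFS-encrypted; later runs report files that became encrypted since. A large
    # jump between two runs is the PoC's behaviour (it encrypts whole folders in
    # one pass), whereas legitimate EFS use is usually gradual. $Threshold is
    # illustrative; tune it to the host.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile,
        [int]$Threshold = 50
    )
    $now = @(Get-EfsEncryptedFile -Path $Path | ForEach-Object FullName)
    if (-not (Test-Path -LiteralPath $BaselineFile)) {
        ConvertTo-Json -InputObject $now | Set-Content -LiteralPath $BaselineFile
        return [pscustomobject]@{ BaselineCreated = $true; NewlyEncrypted = @(); Alert = $false }
    }
    $before = @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)
    $new = @($now | Where-Object { $before -notcontains $_ })
    ConvertTo-Json -InputObject $now | Set-Content -LiteralPath $BaselineFile
    [pscustomobject]@{
        BaselineCreated = $false
        NewlyEncrypted  = $new
        Alert           = ($new.Count -ge $Threshold)
    }
}

function Disable-EfsOnHost {
    # The mitigation from the article, applied locally. Only run this where EFS is
    # not legitimately in use: it blocks new EFS encryption but does not undo
    # encryption already applied. Needs an elevated prompt; takes effect after a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    if ($PSCmdlet.ShouldProcess($efsKey, 'Set EfsConfiguration = 1')) {
        New-ItemProperty -Path $efsKey -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage (paths are assumptions; run Compare-EfsBaseline on a schedule):
Get-EfsPolicyState
Test-EfsRecoveryAgentPolicy
Compare-EfsBaseline -Path "$env:USERPROFILE\Documents" -BaselineFile "$env:ProgramData\efs-baseline.json"
# Disable-EfsOnHost -WhatIf   # remove -WhatIf to apply the mitigation
```

Run Compare-EfsBaseline from a scheduled task; the first invocation only writes the baseline, and an Alert of $true on a later run means dozens of files gained the Encrypted attribute since the previous check, which is worth investigating even where EFS is in normal use. Disable-EfsOnHost is deliberately gated behind ShouldProcess so a -WhatIf dry run is the default way to try it.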

"It is clear that, in light of the expected evolution of ransomware, new anti-ransomware technologies must be developed if the ransomware threat is to be contained and held at bay," the researchers say. "Signature-based solutions are not suitable for this task; heuristic-based (and even more so generic technology-based) solutions look promising, but additional proactive research is required to 'train' them against future threats."

