New EFS Ransomware Attack Uses Windows Encrypting File System Against Itself

The newly spotted form of ransomware takes advantage of encryption capabilities built into Windows, making it difficult for AV vendors to stop it.

The Windows Encrypting File System (EFS) is Microsoft’s alternative to full disk encryption provided by BitLocker for business versions of the Windows OS. While BitLocker encrypts an entire drive, EFS selectively encrypts desired files and folders.

Sound familiar? It should, as it’s the very same kind of encryption performed by most strains of ransomware. In the case of EFS Ransomware, its creators saw the similarities and found a way to leverage it.

What makes this ransomware strain so sinister is that it is purely “living off the land”, using Windows and its EFS against itself, without needing to download a payload executable that performs the encryption. Instead, using built-in Windows APIs, this new form of ransomware performs the following tasks:

  • Generates an encryption key
  • Generates a certificate and adds it to the user’s personal store
  • Sets the EFS key to the newly generated one
  • Encrypts files and folders
  • Saves the key to memory and deletes it from the file system
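As an added, defender-side example (not code from the original post or from the researchers), this PowerShell inventory surfaces the traces the task list above would leave on a host: freshly issued EFS certificates in the user's personal store, files carrying the Encrypted attribute together with the certificate that protects them, and whether EFS is disabled host-wide. The $Root and $RecentDays parameters and the 7-day window are assumptions.

```powershell
# Added example: inventory EFS state on a Windows host from a defender's viewpoint.
# Assumptions: run as the user profile being checked (elevated for fsutil changes);
# $Root and $RecentDays are hypothetical parameters chosen for this example.
param(
    [string]$Root = $env:USERPROFILE,   # tree to scan for EFS-encrypted files
    [int]$RecentDays = 7                # flag EFS certificates issued within this window
)

# 1. EFS certificates in the user's personal store (the store the malware populates).
#    The "Encrypting File System" enhanced key usage OID is 1.3.6.1.4.1.311.10.3.4.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }

$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($c in $efsCerts) {
    $flag = if ($c.NotBefore -gt $cutoff) { 'RECENT' } else { 'ok' }
    '{0,-6} thumbprint={1} subject={2} issued={3:u}' -f $flag, $c.Thumbprint, $c.Subject, $c.NotBefore
}

# 2. Files with the Encrypted attribute under $Root, each paired with the certificate
#    thumbprint that can decrypt it (cipher /c prints this per file).
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

"EFS-encrypted files under ${Root}: $($encrypted.Count)"
foreach ($f in ($encrypted | Select-Object -First 20)) {
    $info = (cipher.exe /c $f.FullName 2>$null) -join ' '
    # cipher prints the thumbprint as 10 groups of 4 hex digits
    $thumb = if ($info -match 'Certificate thumbprint:\s*((?:[0-9A-F]{4}\s?){10})') {
        $Matches[1] -replace '\s', ''
    } else { 'unknown' }
    '{0}  cert={1}' -f $f.FullName, $thumb
}

# 3. Whether EFS is administratively disabled on this host, the setting that stops
#    EFS-based encryption outright; check your own policy before changing it.
fsutil.exe behavior query disableencryption
# To disable EFS:  fsutil.exe behavior set disableencryption 1   (takes effect after reboot)
```

A RECENT certificate combined with a sudden rise in the encrypted-file count, where the organisation does not otherwise use EFS, is the signal worth alerting on.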

The researchers at SafeLabs tested out three major AV solutions and found all three to fail in stopping an attack from EFS Ransomware. The news of this new form of ransomware has antivirus vendors scrambling to provide updates to stop this ransomware in its tracks.

Within a short period of time, it’s likely AV solutions will have updates in place. But the bigger issue here is what this latest attack represents: an unforeseen attack method. Ransomware infections usually require the intervention of an unsuspecting user who falls for a phishing attack, so putting preventive measures in place to keep that from happening is necessary. Security Awareness Training is an effective way to educate users on the kinds of cyberthreats that exist (including ransomware), how attacks can occur (e.g. via phishing), and what to look for to determine whether an email is suspicious. More technical detail at Bleepingcomputer.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
