The newly spotted form of ransomware takes advantage of encryption capabilities built into Windows, making it difficult for AV vendors to stop it.
The Windows Encrypting File System (EFS) is Microsoft’s alternative to full disk encryption provided by BitLocker for business versions of the Windows OS. While BitLocker encrypts an entire drive, EFS selectively encrypts desired files and folders.
Sound familiar? It should, as it’s the very same kind of encryption performed by most strains of ransomware. In the case of EFS Ransomware, its creators saw the similarities and found a way to leverage it.
What makes this ransomware strain so sinister is that it is purely “living off the land”, using Windows and its EFS against itself, with no need to download a payload executable that performs the encryption. Instead, using built-in Windows APIs, this new form of ransomware performs the following tasks:
- Generates an encryption key
- Generates a certificate and adds it to the user’s personal store
- Sets the EFS key to the newly generated one
- Encrypts files and folders
- Saves the key to memory and deletes it from the file system
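As an added example (not from the original post or the researchers' code), here is a PowerShell host check a defender could run for the traces those steps leave behind: an EFS certificate recently added to the user's personal store and a burst of files carrying the Encrypted attribute. The paths, lookback window and file-count threshold are assumptions.

```powershell
# Added detection example, not from the original post. Assumes Windows PowerShell 5+
# with the Cert: drive available; $Paths, $LookbackMinutes and the threshold are assumptions.
param(
    [string[]]$Paths = @($env:USERPROFILE),
    [int]$LookbackMinutes = 60
)
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID Windows assigns to EFS certificates
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)

# Trace of "generates a certificate and adds it to the user's personal store":
# EFS-capable certificates whose validity start falls inside the lookback window.
$newEfsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku -and $_.NotBefore -ge $since })

# Trace of "encrypts files and folders": files with the Encrypted attribute set and a
# recent last-write time (a user-side EFS run touches a handful; ransomware touches many).
$recentEncrypted = @(foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -and $_.LastWriteTime -ge $since }
})

# Is EFS disabled host-wide? EfsConfiguration = 1 under this key turns EFS off, which is
# the blunt mitigation for hosts that never use EFS legitimately.
$efsKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$efsDisabled = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration -eq 1

[pscustomobject]@{
    NewEfsCertificates   = $newEfsCerts.Count
    RecentEncryptedFiles = $recentEncrypted.Count
    EfsDisabledByPolicy  = $efsDisabled
    # Threshold of 20 files is an assumption; tune it to the baseline EFS use in your estate.
    Suspicious           = ($newEfsCerts.Count -gt 0 -and $recentEncrypted.Count -gt 20)
}
```

Run it under the affected user's context, since EFS certificates live in the per-user store; `cipher.exe /u /n` gives an independent listing of EFS-encrypted files for cross-checking.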
The researchers at SafeLabs tested three major AV solutions and found that all three failed to stop an attack from EFS Ransomware. The news of this new form of ransomware has antivirus vendors scrambling to provide updates to stop it in its tracks.
Within a short period of time, it’s likely AV solutions will have updates in place. But the bigger issue here is what this latest attack represents: an unforeseen attack method. Ransomware infections usually require the intervention of an unsuspecting user who falls for a phishing attack, so putting preventative measures in place to keep that from happening is necessary. Security Awareness Training is an effective way to educate users on the kinds of cyberthreats that exist (including ransomware), how attacks can occur (e.g. via phishing), and what to look for to determine whether an email is suspicious. More technical detail at Bleepingcomputer.