Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    New EFS Ransomware Attack Uses Windows Encrypting File System Against Itself

    WEFS-GrapicThe newly-spotted form of ransomware takes advantage of encryption capabilities built into Windows making it difficult for AV vendors to stop it.

    The Windows Encrypting File System (EFS) is Microsoft’s alternative to full disk encryption provided by BitLocker for business versions of the Windows OS. While BitLocker encrypts an entire drive, EFS selectively encrypts desired files and folders.

    Sound familiar? It should; as it’s the very same kind of encryption performed by most strains of ransomware. In the case of EFS Ransomware, its’ creators saw the similarities and found a way to leverage it.

    What makes this ransomware strain so sinister is that it is purely “living off the land”, using Windows and its’ EFS against itself, not needing to download a payload executable that performs the encryption. Instead, using built-in Windows APIs, this new form of ransomware performs the following tasks:

    • Generates an encryption key
    • Generates a certificate and adds it to the user’s personal store
    • Sets the EFS key to the newly generated one
    • Encrypts files and folders
    • Saves the key to memory and deletes it from the file system

    The researchers at SafeLabs tested out three major AV solutions and found all three to fail in stopping an attack from EFS Ransomware. The news of this new form of ransomware has antivirus vendors scrambling to provide updates to stop this ransomware in its tracks.

    Within a short period of time, it’s likely AV solutions will have updates in place. But the bigger issue here is what this latest attack represents: an unforeseen attack method. Ransomware infections usually require the intervention of an unsuspecting user that falls for a phishing attack. So, putting preventative measures to keep that from happening are necessary. Security Awareness Training is an effective way to educate users on the kinds of cyberthreats that exist (including ransomware), how attacks can occur (e.g. via phishing), and what to look for to determine if an email is suspicious or not.  More technical detail at Bleepingcomputer.

     

    Return To KnowBe4 Security Blog

    Free Ransomware Simulator Tool

    Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

    KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

    RansIm-Monitor3Here's how it works:

    • 100% harmless simulation of real ransomware and cryptomining infections
    • Does not use any of your own files
    • Tests 25 types of infection scenarios
    • Just download the install and run it 
    • Results in a few minutes!

    Get RanSim!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/ransomware-simulator

    Topics: Security Awareness Training, Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews