WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

The encryption technology Microsoft uses to protect Windows file systems can be exploited by ransomware. So says the research team at Safebreach Labs, which has demonstrated how file-scrambling software nasties can not only tap into the Windows Encrypting File System but also avoid anti-malware tools. Safebreach veep of …

  1. Frank Bitterlich

    This fails to surprise me...

    OK, so what's the takeaway from this finding? Is it that system-provided encryption is good enough that it is useful for the bad guys, too? Kind of obvious for me.

    I don't think that any "anti-ransomware" can ever be effective by controlling if/which encryption functions are used. If you got a process running on your machine that you don't want, you're compromised. Trying to control whether that process uses specific functions/techniques is kind of missing the point. At this point, your best anti-ransomware is probably that offline backup that you made last week.

    1. Mage Silver badge

      Re: This fails to surprise me...

      Yes, a daft warning.

      Whether the criminals or vandals can use a built in function or supply their own is irrelevant unless they are inept at choosing and deploying encryption.

      Also don't back up over the last backup as everything might ALREADY be encrypted but with the "automatic" key later removed by command or date.

      I archive backups.

      1. steviebuk Silver badge

        Re: This fails to surprise me...

        Be anal like I had been doing (I need to start again as I got lazy).

        Monday full backup

        Tues-Thurs - incremental backups

        Fri - Full 1-week backup.

        Repeat for 3 weeks.

        4th week the Friday week backup becomes - Month 1 backup.

        Repeat for 3 months, so then you always have 3 months worth of backups. Then start overwriting after the 3 months. You could also add taking one large full backup and keep that as a year backup, obviously will be out of date but better than nothing.

        1. John Brown (no body) Silver badge

          Re: This fails to surprise me...

          Not sure about anal, or if it's standard practice today, but back in the days of MS-DOS PCs and Netware servers, that was pretty much the standard practice in most places, at least in the small to medium businesses that I had dealings with. Smaller ones might have rolled around each month simply for cost reasons rather than keeping three months' worth of backups. Either way, companies with Netware/MS-DOS networks were generally companies who had computerised properly for the first time, so usually were set up by someone who knew what they were doing and a proper backup regime was set up as part of the installation/service. Likely that third party would also be doing their support and there was no one on site who understood enough to make decisions overriding the process. Things were done because the installers had told them that's how it should be done.

    2. fidodogbreath Silver badge

      Re: This fails to surprise me...

      At this point, your best anti-ransomware is probably that offline backup that you made last week.

      And not opening dodgy email attachments.

      1. Halfmad

        Re: This fails to surprise me...

        and not having domain admins browsing the internet using IE 11.

  2. amanfromMars 1 Silver badge

    The Gazillion Dollar Question

    SafeBreach said that, prior to publishing the report, it had been in contact with 17 of the larger anti-ransomware tool developers to provide an advance notice and get detection for EFS malware added.

    How's that operation progressing towards success?

    1. The Man Who Fell To Earth Silver badge

      Re: The Gazillion Dollar Question

      If you go to the link on the article, they give the names and responses of the 17.

  3. EnviableOne Silver badge

    Haven't tried Sophos Intercept X

    Cryptoguard would identify multiple attempted encryptions and flag this bad behaviour, and revert the changes, killing the responsible process.

    1. Cl9

      Re: Haven't tried Sophos Intercept X

      Isn't the point of this article that given it's Windows itself doing the encryption, nothing is stopping it?

      1. Yet Another Anonymous coward Silver badge

        Re: Haven't tried Sophos Intercept X

        Obvious solution: every time something writes to an encrypted filesystem, put up a UAC box saying "system.dll access to encrfs.dll, allow Y/N"; then your grandmother can safely use her PC.

        1. A.P. Veening Silver badge

          Re: Haven't tried Sophos Intercept X

          You are forgetting granny is already conditioned to press "Y" whenever that comes up.

          1. Yet Another Anonymous coward Silver badge

            Re: Haven't tried Sophos Intercept X

            >You are forgetting granny is already conditioned to press "Y" whenever that comes up.

            But then that's the user's fault

        2. Cl9

          Re: Haven't tried Sophos Intercept X

          Might be a bit painful if you've got your whole drive encrypted with it :P

        3. steviebuk Silver badge

          Re: Haven't tried Sophos Intercept X

          UAC has been easily bypassed for years now.

      2. Mage Silver badge

        Re: Haven't tried Sophos Intercept X

        Windows or some other encryption tool is irrelevant. If your system is compromised, then any AV or UAC has already failed.

        That's why AV isn't a first line of defence. First is script blocking and all autorun (net shares and USB storage / USB HID etc.) disabled. Second is education of the user. Third is a decent backup strategy.

        Get those right and AV and UAC are not that important. Windows encryption is irrelevant to the risks. From the point of view of system repair and fine-grained security access, a per-user password with folder/directory-based encryption is more sensible than entire-disk encryption. Also don't rely on TPM.

        Do not put all the passwords in a spreadsheet either on a PC or MS Cloud. Paper in a safe. Also, like backups, a secured off site copy.

        1. Pascal Monett Silver badge

          Yeah, but that second point is the weakness in your scheme.

          Not that I disagree with your scheme. Not at all.

  4. NetBlackOps Bronze badge

    If I recall correctly, doesn't Microsoft have the key tied to your Microsoft account? That's one of the reasons I don't use their encryption in the first place!

    1. Yet Another Anonymous coward Silver badge

      Only if you back it up to your Microsoft account; if you aren't logged in, this isn't automatic.

      Microsoft claim not to have a copy otherwise <tin foil hat mode>

    2. Sandtitz Silver badge

      "Microsoft have the key tied to your Microsoft account?"

      The article is about EFS. You're talking about Bitlocker.

      Bitlocker encrypts whole drives whereas EFS can be used by any user to encrypt their own files and folders, whether Bitlocker is in use or not.

      When enabling Bitlocker you need to either print the key, or save it into a file on an external drive or into your MS account if you have one. Azure users also have an option to save it to their Azure account. Bitlocker won't proceed further until the decryption key is printed or saved.

      EFS instead prompts to export the PKCS file when the user first encrypts files, but it is not uploaded anywhere, and saving it is not mandatory.

  5. Lorribot Silver badge

    First off, you should not be turning off encryption; you should be using it. It is a minimum requirement for laptops for GDPR compliance.

    What the article does not explain is if it is using EFS for full disk encryption or individual files. I am guessing the latter, as it talks of EFS rather than Bitlocker.

    Is it also possible to use Bitlocker on a full drive and throw away the key? If you have implemented Bitlocker or other full disk encryption, is EFS blocked anyway?

    Need more info.

    1. phuzz Silver badge

      "Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive."

      From here. And yes, EFS is for individual files, Bitlocker is for whole disks.

  6. Tom 35

    If you are using EFS

    Can they change the key to lock you out, or is this only for systems that are not using EFS?

    1. Anonymous Coward

      Re: If you are using EFS

      If you have policies enabled stating that you need a recovery agent, then the files cannot be encrypted without the recovery agent key being added, so they could remove the current user's files (or all if admin) except the recovery agent. So no.

      So to protect against this, either disable EFS via group policies, or also set "require a recovery agent" and don't add any; then EFS cannot be used, as the keys don't exist.

      With Bitlocker, if that gets brought up, either disable it, or set it so that you require the recovery key to be stored in AD.

      This mostly helps only businesses, but you can set most of this as a normal user using local policies, which an attacker with admin rights can remove.
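One way to act on the advice in this comment, and on Sandtitz's point above that the EFS certificate is only as safe as the copy you export, as an added example that is not code from the thread, from SafeBreach or from Microsoft: a PowerShell script that lists which files under a chosen path are EFS-encrypted and which certificates can decrypt them (the signature of the attack is an encrypted file whose only listed key belongs to nobody you recognise), reads and sets the two registry switches that turn EFS off, backs up the EFS certificate, and checks that BitLocker volumes have a recovery password that can be escrowed to AD. Assumptions, labelled in the code: it runs in an elevated session; `$ScanRoot` is a path of your choosing; the registry values `NtfsDisableEncryption` and `EfsConfiguration` are the ones Windows honours (the first is what `fsutil behavior set disableencryption 1` writes, the second what the EFS group policy writes); `Get-BitLockerVolume` and `Backup-BitLockerKeyProtector` need the BitLocker PowerShell module.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumed: $ScanRoot below is your own choice of directory to audit.

function Get-EfsEncryptedFile {
    # Lists every EFS-encrypted file or folder under $Path, with the certificate
    # owners and thumbprints 'cipher /c' reports for it. An entry whose only
    # thumbprint belongs to no user or recovery agent you know is the ransomware
    # case: readable now, unrecoverable once that key is wiped.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $info = & cipher.exe /c $_.FullName 2>$null
            [pscustomobject]@{
                Path        = $_.FullName
                IsDirectory = $_.PSIsContainer
                # Keep only the lines naming who can decrypt and which certs.
                CanDecrypt  = ($info | Where-Object { $_ -match 'Users who can|Recovery|thumbprint' }) -join ' | '
            }
        }
}

function Get-EfsPolicyState {
    # Reads the two machine-wide switches that disable EFS (assumed value names).
    $fs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    $efs = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NtfsEncryptionDisabled = ($fs.NtfsDisableEncryption -eq 1)   # NTFS driver level, needs reboot
        EfsPolicyDisabled      = ($efs.EfsConfiguration -eq 1)       # what the EFS group policy writes
    }
}

function Disable-Efs {
    # Same effect as 'fsutil behavior set disableencryption 1' plus the policy flag.
    # A standard user cannot write HKLM; an attacker who already has admin can undo this.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
        -Name NtfsDisableEncryption -PropertyType DWord -Value 1 -Force | Out-Null
    New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' `
        -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning 'EFS disabled in the registry; NtfsDisableEncryption takes effect after a reboot.'
}

function Backup-EfsCertificate {
    # Exports the current user's EFS certificate and private key to a PFX
    # ('cipher /x' prompts for a password). Keep the file off the machine.
    param([string]$OutFile = "$env:USERPROFILE\efs-backup")   # assumed default path
    & cipher.exe /x $OutFile
}

function Test-BitLockerRecoveryEscrow {
    # For each encrypted volume, report whether a recovery-password protector
    # exists and, with -BackupToAd, push it to AD so the recovery key does not
    # live only on the box the attacker controls.
    param([switch]$BackupToAd)
    Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } | ForEach-Object {
        $vol = $_
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($BackupToAd) {
            foreach ($p in $rp) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
        }
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            HasRecoveryPassword = ($rp.Count -gt 0)
            ProtectorCount      = $rp.Count
        }
    }
}

# Usage (assumed scan root):
$ScanRoot = "$env:USERPROFILE\Documents"
Get-EfsPolicyState
Get-EfsEncryptedFile -Path $ScanRoot | Format-Table -AutoSize
Test-BitLockerRecoveryEscrow
# Disable-Efs          # only on hosts where EFS is never meant to be used
# Backup-EfsCertificate
```

Note the check is point-in-time: an EFS-encrypted file stays readable while the key is on the machine, so an audit that only looks at whether you can open files will pass until the key is removed. The `CanDecrypt` column is what to alarm on, and a business that has a data recovery agent (as the later comment from Netsecadmin describes) should expect to see that agent's certificate listed on every encrypted file.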

  7. amanfromMars 1 Silver badge

    Trusty Gamekeeper or Systems Busting Poacher?

    Something you may never know for sure if one plays their cards right.

    Ransomware is a serious threat to individuals, SOHOs/SMBs and large enterprises. Consequently, many security solutions are now available, which attempt to address the ransomware threat. In this blog post we describe EFS-based ransomware (ransomware which abuses the Windows Encrypting File System), which is a new concept we developed in Safebreach Labs. ..... Amit Klein, VP Security Research, Safebreach Labs

    Because of the above from Safebreach, one does have to ask if the likes of an Amit Klein is true fine feathered friend or sticky tricky phantom foe, for they can be either or both and something else quite different too.

    Things ain't like they used to be and never will be again. Get used to it unless and/or until you are able to do anything effective about it.

  8. Anonymous Coward

    Incidentally

    The machines at _classified_location have both their USB and Mic/Spk ports enabled.

    You'd think they would learn, this has been known as a vector for years.

    I'm not going to say what OS they are running!

    1. Charles 9 Silver badge

      Re: Incidentally

      Well, given that most computers have speakers attached (meaning the speaker port must be enabled) and lack dedicated keyboard ports (meaning a HID interface, such as USB, must be enabled in order for the computer to be of any use), you're not narrowing the field down much, are you?

      I suppose the next thing you'll say is that the only secure computer is one you cannot use (as even a buried computer can probably be interacted with something like a maser--if not simply stolen).

  9. Netsecadmin

    I agree this is possible on an unmanaged personal Windows system that has no EFS protection policy. All businesses should either have the EFS service disabled or managed. If managed, EFS uses a data recovery key owned by the business that can decrypt any EFS-encrypted data regardless of what other key was used to encrypt. In this case, the ransomware could cause encryption with an external key and cause the logged-in user to lose access. However, the business security team would have the recovery key that can then decrypt all the data and provide access back. Properly managed by the business for business systems, the loss of data is very low risk.


Biting the hand that feeds IT © 1998–2021