Windows 10 Ransomware Protection Bypassed Using DLL Injection October 9, 2018 https://www.bleepingcomputer.com/ne...ware-protection-bypassed-using-dll-injection/
So, what's new? And most predictably and to be expected: https://www.bleepingcomputer.com/ne...led-folder-access-anti-ransomware-protection/
Yeah, I said this would happen when they released this feature. This is why I did not enable it on ANY of the PCs I manage.
Not sure exactly how this particular exploit works, but Windows Defender with ASR can block reflective DLL loading.
This is no surprise at all, but apparently most ransomware doesn't use code injection? I do know they sometimes use process hollowing and from what I understood the "protected folders" feature did protect against this surprisingly. Actually, I don't know if Cruelsister did test this.
This technique will bypass the protected folders feature of all AVs. This kind of feature will always be defeatable. However, the newly improved Windows Defender ASR rules on Windows Pro 1809 with updates will defeat this technique. The ASR rules are not enabled by default, but they are there.
Doesn't this exploit still have to typically start out with the victim opening a malicious attachment or email link?
Most ransomware likely doesn't use code injection. That said, there are other things that do. I guess this is a ransomware discussion but it is far from my only concern.
Easiest way to prevent this bypass is to prevent explorer.exe from being terminated. Also this technique, explorer termination and restarting, has been used in the past by malware. -EDIT- Scratch the above since it really isn't the problem. What the bypass does require is monitoring of what is created in this registry key, HKCU\Software\Classes\CLSID\*. Appears that is feasible since all I have present in that key in Win 10 1803 are references to .dlls and .exes loading from C:\Users\xxxxx\AppData\Local\Microsoft\OneDrive\18.131.0701.0007\amd64\ which does make one wonder since I have uninstalled OneDrive. Also, since this bypass requires registry modification, mitigations for that such as reg command usage and the like are also effective. This bypass does have all the benefits that can be achieved via process hollowing without having to go through the effort to do so.
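An added audit script, not from any post in this thread, for the monitoring the post above proposes: it lists per-user CLSID registrations, flags those that shadow a machine-wide class (the COM hijack pattern) and those whose DLL sits under the user profile, and checks whether the DLL is even present. It assumes Windows PowerShell 5.1 on Windows 10; the function name Get-UserComOverrides is my own.

```powershell
# Added example (not from the thread): audit HKCU COM registrations that can
# override HKLM ones, which is the registry pattern the bypass relies on.
# Assumes Windows PowerShell 5.1+; run in the context of the user being audited.
function Get-UserComOverrides {
    $userClsid    = 'HKCU:\Software\Classes\CLSID'
    $machineClsid = 'HKLM:\Software\Classes\CLSID'
    $findings = @()

    if (-not (Test-Path $userClsid)) { return $findings }

    foreach ($key in Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue) {
        $guid   = $key.PSChildName
        $inproc = Join-Path (Join-Path $userClsid $guid) 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The (default) value of InprocServer32 is the DLL COM will load in-process.
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

        # A matching HKLM key means the per-user entry shadows a system-wide class:
        # any process (explorer.exe included) resolving that CLSID loads the user DLL.
        # Note: 32-bit classes under WOW6432Node are not covered by this check.
        $shadowsMachine = Test-Path (Join-Path $machineClsid $guid)

        # DLLs living in user-writable locations deserve the closest look.
        $userWritable = $dllPath -like "$env:USERPROFILE*"

        $findings += [PSCustomObject]@{
            CLSID          = $guid
            Dll            = $dllPath
            ShadowsMachine = $shadowsMachine
            UserWritable   = $userWritable
            DllExists      = Test-Path -LiteralPath $dllPath -ErrorAction SilentlyContinue
        }
    }
    return $findings
}

# Riskiest first: per-user overrides of machine classes with a DLL under the profile.
Get-UserComOverrides |
    Sort-Object -Property @{Expression='ShadowsMachine'; Descending=$true},
                          @{Expression='UserWritable';   Descending=$true} |
    Format-Table -AutoSize
```

Entries where ShadowsMachine and UserWritable are both true are the ones to compare against a known-good baseline; a DllExists of false is a leftover registration worth cleaning up rather than an active threat.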
They probably don't use standard code injection because this can be spotted by HIPS. But this particular method makes use of modifying a registry key; it's really ridiculous that this is possible in the Windows OS. Yes that's obvious, but ransomware could incorporate this technique, that is what's worrying.