Windows EFS Feature May Help Ransomware Attackers

Discussion in 'malware problems & news' started by mood, Jan 21, 2020.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Signature-based software may not be enough to protect Microsoft’s Windows EFS against evolving ransomware families
    Windows EFS Feature May Help Ransomware Attackers
    January 21, 2020
    https://www.bleepingcomputer.com/news/security/windows-efs-feature-may-help-ransomware-attackers/
    SafeBreach: EFS Ransomware
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Antivirus vendors push fixes for EFS ransomware attack method
    January 21, 2020
    https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ransomware-attack/
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,676
    Location:
    Italy
    The service EFS is also present in my W.10 Home.
    Stopped - manually.
    It can also be started from SUA.
    I have disabled the service.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,928
    Location:
    U.S.A.
    If you are using a password manager or a similar app, this will surely bust it.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,928
    Location:
    U.S.A.
    Per the zdnet.com article, this Microsoft "tidbit" in regards to WD:
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,676
    Location:
    Italy
    Hi itman :thumb:, read this much more accurate article:

    https://safebreach.com/Post/EFS-Ransomware

    Yet in my W.10 Home the EFS service is present.

    Stopped - Manual
    When I tried to start the service, it was no longer possible to stop it.
    I had to use the command prompt as an administrator:

    sc config EFS start= demand

    reboot pc

    The "sc" command must therefore also be monitored.
    OSA has an ad hoc rule.

    P.S. I don't use a password manager or similar app.

    :)
     
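    The procedure in the post above (check the EFS service, change its start type, reboot) as an added PowerShell example; this is not code from the thread or from any of the linked articles. It assumes an elevated session on Windows 8.1/10, the service name EFS used by the `sc config EFS start= demand` command, and the registry Start values 2/3/4 behind the names the Services console shows; as itman noted earlier, disabling EFS breaks any app that relies on EFS-encrypted files.

```powershell
# Added example (not from the thread): audit the EFS service and, if wanted, disable it.
# Assumes an elevated PowerShell session; service name "EFS" as in "sc config EFS start= demand".
$svcName = 'EFS'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Registry Start values behind the names shown in services.msc ("Manual" == "demand").
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-EfsServiceState {
    $svc   = Get-Service -Name $svcName -ErrorAction Stop
    $start = (Get-ItemProperty -Path $regPath -Name Start).Start
    [pscustomobject]@{
        Service   = $svcName
        Status    = $svc.Status                    # Running / Stopped
        StartType = $startNames[[int]$start]       # Automatic / Manual / Disabled
        StartRaw  = $start
    }
}

function Disable-EfsService {
    # Try to stop a running instance; the post reports this can fail once EFS has been
    # started, so report it instead of aborting. The start type change persists and takes
    # full effect after the reboot the post recommends.
    $svc = Get-Service -Name $svcName
    if ($svc.Status -eq 'Running') {
        try   { Stop-Service -Name $svcName -Force -ErrorAction Stop }
        catch { Write-Warning "Could not stop $svcName now; reboot after changing the start type." }
    }
    # Same effect as "sc config EFS start= disabled": the service can no longer be demand-started.
    Set-Service -Name $svcName -StartupType Disabled
}

$before = Get-EfsServiceState
"Before: $($before.Status), start type $($before.StartType) (Start=$($before.StartRaw))"

if ($before.StartType -ne 'Disabled') {
    Disable-EfsService
    $after = Get-EfsServiceState
    "After:  $($after.Status), start type $($after.StartType) (Start=$($after.StartRaw))"
}
```

    Running only the `Get-EfsServiceState` part is enough to check whether a machine still has EFS set to Manual, which is the state both posters found on Windows 10 Home.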
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,928
    Location:
    U.S.A.
    This POC EFS attack notwithstanding, EFS has an existing vulnerability:
    https://www.thewindowsclub.com/encrypting-file-system-efs-windows-10

    Now we have to wait for a BitLocker POC vulnerability...
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,676
    Location:
    Italy
    @itman

    Read the 3D below:

    https://malwaretips.com/threads/windows-efs-feature-may-help-ransomware-attackers.97946/#post-855303
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,928
    Location:
    U.S.A.
    I am not worried about this vulnerability since my AV detects the exploit attempt; unlike WD.

    I was researching the POC yesterday and at least one API employed requires SMB v3.0+. This would indicate that pre-Win 8.1 OS versions are not vulnerable.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,700
    Location:
    The Netherlands
    Yes, it's also on Win 8.1 Home, probably best to disable it.
     