Living off the land – EFS Ransomware

Attackers have responded to improved security against malware in Windows environments by “living off the land” (LOTL) – using the tools already present in the operating system to do their dirty work. After all, if you use an operating system component, you are much less likely to trigger alarms.

There is a whole “LOTL ecosystem” out there – to get an idea of how LOTL attacks operate, click on over to this Github repository for scripts and documentation.

Security firm SafeBreach recently revealed some research they have done with Windows’ Encrypting File System (EFS) – the code which allows you to secure your files and directories with (you got it) encryption. Being the evil, clever people that they seem to be, they thought about how a ransomware author could leverage this capability to lock you out of your files.

It is actually quite easy… simply generate a random encryption key, tell the OS to encrypt the targeted files or folders (like, say “My Documents”) and then erase all traces of the key from disk and memory. Easy peasy and most of the work is being done by authorized, straight outta Redmond code. In their testing, they were able to do this without triggering anti ransomware protections in a number of popular products.

The good news is that they shared this information with the vendors, so that they can improve their products.

The bad news is that LOTL attacks are here to stay and very hard to detect and prevent. Detection requires an understanding of not only what a process is doing, but also the context in which it is being done. I smell an opportunity for machine learning here… most of us use our computers to do the same set of tasks most of the time and being able to pick out processes which are doing anomalous things seems like the key to mitigating this risk.

In the mean time, learn about how attackers live off the land before they get a foothold in your network…

Leave a Reply