EFS Ransomware encrypts data with a forged certificate

Attack on the Windows Encrypting File System

Researchers developed a new ransomware that can be used to encrypt data on a Windows system using the Windows Encrypting File System.

There is already a proof-of-concept attack strategy using Windows on-board tools.

The ransomware generates a new key pair (private and public key) on the affected system and then encrypts the user's data. It then deletes the key pair and uploads the public key needed to decrypt the data to the attacker's server.

The user (victim) is therefore dependent on the public key that is required to decrypt the data.

The process is as follows:

Using AdvApi32!CryptGenKey, the same API EFS itself relies on, the ransomware generates a key. It then creates a certificate for that key with Crypt32, stores it in the user's personal certificate store and prepares it for use by EFS. From then on the ransomware can encrypt every file through AdvApi32.

After all data has been encrypted, the ransomware destroys every trace of the key file that was used to encrypt the data:

  • %APPDATA%\Microsoft\Crypto\RSA\<SID of the user>
  • %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\
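The end state described above (an EFS certificate left in the personal store whose key container has been wiped, next to files carrying the NTFS encrypted attribute) can be checked for on a suspect host. The following triage script is an added example, not code from the article or from SafeBreach; it assumes only stock Windows PowerShell 5.1 or later, run in the context of the affected user.

```powershell
# Added triage example: does this user profile show the pattern the article describes?
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # OID of the "Encrypting File System" enhanced key usage

function Get-EfsCertificateStatus {
    # EFS certificates in Cert:\CurrentUser\My, with a real attempt to open the private key.
    # A certificate whose key can no longer be opened is what a deleted key container leaves behind.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions['2.5.29.37']          # id-ce-extKeyUsage
        if (-not $ekuExt) { return }
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuExt, $false)
        if (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains $EfsEku) { return }
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyState = if ($key) { 'present' } else { 'absent' }
        } catch {
            # Typical when the key file under %APPDATA%\Microsoft\Crypto\RSA\<SID> is gone
            $keyState = "unopenable ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore            # a brand-new self-signed EFS cert is worth a look
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            PrivateKey = $keyState
        }
    }
}

function Get-EfsEncryptedFileCount {
    param([string]$Root = $env:USERPROFILE)
    # Files with the NTFS "encrypted" attribute, i.e. what EFS (legitimate or not) produced
    @(Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }).Count
}

function Get-EfsKeyContainerState {
    # The two key-container directories named in the article
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($p in @((Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"),
                     (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'))) {
        $n = @(Get-ChildItem -Path $p -File -Force -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Path = $p; Exists = (Test-Path $p); KeyFiles = $n }
    }
}

Get-EfsCertificateStatus | Format-Table -AutoSize
Get-EfsKeyContainerState | Format-Table -AutoSize
"EFS-encrypted files under $env:USERPROFILE: $(Get-EfsEncryptedFileCount)"
```

An EFS certificate reported as unopenable or absent, together with an empty user key container and a large encrypted-file count, is the combination to escalate; whether GetRSAPrivateKey throws or returns null for a missing key depends on the .NET runtime, which is why both cases are reported.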

More information on the website of SafeBreach
