
Ransomware Protection Full Of Holes

BSides Tallinn · 2023 · 35:14 · 108 views · Published 2023-10
Speakers: Soya Aoyama
Category: Technical
Style: Talk
About this talk
Find out more here - https://tallinn.bsides.ee/2023/

In the fall of 2017, in response to the WannaCry outbreak, Microsoft implemented Ransomware Protection in Windows 10 as a countermeasure. The basis of Windows Ransomware Protection is Controlled Folder Access, but this feature is full of holes, and many researchers have pointed out various flaws. However, Microsoft says that it is a defense-in-depth security feature and is not subject to bug bounties. In 2021, Forbes published an article titled "Windows 10's Ransomware Protection Is Effective for Protection" (although the title seems to have already changed). To show that the article was wrong, I decided to recheck on Windows 11 my past research that injects a malicious DLL into File Explorer and encrypts files. It then turned out that Microsoft had secretly fixed this issue, and files could not be encrypted with my method. I was very frustrated, so I started looking for other holes in Ransomware Protection and found a new, ridiculous bypass method. In this talk, I will show the previous bypass method, the new ridiculous bypass method, as well as remote attacks using other vulnerabilities, with demonstration videos. It is so simple that anyone can easily imitate it, but please never create ransomware using this method.

Soya Aoyama is a cybersecurity researcher and Global Fujitsu Distinguished Engineer. Soya worked as a Windows software developer at Fujitsu for over 20 years, developing NDIS drivers, Bluetooth profiles, WinSock applications, and more. Soya started working in security research in 2015, mainly researching attacks using Windows DLLs, and has spoken at a number of international hacker conferences, including GrrCON, DerbyCon, LeHack, and BSidesLV, and was also a mentor at BSidesLV. Soya is one of the founders of BSides Tokyo, and has been involved with the organization since its first edition in 2018.
Transcript [en]

Hello everyone. I'm Soya Aoyama from Fujitsu Defense and National Security Limited. I'm a security researcher, a Global Fujitsu Distinguished Engineer, and, aside from the company, a founder and organizer of BSides Tokyo. I've been working for Fujitsu for more than 20 years as a software developer for Windows. I have developed NDIS drivers, Bluetooth profiles, Windows applications and more. I started doing security research in 2015 and I have presented at many conferences, but this is my first time at BSides Tallinn. Thank you. Okay, today I give a presentation called "Ransomware Protection Full of Holes".

May 12th, 2017. Remember? Yes, it's the day of the WannaCry cyber attack. WannaCry caused tremendous damage all over the world. It spread beyond Europe and, according to one theory, eventually affected about 230,000 computers worldwide in over 150 countries, and the total damage is estimated to be 4 billion dollars. Microsoft had an answer to the ransomware represented by WannaCry: it's literally called Ransomware Protection. Microsoft added this feature with the Windows 10 Fall Creators Update released in 2017. The feature is called Controlled Folder Access and blocks ransomware and other malicious apps from accessing files in real time.

Let's take a look at the details. The foundation of Windows Ransomware Protection is Controlled Folder Access, which consists of Protected folders and Allow an app through Controlled folder access. In addition, Controlled Folder Access is disabled by default, and you need administrative privileges to enable it as well as to disable it, so you cannot easily change the settings. Protected folders are folders that are protected by Ransomware Protection, and apps that you do not allow cannot access them. You can add folders that you want to protect. Note that default protected folders such as Documents and Pictures are already included even if you do not specify them. Allow an app through Controlled folder access lists apps that can access protected folders. We can also add apps. It says apps that are determined by Microsoft as friendly are always allowed, but they are not shown by default.

This is how Microsoft has implemented Ransomware Protection for Windows, but unfortunately it's full of holes, and many researchers are working on ways to bypass it. This is a technique to bypass Controlled Folder Access that uses Office, by exploiting the inclusion of Office apps in the whitelist. This technique involves writing the encrypted data from memory to new files and replacing the original file with a rename call. This technique takes advantage of the fact that security features are disabled when Windows is started in safe mode.

Finally, here is my previous research, related to DLL injection. In 2018 I was researching Ransomware Protection. Of course, apps that are not included in Allow an app through Controlled folder access cannot access protected folders. However, I found that File Explorer can access protected folders. This means that if I can somehow inject a malicious DLL into File Explorer, I can bypass Ransomware Protection.

By the way, are you familiar with MITRE ATT&CK? This is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It describes Component Object Model hijacking as a technique for inserting malicious code in place of legitimate software. Since COM objects are managed in the registry, it's possible to hijack them by editing the registry to reference a malicious payload inserted over a legitimate COM object. All that remains is to find the target COM object in the registry. Under ContextMenuHandlers in the registry are the menus that appear when you right-click in File Explorer. I focused on this GUID. If you search for this GUID in the registry, it appears under CLSID, so this GUID is the CLSID that identifies the COM object, and the default value for InprocServer32 is shell32.dll.

If you change this to a malicious DLL, you can inject it into File Explorer, but you cannot change this value directly, because this is a merged view of HKEY_CLASSES_ROOT. As described in MSDN, the merged view of HKEY_CLASSES_ROOT shows the merged values of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and if both values are present, HKEY_CURRENT_USER takes precedence. HKEY_LOCAL_MACHINE has a value for this CLSID, but HKEY_CURRENT_USER does not even have the key. Therefore, adding a value to HKEY_CURRENT_USER will change the value of HKEY_CLASSES_ROOT. So, write a batch file with a command to add the path of the malicious DLL to HKEY_CURRENT_USER and a command to restart File Explorer. When File Explorer is restarted, it loads the malicious DLL. The malicious DLL is executed in the File Explorer process and can encrypt protected files. This completes the ransomware PoC.

Of course, since I wanted the bounty, I reported the results of this research to Microsoft, but they said it was not a vulnerability for the following reasons: predicated on the attacker having local access to the target account already; since you are only able to write to HKCU you will not be able to affect other users; there also does not appear to be an escalation of privileges; and finally, it would appear the attacker would not gain anything from this attack. Okay, so the attacker can get a ransom from this attack, right? Okay, this is my previous research.

Well, I found an interesting article in 2021. Forbes's article is "Windows Ransomware Protection Is Effective Against Ransomware". I was skeptical about this article because I thought my previous PoC was still valid and files could be easily encrypted. Just to be sure, I ran my PoC on the latest Windows. Here is a video of the PoC I mentioned earlier, running on Windows 11. Here's the image of the echidna saved in the Pictures folder. Let's open the Ransomware Protection settings screen and enable Controlled Folder Access, and run the bat file that we successfully encrypted with in the past. So the program has been blocked and the echidna is safe. Finally, a check of the blocking history shows that Controlled Folder Access has protected the Pictures folder from File Explorer. As you can see, my previous PoC is no longer valid. Microsoft said that my report was not a vulnerability, but they had secretly fixed it.

I was so frustrated that I started looking for other holes in Ransomware Protection. So far I focused on apps, but this time I focus on folders. When you check the properties of the Pictures folder, it says you can change the location, and when you try to change the folder location you are asked if you want to move the files, like this. A good idea, but a bad idea for Microsoft, just popped into my head: if I change the location of the Pictures folder directly in the registry, I suspect that no file will be moved. If you check the Controlled Folder Access registry, you will find AllowedApplications and ProtectedFolders, and they seem to correspond to Allow an app through Controlled folder access and Protected folders. However, both are empty inside. Where are Documents and Pictures? The default protected folders are in another registry key, and of course, since they are under HKEY_CURRENT_USER, you can change them with user privileges.

Here's an overview of the new PoC. Normally, Controlled Folder Access protects the Pictures folder so that malicious apps cannot access and encrypt the image files. However, if a malicious app changes the location of the Pictures folder, the folder protected by Controlled Folder Access is changed; however, the files are not copied or moved, and since the folder before the change is no longer protected, it should be possible to encrypt the image files, right? Okay, I actually tried it. Run a new bat file, and this time reboot the system after changing the user folder. This is because the system needs a reboot to recognize the changed user folder. It takes a long time. Unfortunately, Microsoft was unable to protect the echidna. Check the blocking history like before: there is nothing in the blocking history. Yes, I outfoxed Microsoft again.

Of course, I reported the results of this research to Microsoft. Microsoft also said that it's not a vulnerability, and, surprise, just this one phrase this time: because Controlled Folder Access is a defense-in-depth security feature. What? In fact, the MSRC Microsoft Security Servicing Criteria for Windows page has a section called "Defense-in-depth security features" and states that Controlled Folder Access is not covered by the bounty. Unfortunately, my dream was cut short.

I want everyone to know how dangerous this problem really is, so I created an even more dangerous PoC. Again I used the Component Object Model hijacking method. It may not be well known, but Component Object Model hijacking can specify network paths. This means that there is no need to send a DLL file to the target. In addition, a fileless attack is possible if some vulnerability can be used to write directly to the registry. This DLL has the ability to encrypt files, but it is also possible to implement other functions, for example a C2 connection. So I used the CVE-2018-1335 command injection vulnerability in this PoC. This is a vulnerability in Apache Tika server. You can download the Python script here, and here is the modified Python script. The red underlined part is a command to run on Windows, which creates a user to access Samba, connects to Samba, adds the registry entry to load the DLL on Samba, and restarts the system.

Now let me show you. This echidna is safe. Open the Ransomware Protection settings screen and enable Controlled Folder Access. Take that IP address and use it to run the Tika server. From here, the attacker uses Samba for the attack. Ah, the malicious DLL is on the Samba share, a user is created using pdbedit, and Samba is restarted. Run the Python script shown above and the system will reboot remotely. Unfortunately, Microsoft was unable to protect the echidna. Yes, I brilliantly encrypted the file remotely.

That's the summary. To allow users to freely change the location of Documents, Pictures, etc., these registry entries are located under HKEY_CURRENT_USER. The problem is that Microsoft includes these existing registry entries in the protected folders by default. Microsoft should have let users add them instead of including them. So how can we solve this problem? The existing way is to add the folder you want to protect. However, many researchers have discovered holes in Ransomware Protection, and more may be discovered in the future. Therefore, it's important to always back up important data. Of course, the proper backup destination is not a PC but media, a NAS or the cloud, and it's even better if generation management is possible. Finally, as you can see, this time I was able to encrypt the user's data in a very simple and very ridiculous way. It was such an easy method that you probably thought you could do it yourself, but please never create ransomware using this method. Okay, my presentation is over. Thank you.

So, questions about the easy... oh, there we go. They're going to give you a microphone, hopefully in a second.

My English skill is poor, so if I cannot answer you, please...

No worries, my company uses broken English as well. Only a simple question: did you ever get your bounty?

I got a bounty one time, but it's not from Microsoft. I got it from 1Password. So, yes, this is my LinkedIn URL; my 1Password presentation is uploaded at this site, so please have a look at my presentation. Okay, thank you.

Any more questions? Personal experiences with Microsoft, maybe? Not today; it's for the next BSides convention. Well, if not, then thank you very much.

Okay, thank you.
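What a defender can check on an endpoint, as an added example that is not code from the talk, the speaker, or Microsoft: a PowerShell audit of the Controlled Folder Access state and of the two per-user registry surfaces the talk relies on, the User Shell Folders values under HKCU that decide which paths count as Documents and Pictures, and per-user CLSID InprocServer32 entries that shadow machine-wide ones in the merged HKCR view. The registry key paths and the Get-MpPreference properties are the stock Windows ones; the expected default locations in $ExpectedShellFolders, the status strings and the flag names are assumptions of this example. OneDrive Known Folder Move and per-user COM servers under %LOCALAPPDATA% are legitimate causes of findings, so read the output as leads to triage, not verdicts.

```powershell
# Added example (not from the talk): audit the per-user registry surfaces that
# the two bypasses rely on. Assumes Windows 10/11 with Microsoft Defender and
# is run as the user whose profile you want to check (HKCU is per-user).

# Stock locations of the default protected folders (assumption: unmodified
# Windows; OneDrive Known Folder Move legitimately changes these).
$ExpectedShellFolders = @{
    'Personal'    = '%USERPROFILE%\Documents'
    'My Pictures' = '%USERPROFILE%\Pictures'
    'My Music'    = '%USERPROFILE%\Music'
    'My Video'    = '%USERPROFILE%\Videos'
    'Desktop'     = '%USERPROFILE%\Desktop'
    'Favorites'   = '%USERPROFILE%\Favorites'
}
$ShellFoldersKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-CfaState {
    # Controlled Folder Access mode plus the user-added folders and allowed apps.
    $pref = Get-MpPreference
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled (block)' }
        2       { 'Audit mode' }
        default { "Other ($_)" }
    }
    [pscustomobject]@{
        Mode           = $mode
        ExtraProtected = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps    = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Test-UserShellFolders {
    # The default protected folders are whatever these HKCU values point to.
    # Read them unexpanded so '%USERPROFILE%\Pictures' compares as written.
    $key = Get-Item -LiteralPath $ShellFoldersKey
    foreach ($name in $ExpectedShellFolders.Keys) {
        $expected = $ExpectedShellFolders[$name]
        $raw      = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $status   = if ($null -eq $raw)          { 'MISSING' }
                    elseif ($raw -ieq $expected) { 'default' }
                    else                         { 'REDIRECTED' }
        # If redirected, count files still sitting at the old, now unprotected path.
        $oldPath    = [Environment]::ExpandEnvironmentVariables($expected)
        $leftBehind = 0
        if ($status -eq 'REDIRECTED' -and (Test-Path -LiteralPath $oldPath)) {
            $leftBehind = @(Get-ChildItem -LiteralPath $oldPath -File -Recurse -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{
            Name = $name; Value = $raw; Expected = $expected
            Status = $status; FilesAtOldPath = $leftBehind
        }
    }
}

function Test-UserClsidOverrides {
    # HKCU\Software\Classes wins over HKLM in the merged HKCR view, so a
    # per-user InprocServer32 that shadows a machine-wide CLSID is the
    # COM-hijack shape from the talk. UNC DLL paths are flagged separately.
    $hkcu = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $hkcu)) { return }
    foreach ($clsid in Get-ChildItem -LiteralPath $hkcu) {
        $inproc = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $inproc)) { continue }
        $dll      = [string](Get-Item -LiteralPath $inproc).GetValue('')
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $flags    = @()
        if (Test-Path -LiteralPath "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)") { $flags += 'shadows-HKLM' }
        if ($expanded -like '\\*') { $flags += 'UNC-path' }
        elseif ($expanded -notlike "$env:SystemRoot\*" -and $expanded -notlike "$env:ProgramFiles\*") {
            $flags += 'outside-system-dirs'
        }
        [pscustomobject]@{ CLSID = $clsid.PSChildName; Dll = $dll; Flags = ($flags -join ',') }
    }
}

Get-CfaState            | Format-List
Test-UserShellFolders   | Format-Table -AutoSize
Test-UserClsidOverrides | Where-Object { $_.Flags } | Format-Table -AutoSize
```

The high-signal combinations are a shell folder reported as REDIRECTED with a non-zero FilesAtOldPath (the talk's second bypass leaves the original files exactly there, unprotected) and a CLSID carrying both shadows-HKLM and UNC-path or outside-system-dirs (the COM-hijack shape of the first and third bypasses). Because both surfaces live under HKCU, the same audit can be written as a scheduled baseline comparison: store the first run's output and alert on any change, since neither value should move on a workstation without a deliberate user or OneDrive action.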