Experts: Windows Feature Can Be Used as Ransomware

John Lister's picture

Ransomware attackers could turn a key Windows security tool against the system, according to new research. The tactic could also evade leading security tools.

The research from SafeBreach Labs covered "EFS", otherwise known as Encrypting File System. EFS was released as far back as Windows 2000 (in the year 2000), and is somewhat similar to Bitlocker. The main difference between the two is that Bitlocker can encrypt an entire volume, while EFS can encrypt individual files and folders.

In either case, the reason for encrypting files / folders or an entire volume is that if an attacker gained physical access to a hard drive, they would not be able to decrypt the files without a password.

Hacker Could Encrypt With Own Key

EFS uses part of the Windows login to encrypt the files in order to produce a "key" for the encryption. SafeBreach says that there's a significant flaw in how this works.

Through proof of concept, SafeBreach discovered that an attacker could effectively produce their own security key and use it to remotely force the computer to encrypt all its files through EFS using that key. The attacker would then delete the key.

This would mean that the legitimate user's login details and associated key would no longer unlock the EFS-encrypted files. The security benefits of EFS would now be turned against the legitimate user, who could then be hit with a ransomware note, demanding payment to restore access. If the user did pay up, the attacker could (if they stuck to the 'deal') use their key to decrypt the files.

The researchers also found that three leading security tools that claim to combat ransomware were unable to protect against such an attack. (Source:

Microsoft Not Planning Update

SafeBreach says it contacted Microsoft and a range of security software manufacturers to give them a chance to tackle the problem before it went public and risked tipping off attackers. Most of the security software makers have updated their products or are in the process of doing so.

Microsoft says that they "... assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows." They went on to say that the topic may be addressed in a future product. (Source:

What's Your Opinion?

Are you surprised nobody thought of this tactic before? Should the researchers have gone public at all or restricted their findings to security professionals? Is this risk still worthwhile for the benefits encryption brings to PC owners?

Rate this article: 
Average: 5 (9 votes)


buzzallnight's picture

Encrypting File System. EFS was released as far back as Windows 2000 (in the year 2000), and is somewhat similar to Bitlocker. The main difference between the two is that Bitlocker can encrypt an entire volume, while EFS can encrypt individual files and folders.

In Win 7

click start
search for services
Select view local services under the control panel heading
Scroll down and right click on Encrypting File System (EFS)
Select and click on properties from the menu
Under the general tab look down to start up type
Click the arrow on the right side and select disabled

Dennis Faas's picture

Thanks for your suggestion. However, if a cyber criminal wanted to re-enable the service and then encrypt the drive, it would be a matter of issuing the following command using an administrative command line / batch script / program:

fsutil behavior set disableencryption 0

buzzallnight's picture

The ones for remote connections also!

russoule's picture

this is a how-to explaining how to delete a service and advising NOT to delete a service.

what isn't in this how-to is an advise to check under "properties" to see if another "service" relys on the service you are about to delete. good luck.

buzzallnight's picture

Where is the link you are talking about?
I can not find it.

russoule's picture

forgot to include the link. must be getting old.

buzzallnight's picture

We are all getting older,

Do you remember magnetic core memory?
CPUs made up of small ICs on a 12 inch board?
SMD disk drives that looked like cake holders?
Punched paper tape?
Loading a batch from punched cards?
Back when servers were big iron running Motorola 68000 cpus
and BSD Unix?
Sun 3s?

rsbford_13260's picture

That was computer science when I was in high school. We'd setup a program in class - punch the cards ( 1 card per instruction) and then the instructor handed them back the next day with a print out of what they did and what I did wrong.

buzzallnight's picture

had a PDP-11 with a punched card reader,
the latest tech at the time!!!!!!!!
I used to print resumes with a mechanical singer freeden
typewriter that saved what you wanted typed on punched paper tape!
Ohio Scientific Super board 2 with the 8K memory upgrade was my first computer!!
I still have it!!!

Draq's picture

If Microsoft added protection against ransomware that encrypts files, what's the logic in not fixing their own software so it can't be used as ransomware, especially since this is public knowledge now? That just seems really irresponsible. A security threat is a security threat regardless of its severity.

Also, wouldn't this only affect machines with Bitlocker enabled such as those with Windows 10 Professional? It's not a feature on Windows 10 Home last I knew.

buzzallnight's picture

Imagine you buy a boat
and it leaks
so they keep sending you stick on patches!

The boat is not supposed to leak at all, ever!!!!!!!!!!!

So, you buy a car and it is not done or complete yet
and they send you a part of the car once a month for you to install!!!

Why have software companies always been able to get away with shoddy products????????