A new method to corrupt Windows Ransomware protection has been discovered. Hackers can bypass Controlled Folder Access via Windows Registry Editor.
Microsoft has recently added a feature, known as Controlled Folder Access. The feature has been used in order to stop modifications of files that are residing in protected folders that cannot be accessed by unknown programs. Unfortunately, that feature has been bypassed by a simple registry value created y the researchers Soya Aoyama a security specialist at Fujitsu System Integration Laboratories Ltd.
Related: Windows 10 Anniversary Update With Ransomware Protection
How the Windows Ransomware Protection is Bypassed
The researcher has demonstrated an attack via a malicious DLL injections into Windows Explorer. Since Explorer is in the trusted services of Windows, when the DLL is injected in it, it will run a script that bypasses the feature for ransomware protection of Windows.
This can be achieved by attacking Windows “where it hurts most” – the Windows Registry Editor. When started, th DLLs are loaded under a random sub-key, located in the following sub-key:
→ HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
This leads to several different outcomes, he main of which are the registry key that is created replicates itself to HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT trees. When Windows Explorer is executed, it begins to load Shell.dll from the following registry sub-key:
→ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32
Shortly after this happens, the malicious DLL is loaded into explorer.exe and the researcher simply set the default value of the DLL to 0.
What follows in the process of breaking the Windows ransomware protection is that Windows Explorer (explorer.exe) is shut down and restarted with the malicious DLL being executed in it. This results in the complete bypassing of the Controlled Folder Access feature.
Not only the DLL did bypass Windows Defender, but it also bypassed big antivirus products, like:
- Avast.
- ESET.
- Malwarebytes Premium.
- McAfee.
So the bottom line is that the researcher took advantage of the applications that have permissions over the Controlled Folder Access feature and use these permissions in the DLL attack.
Microsoft had to say in their defense that Aoyama has gained access previously to the computer he demonstrated the vulnerability and thus they cannot compensate him for this, which is rather odd. But what is not odd is that you do not even need administrative privileges to hack the ransomware protection of Controlled Folder Access and that is quite disturbing.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me: