
New Ransomware Process Leverages Native Windows Features
2020-01-21 15:03

A potential ransomware technique that abuses the Windows Encrypting File System (EFS) to encrypt a victim's files was identified by researchers at SafeBreach.

The approach relies solely on built-in Windows functionality and can therefore be classed as a form of "living off the land". The key difference from traditional ransomware is where the encryption happens: rather than carrying its own crypto routines, which anti-ransomware products are tuned to spot, this process hands the work to EFS, a Windows feature that such products are far less likely to monitor.

"The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows," state the researchers.

If EFS is not required, the researchers explain, "A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 0. Group Policy can be used for enterprise-wide disabling of EFS."
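The registry change described above, as an added PowerShell example that is not part of the article or of SafeBreach's write-up. It assumes the registry path and value name quoted above; note that it writes 1, the value Microsoft documents for EfsConfiguration as "EFS disabled", and reads the key back so the result can be checked against the documentation in your own environment. Without switches the script only audits: it reports the current EFS state and lists files under the given roots that already carry the Encrypted attribute, which is the artifact this technique would leave behind (and which legitimate EFS users also produce). With -Disable, run from an elevated prompt, it writes the value.

```powershell
# Added example (not from the article or SafeBreach): audit EFS state and
# EFS-encrypted files on a Windows host, and optionally disable EFS.
# Assumptions: the key/value name cited by the researchers; Microsoft documents
# EfsConfiguration = 1 as the "disabled" setting. Writing requires elevation.
[CmdletBinding()]
param(
    # Directories to scan for files that already carry the Encrypted attribute.
    [string[]] $ScanRoots = @("$env:USERPROFILE"),
    # Actually write the registry value; default is audit-only.
    [switch] $Disable
)

$EfsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$EfsValue = 'EfsConfiguration'

function Get-EfsState {
    # Absent value means the Windows default (EFS enabled).
    $current = (Get-ItemProperty -Path $EfsKey -Name $EfsValue -ErrorAction SilentlyContinue).$EfsValue
    if ($null -eq $current) { return 'enabled (value absent, default)' }
    if ($current -eq 1)     { return 'disabled' }
    return "enabled (value $current)"
}

function Find-EfsEncryptedFiles {
    param([string[]] $Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Write-Host "EFS is currently: $(Get-EfsState)"

# A burst of newly Encrypted files under user directories, written by a process
# that is not the user's own, is what this technique would look like on disk.
$encrypted = @(Find-EfsEncryptedFiles -Roots $ScanRoots)
Write-Host "EFS-encrypted files under $($ScanRoots -join ', '): $($encrypted.Count)"
$encrypted | Select-Object -First 20 | Format-Table -AutoSize

if ($Disable) {
    if ($encrypted.Count -gt 0) {
        Write-Warning "Existing EFS-encrypted files found. Decrypt them (cipher /d) or back up the EFS certificate and key before disabling EFS."
    }
    # Value 1 = EFS disabled, per Microsoft's documentation for this key.
    New-ItemProperty -Path $EfsKey -Name $EfsValue -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "EFS is now: $(Get-EfsState) (a reboot may be needed for the change to take full effect)"
}
```

For fleet-wide enforcement the same setting is pushed through Group Policy (Public Key Policies > Encrypting File System) rather than by editing the registry host by host; the audit part of the script is still useful afterwards to find hosts where the policy did not apply.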

A complete fix, the researchers suggest, lies with the Windows OS developers rather than with anti-ransomware vendors: adding a feature to stand-alone Windows that controls this use of EFS would close the gap entirely, whereas third-party products can only attempt to detect it.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/lC0z4IgyYug/new-ransomware-process-leverages-native-windows-features