Windows Ransomware Protection Can Be Hacked Easily


A new method to bypass Controlled Folder Access by registering a malicious shell extension in the Windows Registry has been demonstrated to work reliably.




Microsoft recently added a feature to Windows Defender known as Controlled Folder Access. It is designed to stop unknown or untrusted programs from modifying files that reside in a set of protected folders; only applications Microsoft trusts by default, or that the user has explicitly allowed, may write there. Unfortunately the feature can be bypassed with a simple registry entry, as demonstrated by the researcher Soya Aoyama, a security specialist at Fujitsu System Integration Laboratories Ltd.

Related: Windows 10 Anniversary Update With Ransomware Protection

How the Bypass of Controlled Folder Access Happens

The researcher demonstrated the attack by loading a malicious DLL into Windows Explorer (explorer.exe). Explorer is one of the applications that Controlled Folder Access trusts by default, so once the DLL is running inside its process, any file operations it performs are treated as coming from a trusted program and the ransomware protection is never triggered.

This is achieved by abusing the Windows Registry, where Explorer's shell extensions are registered. When Explorer starts, it loads the context menu handler DLLs registered under the sub-keys of:

→ HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Each ContextMenuHandlers entry is a CLSID, which Explorer resolves through the Classes tree. Note that HKEY_CLASSES_ROOT is not a separate store but a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes, which is why a key created in either of those locations also shows up under HKEY_CLASSES_ROOT (what the original report describes as the key "replicating itself"). When Windows Explorer is executed, it loads the handler's DLL (Shell.dll, according to the researcher) from the path stored in the default value of the following sub-key:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32

The default value of that InProcServer32 key is what tells Explorer which DLL to load for the CLSID. The researcher modified this default value (the report describes setting it to 0), with the result that the malicious DLL is what ends up loaded into explorer.exe.

Explorer is then terminated and restarted, and on restart it loads the malicious DLL. Because Controlled Folder Access trusts explorer.exe, the code now running inside it can read, modify, encrypt or delete files in the protected folders, which amounts to a complete bypass of the feature.
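The registration chain described above (ContextMenuHandlers entry, CLSID, InProcServer32 default value, DLL) is also what a defender should audit. The following PowerShell script is an added example written for this article; it is not code from the original page or from the researcher. It lists the context menu handlers explorer.exe loads for the "*" class, resolves each CLSID in both the per-user and machine-wide Classes hives, and flags the pattern the article describes: a handler whose DLL is not a validly Microsoft-signed binary, or whose CLSID is defined per-user so that it shadows the HKLM definition in the merged HKEY_CLASSES_ROOT view. It also prints the current Controlled Folder Access mode and whitelist. The thresholds (Microsoft as the only expected signer, the "*" class as the only root audited) are assumptions chosen for the example.

```powershell
# Added example, not code from the article or from Soya Aoyama's research.
# Audits the shell-extension registrations explorer.exe loads and flags the
# pattern the article describes: a ContextMenuHandlers entry whose CLSID
# resolves (via InProcServer32) to a DLL that is not a validly signed
# Microsoft binary, or that is registered per-user so that it shadows the
# machine-wide definition in the merged HKEY_CLASSES_ROOT view.
# Runs in an ordinary (non-elevated) session; reading these keys needs no
# administrative rights.

# 1. Confirm Controlled Folder Access is actually enforcing (1 = block,
#    2 = audit only, 0 = off) and see which apps are explicitly allowed.
$mp = Get-MpPreference
"Controlled Folder Access mode : $($mp.EnableControlledFolderAccess)"
"Explicitly allowed apps       : $($mp.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Resolve a CLSID to the DLL(s) registered for it. HKCR is a merged view of
#    HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes; for a non-elevated
#    process such as explorer.exe the HKCU entry wins when both exist.
function Resolve-InProcServer {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            [pscustomobject]@{
                Hive = $hive
                Dll  = [Environment]::ExpandEnvironmentVariables([string]$raw)
            }
        }
    }
}

# 3. Enumerate context menu handlers for the '*' (all files) class in both
#    hives. -LiteralPath is required because '*' is otherwise a wildcard.
#    (Assumption for this example: only the '*' class is audited; Explorer
#    also loads handlers from Directory, Folder, AllFilesystemObjects, etc.)
$handlerRoots = @(
    'HKLM:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers',
    'HKCU:\SOFTWARE\Classes\*\shellex\ContextMenuHandlers'
)
$findings = foreach ($root in $handlerRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        # The CLSID is either the sub-key's default value or the sub-key name.
        $clsid = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
        if (-not $clsid) { $clsid = $sub.PSChildName }
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        foreach ($srv in @(Resolve-InProcServer -Clsid $clsid)) {
            $reasons = @()
            if ($srv.Hive -eq 'HKCU') {
                $reasons += 'per-user CLSID registration (shadows HKLM in HKCR)'
            }
            if (-not (Test-Path -LiteralPath $srv.Dll)) {
                $reasons += 'DLL path does not exist'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $srv.Dll
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature status: $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notlike '*Microsoft*') {
                    $reasons += "signer: $($sig.SignerCertificate.Subject)"
                }
            }
            [pscustomobject]@{
                HandlerName = $sub.PSChildName
                Clsid       = $clsid
                Hive        = $srv.Hive
                Dll         = $srv.Dll
                Suspicious  = ($reasons.Count -gt 0)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# 4. Suspicious entries first. The expected baseline is a DLL under
#    %SystemRoot%, signed by Microsoft, registered only in HKLM.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A third-party handler signed by a vendor you recognise (an archiver, a cloud sync client) will show up as suspicious under these assumptions and can be triaged manually; the findings worth immediate attention are an HKCU registration for a CLSID that also exists in HKLM, or a DLL outside Program Files and the Windows directory. Because the audit reads the same keys the attack writes, scheduling it and diffing the output against a known-good baseline turns the technique's own footprint into a detection.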

The DLL not only bypassed Windows Defender's Controlled Folder Access; according to the researcher, the same technique also got past the ransomware protection of other major antivirus products, including:

  • Avast.
  • ESET.
  • Malwarebytes Premium.
  • McAfee.

The bottom line is that the researcher did not break Controlled Folder Access itself; he took advantage of an application that already has permission to write to the protected folders and used that permission from inside it, via the injected DLL. A trusted-application whitelist is only as strong as the weakest trusted process on it, and explorer.exe is a large, extensible process that loads third-party code by design.




Microsoft's response was that Aoyama already had code execution on the machine before demonstrating the bypass, so the technique does not cross a security boundary and does not qualify for a bounty. This may seem odd, but it reflects how Microsoft classifies the feature: Controlled Folder Access is defense in depth, not a security boundary, and it trusts explorer.exe by design. What is genuinely disturbing is that, as the researcher points out, no administrative privileges are needed. Writing to HKEY_LOCAL_MACHINE\SOFTWARE\Classes requires administrator rights, but HKEY_CURRENT_USER\SOFTWARE\Classes is writable by any user and is merged into HKEY_CLASSES_ROOT, so malware running under an ordinary user account can register a shell extension and switch off its own ransomware protection.

Vencislav Krustev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
