A new method to corrupt Windows Ransomware protection has been discovered. Hackers can bypass Controlled Folder Access via Windows Registry Editor.
Microsoft has recently added a feature, known as Controlled Folder Access. The feature has been used in order to stop modifications of files that are residing in protected folders that cannot be accessed by unknown programs. Unfortunately, that feature has been bypassed by a simple registry value created y the researchers Soya Aoyama a security specialist at Fujitsu System Integration Laboratories Ltd.
How the Windows Ransomware Protection is Bypassed
The researcher has demonstrated an attack via a malicious DLL injections into Windows Explorer. Since Explorer is in the trusted services of Windows, when the DLL is injected in it, it will run a script that bypasses the feature for ransomware protection of Windows.
This can be achieved by attacking Windows “where it hurts most” – the Windows Registry Editor. When started, th DLLs are loaded under a random sub-key, located in the following sub-key:
This leads to several different outcomes, he main of which are the registry key that is created replicates itself to HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT trees. When Windows Explorer is executed, it begins to load Shell.dll from the following registry sub-key:
Shortly after this happens, the malicious DLL is loaded into explorer.exe and the researcher simply set the default value of the DLL to 0.
What follows in the process of breaking the Windows ransomware protection is that Windows Explorer (explorer.exe) is shut down and restarted with the malicious DLL being executed in it. This results in the complete bypassing of the Controlled Folder Access feature.
Not only the DLL did bypass Windows Defender, but it also bypassed big antivirus products, like:
- Malwarebytes Premium.
So the bottom line is that the researcher took advantage of the applications that have permissions over the Controlled Folder Access feature and use these permissions in the DLL attack.
Microsoft had to say in their defense that Aoyama has gained access previously to the computer he demonstrated the vulnerability and thus they cannot compensate him for this, which is rather odd. But what is not odd is that you do not even need administrative privileges to hack the ransomware protection of Controlled Folder Access and that is quite disturbing.