THE RANSOMWARE PROTECTION FULL OF HOLES (presented at HITB Singapore 2022)

by Soya Aoyama

Summary: In the fall of 2017, in response to the WannaCry outbreak, Microsoft shipped Ransomware Protection in Windows 10 as a countermeasure. Its core is Controlled Folder Access, which only lets trusted applications modify files in protected folders, but the feature is full of holes and many researchers have pointed out flaws in it. Microsoft's position is that Controlled Folder Access is a defense-in-depth feature, so bypasses of it are not eligible for bug bounties.
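To see what Controlled Folder Access actually enforces on a given host, the following PowerShell audits its configuration and the decisions Defender logs. This is an added example, not code from the talk or from Microsoft; the cmdlets, property names, mode values and event IDs are Microsoft-documented, while the output layout is my own choice. Run it from an elevated prompt on Windows 10 or 11.

```powershell
# Added example (not part of the talk): audit Controlled Folder Access (CFA) state,
# its trust boundary, and recent block/audit events. Requires an elevated prompt.
$pref = Get-MpPreference

# EnableControlledFolderAccess values documented for Set-MpPreference:
# 0 = Disabled, 1 = Enabled (block), 2 = AuditMode,
# 3 = BlockDiskModificationOnly, 4 = AuditDiskModificationOnly
$modes = @{
    0 = 'Disabled'
    1 = 'Enabled'
    2 = 'AuditMode'
    3 = 'BlockDiskModificationOnly'
    4 = 'AuditDiskModificationOnly'
}
$mode = [int]$pref.EnableControlledFolderAccess
"CFA mode: $($modes[$mode]) ($mode)"
if ($mode -ne 1) {
    "  Note: files are only protected in mode 1; enable with:"
    "  Set-MpPreference -EnableControlledFolderAccess Enabled"
}

# Folders protected in addition to the default user folders (Documents, Pictures, ...).
"Additional protected folders:"
foreach ($f in $pref.ControlledFolderAccessProtectedFolders) { "  $f" }

# Applications the administrator explicitly allowed to write into protected folders.
# Together with the Microsoft-maintained list of trusted apps (which Get-MpPreference does
# not expose), this is the feature's trust boundary: any code that executes inside an
# allowed process, e.g. an injected DLL, inherits that process's write access.
"Administrator-allowed applications:"
foreach ($a in $pref.ControlledFolderAccessAllowedApplications) { "  $a" }

# Recent CFA decisions from the Defender operational log.
# 1123 = blocked file/folder modification   1124 = audited (would have been blocked)
# 1127 = blocked disk sector write          1128 = audited disk sector write
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127, 1128
} -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    "No CFA block/audit events in the operational log."
} else {
    "Recent CFA events:"
    $events |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -replace "`r?`n", ' ') -replace '\s{2,}', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

The block's message text in 1123/1124 events names the blocked process and the target path, which is what to look at when evaluating a claimed bypass: a write that lands in a protected folder with no corresponding 1123 event came from a process the feature trusts.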

In 2021, Forbes published an article titled “Windows 10’s Ransomware Protection Is Effective for Protection” (although the title seems to have changed since). To show that the article was wrong, I decided to recheck on Windows 11 my earlier research, which injects a malicious DLL into File Explorer and encrypts files. It seems that Microsoft had secretly fixed this issue, and files could no longer be encrypted with my method. I was very frustrated, so I started looking for other holes in Ransomware Protection and found a new, ridiculous bypass method.

In this talk, I will show the previous bypass method and the new ridiculous one, as well as remote attacks that use other vulnerabilities, supported by demonstration videos.