The Ransomware Protection Full of Holes

Presented at A New HOPE (2022), July 23, 2022, 4 p.m. (50 minutes).

In the fall of 2017, after the WannaCry outbreak, Microsoft implemented ransomware protection in Windows 10 to counter it. The basis of this ransomware protection was "controlled folder access," which is a feature full of holes and various flaws pointed out by many researchers. However, Microsoft says that controlled folder access is the defense-in-depth security feature and is not subject to bug bounty. In 2021, Forbes published an article about ransomware protection of Windows 10 being effective for protection. To show that the article was wrong, Soya decided to recheck previous research on how to inject File Explorer with the latest Windows 10, then found that Microsoft had secretly fixed it. Frustrated, Soya started investigating to see if there were any other holes in the ransomware protection and, as a result, found a way to bypass the ransomware protection in a very silly way. It was possible not only on Windows 10 but also on Windows 11.

In this talk, Soya will review the previous bypass method and present a new ridiculous bypass method, as well as remote attacks using other vulnerabilities along with demonstration videos. This is so simple that anyone can easily imitate it. (However, be sure never to create ransomware with this technique.)


Presenters:

  • Soya Aoyama
    **Soya Aoyama (@SoyaAoyama)** is a cybersecurity researcher at Fujitsu System Integration Laboratories Limited. Soya has been working for Fujitsu for more than 20 years as a Windows software developer, and has been developing NDIS drivers, Bluetooth profiles, WinSock applications, and more. About seven years ago, Soya started security research, and mainly researches attacks using Windows DLLs, and has talked at many conferences around the world. Soya is founder and organizer of BSides Tokyo, and hosted the first one in 2018.

Links:

Similar Presentations: