In the fall of 2017, in response to the WannaCry outbreak, Microsoft shipped Ransomware Protection in Windows 10 as a countermeasure. The basis of Ransomware Protection is Controlled Folder Access, but this feature is full of holes, and many researchers have pointed out various flaws. However, Microsoft says that Controlled Folder Access is a defense-in-depth security feature and is not subject to bug bounties. In 2021, Forbes published an article titled "Windows 10's Ransomware Protection Is Effective for Protection". To show that the article was wrong, I decided to recheck my previous research on how to inject a malicious DLL into File Explorer on the latest Windows 10. Then I found out that Microsoft had secretly fixed the problem. I was so frustrated that I started investigating whether there were any other holes in Ransomware Protection. As a result, I found a new, very silly way to get around it. It works not only on Windows 10 but also on Windows 11. In this talk, I will show the previous bypass method, the new ridiculous bypass method, and remote attacks using other vulnerabilities, with demonstration videos. It is so simple that anyone can easily imitate it, but please never create ransomware using this method.
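The feature the abstract criticizes is configurable and auditable from PowerShell, and a defender who wants to judge how much Controlled Folder Access actually buys should start by looking at what it trusts and what it has logged. The script below is an added example, not part of the talk or the speaker's own tooling: it prints the Controlled Folder Access mode, the applications explicitly allowed to write into protected folders (the trust list that a bypass such as injecting a DLL into File Explorer borrows), the extra protected folders, and any block or audit events Microsoft Defender logged in the last seven days. It assumes Microsoft Defender Antivirus is the active engine and that it runs in an elevated session; the Get-MpPreference properties and the event IDs 1123 (blocked) and 1124 (audited) are the ones Microsoft documents for Controlled Folder Access.

```powershell
# Added example (not from the talk): report Controlled Folder Access state and recent CFA events.
# Assumes Microsoft Defender Antivirus is the active AV engine and the session is elevated.

# Meaning of the EnableControlledFolderAccess value (0-2 are the classic modes;
# 3 and 4 are the newer disk-modification-only modes).
$modes = @{
    0 = 'Disabled'
    1 = 'Enabled (block)'
    2 = 'AuditMode'
    3 = 'BlockDiskModificationOnly'
    4 = 'AuditDiskModificationOnly'
}

$pref = Get-MpPreference
$mode = [int]$pref.EnableControlledFolderAccess
Write-Host ("Controlled Folder Access mode: {0} ({1})" -f $mode, $modes[$mode])

# Every allowed application is a write path into the protected folders; code running
# inside one of these processes (or inside a built-in trusted process such as
# explorer.exe) is not blocked, which is exactly what the DLL-injection bypass relies on.
Write-Host "`nExplicitly allowed applications:"
if ($pref.ControlledFolderAccessAllowedApplications) {
    $pref.ControlledFolderAccessAllowedApplications | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "  (none added by the administrator; Microsoft's built-in trusted apps still apply)"
}

Write-Host "`nAdditional protected folders (beyond the default user profile folders):"
if ($pref.ControlledFolderAccessProtectedFolders) {
    $pref.ControlledFolderAccessProtectedFolders | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "  (none)"
}

# Block (1123) and audit (1124) events live in the Defender operational log.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "`nNo Controlled Folder Access block/audit events since $since."
} else {
    Write-Host "`nControlled Folder Access events since ${since}:"
    $events | ForEach-Object {
        # The first line of the message names the process and the path it tried to change.
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Detail = ($_.Message -split "`r?`n")[0]
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Run it before and after testing a bypass: a write from an injected DLL inside a trusted process produces no 1123 event at all, which is the practical meaning of "defense in depth" here. To collect 1124 audit events without blocking anything, switch the mode with `Set-MpPreference -EnableControlledFolderAccess AuditMode`.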
About Soya Aoyama
- Soya Aoyama is a cyber security researcher at Fujitsu System Integration Laboratories Limited. Soya has been working for Fujitsu for more than 20 years as a Windows software developer, and has developed NDIS drivers, Bluetooth profiles, WinSock applications, and more. About seven years ago, Soya started security research, focusing mainly on attacks using Windows DLLs, and has spoken at BSidesLV, GrrCON, ToorCon, DerbyCon, HackMiami, LeHack, BSidesSG and ROOTCON. Soya is the founder and organizer of BSides Tokyo, and hosted the first BSides Tokyo in 2018.