The campaign appears to have first come to light via a forum post in April.
The ransomware, the HP researchers noted, leverages “clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.”
As Dormann observed, it’s recently added a new technique to its arsenal.
Sidestepping Windows MOTW Warnings
ACROS Security CEO Mitja Kolsek responded, “Damn it, we’ve just patched the Windows unzip bug to make sure extracted files have MOTW, and now apparently MOTW doesn’t matter because you can slap any signature-looking blob on the file and Windows will trust it?”
Dormann provided little comfort by pointing out, “Well, this appears to only affect things relying on Authenticode.”
Introduced with Windows 10
Dormann later observed that Windows 8.1 does provide a warning dialog, suggesting that the flaw was likely introduced with the release of Windows 10.
As he explained to BleepingComputer, the bug is linked to Windows 10’s “Check apps and files” SmartScreen feature at Windows Security > App & browser control > Reputation-based protection settings.
“This issue is in the new-as-of-Win10 SmartScreen feature,” Dormann said. “And disabling ‘Check apps and files’ reverts Windows to the legacy behavior, where MOTW prompts are unrelated to Authenticode signatures.”
So there’s a trade-off: with the feature enabled, SmartScreen checks the reputation of downloaded files and warns on unrecognized ones, but attaching a malformed Authenticode signature is enough to suppress the warning; with it disabled, the legacy MOTW prompt fires regardless of any signature. As Dormann told BleepingComputer, “baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled.”
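The two things that matter in the passage above are whether a downloaded file carries MOTW (the Zone.Identifier alternate data stream) and whether its Authenticode signature actually verifies, since the bug described makes SmartScreen stay silent on MOTW-bearing files whose signature blob does not validate. The following PowerShell is an added triage script for a Windows 10 host, not code from the article, from Dormann or from 0patch: it reports the state of the “Check apps and files” setting and lists MOTW-bearing files under a folder whose signature status is anything other than Valid or NotSigned. The Downloads folder, the registry value name SmartScreenEnabled and its Warn/Block/Off values are assumptions about how the setting is persisted, and the function names are the example’s own.

```powershell
# Added illustration, not the article's or Dormann's code. Assumes a Windows 10
# host with Windows PowerShell 5.1 or later; the folder path is an assumption.
param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))

function Get-SmartScreenFileCheckState {
    # 'Check apps and files' is assumed to be persisted under this key with the
    # values Warn, Block or Off; a missing value is reported as Unknown, not Off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $v = (Get-ItemProperty -Path $key -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
    if ($null -eq $v) { 'Unknown' } else { $v }
}

function Get-MotwZoneId {
    param([string]$Path)
    # MOTW lives in the Zone.Identifier alternate data stream. ZoneId=3 is the
    # Internet zone, ZoneId=4 Restricted; a file without the stream has no MOTW.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Find-MotwFilesWithUnverifiedSignature {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $zone = Get-MotwZoneId -Path $_.FullName
        if ($null -eq $zone) { return }   # no MOTW: no SmartScreen prompt is expected anyway
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $zone
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Where-Object {
        # A blob that parses as a signature but does not verify surfaces here as
        # HashMismatch, NotTrusted or UnknownError. NotSigned is the ordinary case
        # and still gets the MOTW prompt, so it is filtered out.
        $_.SigStatus -ne 'Valid' -and $_.SigStatus -ne 'NotSigned'
    }
}

"SmartScreen 'Check apps and files': $(Get-SmartScreenFileCheckState)"
Find-MotwFilesWithUnverifiedSignature -Root $Folder | Format-Table -AutoSize
```

Run it from an elevated or a normal prompt; reading the Explorer key and the Zone.Identifier stream needs no special privilege. Any row it prints is a downloaded file that Windows 10 with the feature enabled may have opened without the MOTW warning, which is exactly the case the passage describes; the same file on a host with “Check apps and files” turned off, or on Windows 8.1, would have prompted.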
Update: 0patch has released a free temporary micropatch to fix the MOTW problem until Microsoft releases an official fix.