Microsoft claims “no known ransomware” runs on Windows 10 S, its newest, security-focused operating system.
The software giant announced the version of Windows earlier this year as the flagship student-focused operating system to ship with its newest Surface Laptop. Microsoft touted the operating system as being less susceptible to ransomware because of its locked-down configuration — to the point where you can’t run any apps outside the protective walled garden of its app store. In order to get an app approved, it has to go through rigorous testing to ensure its integrity. That’s one of several mitigations that help protect the operating system against known file-encrypting malware.
We wanted to see if such a bold claim could hold up.
Spoiler alert: It didn’t.
Last week, on its debut day, we got our hands on a new Surface Laptop, the first device of its kind to run Windows 10 S. We booted it up, went through the setup process, created an offline account, and installed a slew of outstanding security patches — like any other ordinary user would (hopefully) do.
And that’s when we asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system?
It took him a little over three hours to bust the operating system’s various layers of security, but he got there.
“I’m honestly surprised it was this easy,” he said in a call after his attack. “When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would’ve wanted more restrictions on trying to run privileged processes instead of it being such a short process.”
But Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn’t allow the user to run anything that isn’t necessary. That means there’s no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it’s off-limits. Bottom line: If it’s not in the app store, it won’t run.
Cracking Windows 10 S was a tougher task than we expected.
But one common attack point exists. Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros. These typically small, script-based programs are designed to automate tasks, but they’re also commonly used by malware writers.
Here’s how he did it.
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows’ Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
But given the dangers associated with macros, Word’s “protected view” blocks macros from running when a file is downloaded from the internet or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document — a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but he would have to manually unblock the file from the file’s properties menu — as easy as clicking a checkbox.)
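The origin check described above rests on the "Mark of the Web", the Zone.Identifier alternate data stream that Windows attaches to downloaded files and that the "unblock" checkbox removes. As an added example (not part of the original article or Hickey's work), this PowerShell audit lists macro-capable Office files and reports whether each still carries an Internet-zone mark. The default scan path and the extension list are assumptions, and because Windows 10 S blocks PowerShell, it is meant to be run from an ordinary Windows admin workstation against a user profile or share.

```powershell
# Added example: audit macro-capable Office files for Mark of the Web (MOTW).
# Files with no Zone.Identifier stream, or with a zone below Internet (3),
# do not carry the Internet-origin mark described in the article.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan root
)

# Assumed list of Office extensions that can carry macros.
$macroExt  = '.docm', '.dotm', '.xlsm', '.xltm', '.pptm', '.doc', '.xls', '.ppt'

# Standard Windows URL security zone numbers.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $macroExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zoneId = $null

        # Zone.Identifier is an NTFS alternate data stream. It is absent when
        # the file never had MOTW or when a user has "unblocked" it.
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                      -ErrorAction SilentlyContinue
        if ($stream) {
            $match = $stream | Select-String -Pattern '^ZoneId=(\d+)' |
                     Select-Object -First 1
            if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            File            = $_.FullName
            ZoneId          = $zoneId
            Zone            = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { 'none' }
            HasInternetMotw = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
```

Rows where `HasInternetMotw` is false are the ones to review first, since those documents open without the Internet-origin restriction.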
Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.
From there, he was able to download a payload using Metasploit, a common penetration testing tool, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. He was then able to get the highest level of access, “system” privileges, by accessing a “system”-level process and using the same DLL injection method.
By gaining “system” privileges, he had unfettered, remote access to the entire computer.
“From here we can start turning things on and off — antimalware, firewalls, and override sensitive Windows files,” he said. With a few steps, the computer would have been entirely vulnerable and unable to defend against any malware.
“If I wanted to install ransomware, that could be loaded on,” he said. “It’s game over.”
To prove his level of access, he sent me a screenshot with the plaintext password of the Wi-Fi network that the computer was connected to, something only available to “system”-level processes.
“We considered leaving the laptop playing ‘AC/DC Thunderstruck’ on loop for you, but we didn’t want to upset your neighbors or any pets!” he joked.
“We could even take something like Locky, a DLL-based ransomware, and run it so that it would encrypt all the files in your documents and request a key by setting the wallpaper,” he said.
Though he was given permission, Hickey stopped short of installing the ransomware, citing the possible risk to other devices on the network. “We’ve proved the point enough,” he said. “We can do whatever we wanted,” he said.
From popping the shell, which took him “a matter of minutes,” he was able to gain full system-wide access to the operating system in a few hours. “That’s because we knew already of these kinds of attacks and these kinds of techniques, and we know it’s worked for us in the past,” he said.
Hickey did not use any previously-undisclosed or so-called zero-day vulnerabilities to carry out the attack, but he said that this attack chain could be carried out several other ways.
Although Hickey used publicly known techniques that are widely understood by security experts, we nevertheless privately informed Microsoft’s security team of the attack process prior to publication.
For its part, Microsoft rejected the claims.
“In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,” said a spokesperson. “We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
This hack may not have been the prettiest or easiest to launch. You could argue that the hack took too many steps that wouldn’t be replicated in the real world, and that this case would rely on either social engineering or physical access to a device, rather than a weaponized file to launch on a double-click. That said, hackers aren’t known to give up after a little over three hours probing vulnerabilities.
In the end, Microsoft said that “no known ransomware” works on the operating system, but by gaining “system”-level access, we showed that it’s entirely possible to take control of the machine to install ransomware.
If there’s a lesson to be learned (and repeated again and again), it’s that nothing is unhackable.