According to Google search:
Yes, ransomware actively uses the ability to change Access Control List (ACL) permissions. By modifying ACLs or taking ownership of files, ransomware can bypass security restrictions, remove access barriers, and prevent security tools from stopping the encryption process.
Common techniques and tools ransomware actors use to abuse ACLs include:
Resetting Permissions (icacls): Ransomware families (like Ryuk, WannaCry, and BlackByte) heavily use the native Windows command-line utility icacls (e.g., icacls . /grant Everyone:F /T /C /Q) to wipe out existing access-based restrictions on files and directories, allowing anyone full control.
Taking Ownership (takeown): To modify permissions, a process sometimes needs to become the owner of the file. Ransomware tools like WastedLocker and BitPaymer invoke takeown.exe to seize file ownership before resetting the ACLs.
Disabling Security Tools: Some variants modify the binary ACLs of antivirus and EDR executables to prevent security agents from running or scanning the malicious files.
https://superuser.com/questions/1686584/permission-settings-to-protect-shared-folders-from-ransomware-on-windows-10
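The three behaviours listed above (a broad icacls /grant, takeown /F on a data file, and an icacls /deny aimed at a security product's binary) all surface in process-creation telemetry, so the practical check is a detection rule over those events rather than a file-system setting. The following is an added example of such a rule, written for this page and not taken from the Google answer or the linked superuser thread. It runs over a handful of constructed Sysmon Event ID 1 style records (made up for the example, not real telemetry); the BROAD_PRINCIPALS and SECURITY_PRODUCT_HINTS lists are assumptions you would replace with the principals and agents in your own estate.

```python
import re

# Constructed sample process-creation events in the shape of Sysmon Event ID 1
# (Image, ParentImage, CommandLine). Made-up records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmd": "icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 4121, "parent": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\takeown.exe",
     "cmd": r'takeown.exe /F "C:\Shares\Finance\Q3.xlsx"'},
    {"pid": 4122, "parent": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls "C:\Program Files\Windows Defender\MsMpEng.exe" /deny Everyone:(RX)'},
    {"pid": 5003, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls "C:\Shares\HR" /grant "CORP\HR-Staff":(OI)(CI)M'},
    {"pid": 5004, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
]

# Well-known broad principals (names and SIDs) that should not receive Full control
# on a data share from a command line. Assumed, illustrative list.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users",
                    "s-1-1-0", "s-1-5-11", "s-1-5-32-545"}

# Path fragments of security products; an ACL /deny on one of these is suspicious.
# Assumed list for the example; extend with the agents actually deployed.
SECURITY_PRODUCT_HINTS = ("windows defender", "sentinelone", "crowdstrike", "sophos",
                          "symantec", "mcafee", "carbon black", "eset", "kaspersky")

# icacls inheritance flags that may prefix the rights letters, e.g. (OI)(CI)F
INHERIT_FLAGS = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)


def tokenize(cmd):
    """Split a Windows command line, keeping quoted spans together and dropping the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def is_broad_principal(principal):
    # Strip a DOMAIN\ or BUILTIN\ prefix so BUILTIN\Users and Users compare equal.
    return principal.rsplit("\\", 1)[-1].lower() in BROAD_PRINCIPALS


def grants_full_control(perms):
    # Remove inheritance flags, then look for F (Full) or GA (generic all) among the rights.
    rights = INHERIT_FLAGS.sub("", perms).strip("()").upper()
    return any(r in ("F", "GA") for r in rights.split(","))


def analyze_event(ev):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    tokens = tokenize(ev["cmd"])
    if not tokens:
        return findings
    tool = tokens[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    args = tokens[1:]
    switches = {a.lower() for a in args if a.startswith("/")}

    if tool == "icacls":
        # First non-switch argument is the file or directory being modified.
        target = next((a for a in args if not a.startswith("/")), "")
        for i, a in enumerate(args[:-1]):
            spec = args[i + 1]          # principal:perms following /grant, /grant:r or /deny
            if ":" not in spec:
                continue
            principal, perms = spec.rsplit(":", 1)
            if a.lower().startswith("/grant") and is_broad_principal(principal) \
                    and grants_full_control(perms):
                rule = "icacls_broad_full_control"
                if "/t" in switches:    # /T recurses into subdirectories
                    rule += "_recursive"
                findings.append((rule, f"{principal} granted {perms} on {target or '.'}"))
            if a.lower() == "/deny" and any(h in target.lower() for h in SECURITY_PRODUCT_HINTS):
                findings.append(("icacls_deny_security_tool", f"deny {principal}:{perms} on {target}"))
    elif tool == "takeown" and "/f" in switches:
        target = next((args[i + 1] for i, a in enumerate(args[:-1]) if a.lower() == "/f"), "")
        findings.append(("takeown_file", f"ownership seized on {target}"))

    # Enrichment: the native tool was spawned by something living in a user-writable directory.
    if findings and re.search(r"\\(?:appdata|temp|downloads|public)\\", ev["parent"], re.IGNORECASE):
        findings.append(("parent_in_user_writable_dir", ev["parent"]))
    return findings


def analyze(events):
    """Run the rules over a batch of events; returns one dict per finding."""
    out = []
    for ev in events:
        for rule, detail in analyze_event(ev):
            out.append({"pid": ev["pid"], "rule": rule, "detail": detail})
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f['pid']} {f['rule']}: {f['detail']}")
```

Against the sample data this flags the three malicious-looking events and stays quiet on the legitimate `/grant "CORP\HR-Staff":(OI)(CI)M` and on notepad. The parent-process enrichment is the part that matters in practice: `icacls . /grant Everyone:F /T` is also what a careless administrator types from cmd.exe, so the principal-and-rights match alone is a hunting lead, while the same command launched from a binary in AppData or Temp is worth an alert.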