Backup the EFS encryption key file

desk77 · 17 Oct 2017

Yesterday I installed OneDrive app and linked it to my office 365 enterprise University account. Since then, every time I turn on my pc, I receive a warning about backup of the encryption key from EFS application. But I have never used bitlocker.
I did some search online and I got the list of all encrypted files: there are thousands of files and belongs to Apps, like facebook, onedrive, inkscape and so on.
So my questions are:

why did that message suddenly appear?
why are those files encrypted?
do those files have to be encrypted?
bitdefender has just found Gen:Trojan.Heur2.GZ.@FZ@bq2Abpn in temp folder. Could I have got a ransomware that is encrypting all files?

Thanks in advance!

Caledon Ken · 17 Oct 2017

Hi desk77.

Anything is possible but I think the more likely cause is your linking to your University account. You said it started right after you linked. Talk to your University IT support staff and see if they are using or enforcing through group policies.

Assuming you have your data backed up please don't connect your back up until you either hear from IT or are 110% the infection is gone.

Do you know what the date was on your Trojan file?

desk77 · 17 Oct 2017

Caledon Ken said:

Hi desk77.

Anything is possible but I think the more likely cause is your linking to your University account. You said it started right after you linked. Talk to your University IT support staff and see if they are using or enforcing through group policies.

Assuming you have your data backed up please don't connect your back up until you either hear from IT or are 110% the infection is gone.

Do you know what the date was on your Trojan file?

I think the same thing but my university account was already linked to Windows and Office. In fact I didn't have to enter password again. So I can't explain what happens.

About the infection, the infected file is a .tmp file that was already deleted. Given that I have just upgraded to W10 FCU, maybe it was a temp installation file... now I'm doing some system scan with malwarebytes, zemana antimalware, bitdefender and eset to verify if pc is stillinfected

Caledon Ken · 17 Oct 2017

Cool. Lets hope Bitdefender did its job.

PolarNettles · 18 Oct 2017

Bitlocker and EFS are not the same thing. Bitlocker is full-disk encryption; EFS is per-file encryption.

I agree that it's probably some IT policy from your university account. You should backup your key: Backup Encrypting File System Certificate and Key in Windows 10 Security System Tutorials

desk77 · 18 Oct 2017

Caledon Ken said:

Cool. Lets hope Bitdefender did its job.

PolarNettles said:

Bitlocker and EFS are not the same thing. Bitlocker is full-disk encryption; EFS is per-file encryption.

I agree that it's probably some IT policy from your university account. You should backup your key: Backup Encrypting File System Certificate and Key in Windows 10 Security System Tutorials

My IT support staff told me that it doesn't depend on them. So why did those message start to appear?
Anyway, do you think I should make a copy of certificates on a external storage or try to decrypt all files?

Caledon Ken · 18 Oct 2017

You should definitely get a copy of the keys.

Maybe scan your event viewer (filter) and look for the letters EFS. Hopefully your logs go back to the time when you linked OneDrive so you can see what else was happening.

Did you do anything else around the time of the account linking?

Ken