Blog

Nyotron Discovers Potentially Unstoppable Ransomware Evasion Technique: “RIPlace”

It seems like all news reports on successful ransomware attacks quote security experts who provide the same two pieces of advice: stay up-to-date on all software patches, and implement modern endpoint protection tools (e.g., antivirus) to prevent malware-laden emails from getting through to users. This combination has provided organizations with somewhat adequate defense – until now. 

Nyotron’s research team has discovered a new evasion technique that, if leveraged by ransomware, can provide the bad guys with a significant advantage. We call the technique “RIPlace”, and while it has not been detected in the wild (at least as far as we know), we have already alerted Microsoft and security vendors. 

We will provide a live demo of how RIPlace can bypass anti-ransomware technologies during our December 12 webinar “‘RIPlace’ – Does It Make Ransomware Unstoppable?” – Follow this link to register to attend.

Are You Vulnerable?

We’ve also developed a free tool you can use to check your systems for the RIPlace susceptibility. You can access this tool on our website: https://www.nyotron.com/riplace 

Practically Unstoppable

RIPlace is a Windows file system technique that, when used to maliciously encrypt files, can evade most existing anti-ransomware methods. In fact, all antivirus products we have tested to date were bypassed. Even Endpoint Detection and Response (EDR) products that are supposed to keep track of all data-related activity are completely blind to this technique, which means these operations will not be visible for future incident response and investigation purposes. 

What makes RIPlace so insidious is: (1) it leverages a Windows operating system design flaw rather than a flaw in specific piece of software; and (2) it is very easy to implement – it only requires two lines of code. 

Typically, ransomware follows these standard steps: 

  1. Open and read original file
  2. Encrypt content in memory
  3. Destroy the original file by:
    1. Writing encrypted content into original file,
    2. OR saving encrypted file to disk, while removing the original file using the DeleteFile operation,
    3. OR saving encrypted file to disk, then replacing it with the original file using the Rename operation.

The RIPlace technique follows option C (with a small modification), and we believe that malicious actors may abuse this technique in order to bypass security products and avoid evidence capture.

Watch RIPlace Fool AV

We have produced two videos to show how RIPlace tricks two popular endpoint security products – Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV) – and maliciously encrypts files on a fully-patched Windows 10 system. 

Both videos are on our YouTube channel:

To learn more about RIPlace and find out if your system is vulnerable, please visit https://www.nyotron.com/riplace

Use this link to register to attend our live webinar “RIPlace” – Does It Make Ransomware Unstoppable?” on December 12.