By Rene Kolga
Nyotron founder and CTO Nir Gaist and I recently led a webinar on the Nyotron Research team’s discovery of the RIPlace evasion technique that malicious actors can use to bypass anti-ransomware technologies and other security solutions. The recording is now available for free here.
Nir explained how the technique leverages a legacy function that you may not have thought about in years – DefineDosDevice – and a symbolic link. As a quick reminder, a symlink could point to a file, folder, disk drive, or hypothetically, your family’s secret cheesecake recipe:
When most security products intercept a file replace (basically a Rename) operation, they typically call the documented function responsible for resolving the path of the file that will be replaced. But that function does not construct the full path when an MS-DOS Device (symlink) path is passed as the path of the file to replace. The actual file replacement (rename) operation nevertheless succeeds – in other words, the target file is replaced.
The result: when the function that builds the path returns an error, most security products assume that the entire operation did not complete, and skip the execution of the rename operation handling logic. This is what enables the RIPlace evasion technique.
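The fail-open decision just described, as an added toy model that is not Nyotron's code or any real minifilter: the "file system" and "filter" are constructed Python stand-ins, the DOS device name RIPDEV and the paths are made up, and the hardened variant assumes the product can look up its own device map.

```python
"""Constructed model of a rename-monitoring filter that fails open when
path resolution errors on an MS-DOS device path (the RIPlace gap), next
to a fail-closed variant that never skips its rename handling."""
from dataclasses import dataclass, field

# Constructed: one MS-DOS device name aliasing a real directory, the
# kind of mapping DefineDosDevice creates.
DOS_DEVICES = {"\\\\.\\RIPDEV": "C:\\Users\\victim\\Documents"}

def resolve_target(path: str):
    """Stand-in for the documented path-resolution helper: it builds a
    full path for ordinary paths and returns an error (None) for
    MS-DOS device paths, as the webinar describes."""
    for prefix in DOS_DEVICES:
        if path.upper().startswith(prefix.upper()):
            return None
    return path

def expand_dos_device(path: str):
    """Hardened fallback (assumed capability): map the device prefix to
    the directory it aliases instead of giving up."""
    for prefix, real in DOS_DEVICES.items():
        if path.upper().startswith(prefix.upper()):
            return real + path[len(prefix):]
    return None

@dataclass
class Monitor:
    fail_closed: bool
    seen: list = field(default_factory=list)

    def on_rename(self, src: str, dst: str) -> None:
        full = resolve_target(dst)
        if full is not None:
            self.seen.append(("REPLACE", src, full))
            return
        if not self.fail_closed:
            return  # vulnerable: assumes the whole operation failed
        # hardened: a resolution error is not proof the rename failed;
        # resolve the alias ourselves and flag the operation
        self.seen.append(("SUSPICIOUS_REPLACE", src, expand_dos_device(dst)))

def replace_via_dos_device(monitor: Monitor) -> tuple:
    """The rename itself succeeds whatever the monitor decided."""
    src, dst = "C:\\tmp\\enc.tmp", "\\\\.\\RIPDEV\\report.docx"
    monitor.on_rename(src, dst)
    return ("success", src, dst)
```

With `fail_closed=False` the replace completes and the monitor records nothing; with `fail_closed=True` the same replace is logged against the real target path.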
The image below tells the whole story. Look at the second line: the result is “success”, but the Detail column is blank because the file operation is “invisible” to a security product monitoring disk activity. The software skips its detection logic and does not see the malicious file encryption performed by ransomware:
Nir also demonstrated in real time that an attacker needs only two lines of code to use RIPlace.
Use this link to access the entire webinar.
Additionally, the Nyotron Research team’s full report, an FAQ, and the link to download the free tool you can use to check if your systems are susceptible, are all available on our website: https://www.nyotron.com/riplace.